Krajowa Izba Rozliczeniowa (KIR) S.A. has applied to include the "SZAFIR
ROOT CA" root certificate and enable all three trust bits.
The first discussion is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/aNbK4zw_Zb8/ekmVXYXvfQ4J
The action items resulting from the first discussion are listed here:
https://bugzilla.mozilla.org/show_bug.cgi?id=817994#c37
I have confirmed completion of the action items.
For your convenience, I will re-summarize the request below.
KIR S.A. is a private corporation in Poland which currently mainly
issues qualified certificates for the general public and plans to issue
non-qualified certificates. KIR S.A. is an automated clearing house in
Poland; its core business is clearing, and it has built numerous
business relationships within the banking sector. Therefore, KIR S.A. is
aiming to expand its sales in services such as SSL and VPN certificates.
KIR S.A. has another line of products called PayByNet, and has created a
vast network of relationships with online stores that KIR S.A. can
leverage to build a customer base for trusted non-qualified certificates.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=817994
And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8559351
Noteworthy points:
* The primary documents, the CP and CPS, are provided in both English
and Polish.
Document Repository:
http://eng.elektronicznypodpis.pl/en/information/documents-and-agreements
CPS:
http://www.elektronicznypodpis.pl/files/doc/certification_practice_statement.pdf
CP:
http://elektronicznypodpis.pl/files/doc/certification_policy.pdf
* CA Hierarchy: There is currently one internally-operated
subordinate CA which issues 6 types of end-user certificates:
- Standard certificate - For protection of information sent
electronically, using mainly e-mail, for authorizing access to systems,
customer authentication in SSL connections. It allows signing and
encrypting data in an electronic form and authenticating subscribers.
- Code signing certificate
- VPN certificate
- SSL certificate
- Test certificate - For testing co-operation of the certificate with
solutions used or developed by a recipient of certification services or
a subscriber.
- ELIXIR certificate - These certificates are issued only to
Participants of the ELIXIR and EuroELIXIR systems. KIR will start to
issue all ELIXIR certificates with the EKU extension containing the value
id-kp-clientAuth from the 15th of February, and will update the CPS to
reflect this.
* The request is to enable all three trust bits.
** CPS section 3.2, Initial Identity Validation: Depending on the type
of certificate the procedure of certificate issuance may be different
and is relative to a specific certification policy.
To receive a certificate it is necessary for the subscriber who is a
natural person or an authorised representative of the recipient of
certification services to present:
1) an identification card (or its photocopy depending on the type of
certificate);
2) documents confirming rights to the domain (optionally, relative to
the certificate type);
3) a file with the certificate request (if the pair of keys is generated
individually by the subscriber).
KIR S.A. may require other documents if data other than the subscriber's
first name and surname and the PESEL or NIP number is requested to be
entered into the certificate.
** CPS section 3.2.2: If a certificate is to provide for security of
electronic mail, verification of the electronic mail address shall be
done. Verification shall consist in checking if an electronic mail
address indicated in the order belongs to the subscriber. Checking may
be done by confirming that the subscriber has collected authentication
data sent to an electronic mail address given in the order. Checking is
to determine that the e-mail address is legally used by the subscriber.
** CPS section 3.2.2: If an SSL certificate or a test certificate is to
contain a domain name, checking shall include whether a recipient of
certification services has the right to use the domain name and whether
the domain remains under its control. Verification performed by KIR S.A.
shall comprise:
- checking in publicly available WHOIS services, or directly with the
entities registering domains, whether a recipient of certification
services is registered as the domain owner or has the right to use the
domain name;
- checking whether a response has been received to an e-mail sent by KIR
to the domain administrator, either at an address of the form webmaster,
admin, administrator, hostmaster or postmaster before @domain, or at the
e-mail address listed as the contact for the domain in the WHOIS service
or the register of domains;
- checking whether verification data indicated by KIR S.A. has been
placed on a server or in a DNS record such as TXT;
- in the case of Wildcard Certificates, checking against the Public
Suffix List (PSL, http://publicsuffix.org/) that the "*" character is not
placed immediately to the left of a public suffix of the gTLD domains
delegated by ICANN. KIR S.A. may issue a Wildcard Certificate for a gTLD
domain if the subscriber properly proves its right to manage the entire
name space under that gTLD domain.
To minimise the risk of using inappropriate data, KIR S.A. shall use data
presented in the WHOIS service in combination with IANA data and the
WHOIS data supplied by ICANN-approved entities that register domains.
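The three mechanical checks in that list (approved administrator mailbox, challenge token in a DNS TXT record, and the wildcard-versus-public-suffix rule) are the kind a CA's registration system can enforce in code. The following is an added illustration written for this post, not code from KIR S.A. or from its CPS. The public-suffix subset and the DNS answers are constructed for the example; a real check would load the current PSL (including its wildcard and exception rules, which this subset omits) and query DNS.

```python
"""
Domain-control checks modelled on the CPS 3.2.2 list (illustrative only).
All data below is constructed; nothing is fetched from the network.
"""
import secrets

# Constructed subset of the Public Suffix List (https://publicsuffix.org/).
# Assumption: a production check loads the full, current list instead.
PUBLIC_SUFFIXES = {"com", "net", "org", "pl", "com.pl", "co.uk", "uk"}

# Local parts the CPS names as acceptable domain-administrator mailboxes.
APPROVED_LOCAL_PARTS = {"webmaster", "admin", "administrator",
                        "hostmaster", "postmaster"}


def is_approved_admin_address(address: str, domain: str) -> bool:
    """True if address is <approved local part>@domain, case-insensitively.
    The mailbox must be on the requested domain itself, not a subdomain."""
    local, sep, host = address.rpartition("@")
    if not sep or not local:
        return False
    return local.lower() in APPROVED_LOCAL_PARTS and host.lower() == domain.lower()


def new_challenge_token() -> str:
    """Unpredictable verification data for the applicant to publish in DNS."""
    return secrets.token_urlsafe(24)


def txt_record_proves_control(txt_records, token: str) -> bool:
    """True if one of the TXT strings (as returned by a resolver) equals the
    issued token exactly; surrounding quotes from zone-file style output are
    stripped before comparing."""
    return any(r.strip().strip('"') == token for r in txt_records)


def registrable_part(name: str):
    """Split name into (labels above the public suffix, public suffix).
    The longest matching suffix wins; if none matches, the PSL's default
    rule treats the last label as the public suffix."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in PUBLIC_SUFFIXES:
            return labels[:i], suffix
    return labels[:-1], labels[-1]


def wildcard_is_acceptable(name: str) -> bool:
    """Apply the CPS rule: '*' may not stand immediately left of a public
    suffix. '*.example.pl' is fine; '*.com.pl' and '*.pl' are refused.
    Anything that is not a single leading wildcard is refused as well."""
    if not name.startswith("*.") or "*" in name[2:]:
        return False
    above_suffix, _suffix = registrable_part(name[2:])
    return len(above_suffix) >= 1


if __name__ == "__main__":
    # Constructed sample request and DNS answer.
    domain = "example.pl"
    token = new_challenge_token()
    dns_answer = ['"v=spf1 -all"', '"%s"' % token]
    print("admin mailbox ok:", is_approved_admin_address("hostmaster@example.pl", domain))
    print("TXT token ok:    ", txt_record_proves_control(dns_answer, token))
    for wc in ("*.example.pl", "*.com.pl", "*.pl"):
        print("wildcard", wc, "acceptable:", wildcard_is_acceptable(wc))
```

The wildcard test only decides whether a name is structurally permitted; the CPS still requires the applicant to prove control of the registrable domain before any certificate, wildcard or not, is issued.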
If the identifier of the subscriber's certificate containing the domain
name is also to include a country name, then prior to issuing the
certificate KIR S.A. shall verify that the indicated country is
connected to the subscriber. Verification shall be performed by one of
the methods described below and consists in checking:
- whether the domain's IP address given in DNS is within the range of IP
addresses assigned to the country that the recipient of certification
services has applied to have entered in the subscriber's identifier;
- whether the country name in the information provided by the authority
registering the domain whose name is to be placed in the certificate
matches the country that the recipient of certification services has
applied to have entered in the subscriber's identifier.
While verifying the country name, KIR S.A. shall check that the
recipient of certification services is not using a proxy server to
substitute an IP address from a country other than the one in which it
is actually located.
** CP section 2.1, Standard certificate: These certificates may be used
for securing electronic mail and for logging into the systems or
services, authorising the subscriber during establishment of secure
connections.
In the process of issuing this type of certificates the operator KIR
S.A. shall verify the subscriber's identity and the right to obtain such
certificate. The certificate is delivered to the subscriber most often
with a pair of keys generated on a carrier defined by the subscriber.
Data included in the certificate allows identifying the subscriber that
uses the certificate.
** CP section 2.2: Code signing certificates are used for confirming the
authenticity and origin of binary code. Based on the data included in
the certificate it is possible to identify the author or the entity that
provides the code for a program or application.
In the process of issuing this type of certificates the operator KIR
S.A. shall verify the subscriber's identity and the right to obtain such
certificate and shall confirm reliability of the data entered into the
certificate.
** CP section 2.4: An SSL certificate allows confirming the authenticity
of www servers and setting up secure connections using the SSL and TLS
protocols. A certificate may contain data of a single www server or of
associated servers within a single domain.
In the process of issuing this type of certificate the operator KIR
S.A. shall verify the subscriber's identity and its right to obtain a
certificate. The process includes verification of whether the server or
domain is held by the recipient of certification services.
** CP section 2.5: Test certificate -- These certificates are used for
checking co-operation with the system or the subscriber's IT solution.
In the process of issuing this type of certificate the operator KIR
S.A. shall verify the subscriber's right to obtain such a certificate.
When a test certificate is to be used to test the establishment of
secure connections, the process also includes verification that the www
server or domain is at the disposal of the recipient of certification
services.
* EV Policy OID: Not requesting EV treatment
* Root Cert:
http://www.elektronicznypodpis.pl/certyfikaty/root_ca.crt
* Test Website:
https://ssl.elektronicznypodpis.pl
* OCSP:
http://ocsp.elektronicznypodpis.pl
* Audit: Annual audits are performed by Ernst&Young (EY) according to
the WebTrust CA and BR criteria. The WebTrust seal file contains two
audit statements: WebTrust CA and WebTrust BR.
https://cert.webtrust.org/SealFile?seal=1681&file=pdf
* Potentially Problematic Practices - None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the second discussion of the request from KIR S.A. to
include the "SZAFIR ROOT CA" root certificate and enable all three trust
bits. At the conclusion of this discussion I will provide a summary of
issues noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen