ANF Autoridad de Certificación has applied to include the "ANF Server
CA" and "ANF Global Root CA" root certificates, turn on the websites
trust bit for both, and enable EV treatment for the "ANF Global Root CA"
certificate.
ANF Autoridad de Certificación (ANF AC) is a private Certification
Authority, recognized and accredited by the Spanish Government as a
Certificate Services Provider (CSP). ANF AC has accredited more than
1000 Registry Authorities throughout Spain to issue qualified user
identity certificates. ANF CA also issues certificates for SSL with and
without Extended Validation.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156
And in the pending certificates list:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/pending/
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8416718
Noteworthy points:
* The primary documents are the CPS for SSL CP, which are provided in
Spanish and English.
Document repository (ES):
http://www.anf.es/es/politicas/psc-acreditado/documentos-publicados
Document repository (EN):
http://www.anf.es/en/
CPS:
https://anf.es/es/pdf/DPC_ANF_AC_EN.pdf
SSL CP:
https://anf.es/es/pdf/PC_SSL_Sede_EV_EN.pdf
* CA Hierarchy: Both roots have internally-operated subordinate CAs
which sign end-entity certificates for individuals and organizations.
* This request is to enable the websites trust bit for both roots, and
to enable EV treatment for the "ANF Global Root CA" certificate.
** CPS section 1.3.1.4, Issuance Report Managers: These are staff
attached to ANF AC's Legal Department, responsible for checking the
documentation provided by the Registration Authorities. They determine
whether the documents are sufficient or not, they check the reliability
of the information, and, if they consider it necessary, order further
investigations.
** SSL CP section 4.2.1 provides a description of the process for
performing identification and authentication functions for verifying the
certificate subscriber's identity, organization, and authority to
request the certificate on behalf of the organization.
** SSL CP section 4.2.2: The Issuance Reports Manager (IRM) assumes the
final response assumes the ultimate responsibility to verify the
information contained in the Application Form, and to assess the
adequacy of the documents provided and of the application, in accordance
with the provisions of this Certification Policy.
** SSL CP section 4.2.2.1, SSL Certificates: The IRM shall check the
documentation by consulting the whois database, verifying that the
domain is registered, by consulting valid registrars. A copy of the
whois query is attached to the validation act.
** SSL CP section 4.2.2.3, SSL EV y and Electronic Office EV
Certificates: In the process of verification of the information and
documentation received, the following means may be used:
- Consultation to official public records in which the entity must be
registered in order to check availability, effect of charges and other
legal issues such as activity and date of establishment.
- Official Journals of national or regional public bodies belonging to
public bodies and enterprises.
- With regard to Internet addresses and domains, ANF AC consult
recorders attached only by ICANN / IANA domain names and addresses
associated with the certificate. In this query, it is verified verify:
-- That the holder (registrant) agrees with the subscriber.
-- People and contact information associated with that domain registration.
- One of the contact persons listed in the whois query shall be reached
in order to verify compliance of the certificate issuance request
associated with that domain.
* EV Policy OID: 1.3.6.1.4.1.18332.55.1.1.2.22
* Root Certs:
http://www.anf.es/es/certificates_download/ANF_Server_CA.cer
http://www.anf.es/es/certificates_download/ANF_Global_Root_CA_SHA256.cer
* Test Websites:
https://anf.kerberosns.com/en/
https://kerberosns.com/cloud
* OCSP
http://ocsp.anf.es/spain/AV
* Audit: Annual audits are performed by DNB (http://www.dnbcons.com)
according to the WebTrust criteria.
WebTrust CA:
https://cert.webtrust.org/SealFile?seal=1625&file=pdf
WebTrust EV:
https://cert.webtrust.org/SealFile?seal=1626&file=pdf
WebTrust BR:
https://bugzilla.mozilla.org/attachment.cgi?id=8401262
* Potentially Problematic Practices - None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the discussion of the request from ANF Autoridad de
Certificación to include the "ANF Server CA" and "ANF Global Root CA"
root certificates, turn on the websites trust bit for both, and enable
EV treatment for the "ANF Global Root CA" certificate. At the conclusion
of this discussion I will provide a summary of issues noted and action
items. If there are outstanding issues, then an additional discussion
may be needed as follow-up. If there are no outstanding issues, then I
will recommend approval of this request in the bug.
Kathleen