Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Re: Request to Include Microsec e-Szigno Root CA 2017 and to EV-enable Microsec e-Szigno Root CA 2009
325 views
Skip to first unread message
Ben Wilson
Apr 17, 2020, 5:15:28 PM4/17/20
to dev-secur...@lists.mozilla.org
Dear Sándor,
I have a couple of follow-up questions for Microsec.
There were some responses during the recent public discussion in which
Microsec indicated it would update its CPS(es).
When do you anticipate that this will occur?
Also, it is also unclear from the quoted thread below whether such updates
will include additions to section 1.5.2 as required by Section 4.9.3 of the
Baseline Requirements.
Could you please clarify if and when section 1.5.2 will be updated?
Thanks.
Sincerely yours,
Ben Wilson
Mozilla Root Program
-
BR section 4.9.3 requires CPS section 1.5.2 to contain instructions for
reporting an issue such as key compromise to the CA. The Microsec CPS’
only state that questions related to the policy may be reported via the
info in that section, and other email addresses
(“HighPriority...@e-szigno.hu”,
“revoc...@e-szigno.hu") are found in other sections of some documents. Section
4.9.5 then states that revocation requests are only accepted at the address
listed in section 1.2, but there is no email address in this section.
The CPS of Microsec is structured according to the requirement of RFC3647.
This also required by the CABF BR in section 2.2. According to RFC3647 the
Section 1.5 is for the policy administration and section 1.5.2 defines the
contact person who is responsible for maintaining the CPS. Section 4.9.3 of
the CPS contains detailed information about the possibilities of revocation
request submission. Section 1.3.1 contains the email addresses, where
revocation request can be sent (mentioning section 1.2 is an editorial
mistake, it will be corrected in the next version of the CPS). Section
4.9.3 contains also a subsection which describes the High-Priority
Certificate Problem Report mechanism. More detailed information can be
found on our website on the given link.
I have a couple of follow-up questions for Microsec.
There were some responses during the recent public discussion in which
Microsec indicated it would update its CPS(es).
When do you anticipate that this will occur?
Also, it is also unclear from the quoted thread below whether such updates
will include additions to section 1.5.2 as required by Section 4.9.3 of the
Baseline Requirements.
Could you please clarify if and when section 1.5.2 will be updated?
Thanks.
Sincerely yours,
Ben Wilson
Mozilla Root Program
-
BR section 4.9.3 requires CPS section 1.5.2 to contain instructions for
reporting an issue such as key compromise to the CA. The Microsec CPS’
only state that questions related to the policy may be reported via the
info in that section, and other email addresses
(“HighPriority...@e-szigno.hu”,
“revoc...@e-szigno.hu") are found in other sections of some documents. Section
4.9.5 then states that revocation requests are only accepted at the address
listed in section 1.2, but there is no email address in this section.
The CPS of Microsec is structured according to the requirement of RFC3647.
This also required by the CABF BR in section 2.2. According to RFC3647 the
Section 1.5 is for the policy administration and section 1.5.2 defines the
contact person who is responsible for maintaining the CPS. Section 4.9.3 of
the CPS contains detailed information about the possibilities of revocation
request submission. Section 1.3.1 contains the email addresses, where
revocation request can be sent (mentioning section 1.2 is an editorial
mistake, it will be corrected in the next version of the CPS). Section
4.9.3 contains also a subsection which describes the High-Priority
Certificate Problem Report mechanism. More detailed information can be
found on our website on the given link.
Sándor dr. Szőke
Apr 20, 2020, 7:44:30 AM4/20/20
to mozilla-dev-s...@lists.mozilla.org
Dear Ben,
I confirm that Microsec will correct all issues in the CP and CPS documents as promised during the public discussion.
Thanks to everyone who took the time to read Microsec CP and CPS and to comment on them.
If there are no more comments on the content of our CP and CPS documents in the public discussion, we will review the thread again and gather all the issues to be resolved.
As usual, Microsec will review current versions of all applicable requirements for changes.
I confirm that the section 1.5.2 will be changed. The High Priority Certificate Problem Report will be reviewed and will be moved here from section 4.9.3.
Other issues I can see after a brief overview:
- Preliminary report in case of Certificate problem report in section 4.9.5
- correct the reference to section 1.3.1 instead of 1.2 in section 4.9.5
- review the email address validation rules in case of non-automatic validation procedure in section 3.2.7
I expect that Microsec will be able to do it within one week and will prepare the draft version of the public documents by the end of April.
We publish the drafts on our website and send them to the auditor and our supervisory authority at the same time.
This is followed by a 30-day commenting period during which anyone can comment on the planned changes.
If significant issues arise during this period, the draft shall be amended and the 30 days shall begin again.
If there are no significant issues, the new document will enter into force by the end of May 2020.
Please let us know if you expect us to take any further steps in this process.
Best regards,
Sándor
dr. Sándor Szőke
Microsec deputy director
Ben Wilson
May 28, 2020, 3:00:49 PM5/28/20
to Sándor dr. Szőke, mozilla-dev-s...@lists.mozilla.org
In accordance with the CA inclusion process,[1] this is a summary of the
public discussion of Microsec’s application for inclusion of the e-Szigno
Root CA 2017 into the Mozilla root store, and to EV enable it and the
currently-included e-Szigno Root CA 2009. The request is documented in
Bugzilla #1445364.[2] The public discussion began on 9-March-2020.[3] The
email launching the public discussion and comments received during the
public discussion raised a number of issues, not all of which are itemized
here, including:
* the CPS was unclear about certificate problem reporting and revocation
request processing[4]; and
* Microsec has had systemic, standards-related non-conformities, e.g. Bug#
1622539[5], and needs to demonstrate better behavior in keeping up with and
complying with the CABF Baseline Requirements and root store policy.[6]
Microsec is resolving these concerns by:
- updating its CPS[7][8]; and
- committing to engage in better compliance with industry standards[9].
In my opinion Microsec has demonstrated sufficient response that we do not
need to remove Microsec from Mozilla’s root store. Therefore, once I am
satisfied after a review of the updated CPS, I am planning to recommend
that we approve the request to include the e-Szigno Root CA 2017
certificate and enable the websites trust bit. However, I plan to deny the
request for EV treatment for both root certificates. Microsec may re-apply
by filing a new request for EV treatment after they have demonstrated
improved compliance with the BRs and EV Guidelines.
I appreciate any feedback on this proposed course of action.
[1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
[3]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/QrhdAWq_AAAJ
[4]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/KN-gnSLLAAAJ
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1622539
[6]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/T7hcaOYGAQAJ
[7]
https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/pyZKc40_CQAJ
[8]
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30
[9]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/mNFZGgXBAgAJ
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
public discussion of Microsec’s application for inclusion of the e-Szigno
Root CA 2017 into the Mozilla root store, and to EV enable it and the
currently-included e-Szigno Root CA 2009. The request is documented in
Bugzilla #1445364.[2] The public discussion began on 9-March-2020.[3] The
email launching the public discussion and comments received during the
public discussion raised a number of issues, not all of which are itemized
here, including:
* the CPS was unclear about certificate problem reporting and revocation
request processing[4]; and
* Microsec has had systemic, standards-related non-conformities, e.g. Bug#
1622539[5], and needs to demonstrate better behavior in keeping up with and
complying with the CABF Baseline Requirements and root store policy.[6]
Microsec is resolving these concerns by:
- updating its CPS[7][8]; and
- committing to engage in better compliance with industry standards[9].
In my opinion Microsec has demonstrated sufficient response that we do not
need to remove Microsec from Mozilla’s root store. Therefore, once I am
satisfied after a review of the updated CPS, I am planning to recommend
that we approve the request to include the e-Szigno Root CA 2017
certificate and enable the websites trust bit. However, I plan to deny the
request for EV treatment for both root certificates. Microsec may re-apply
by filing a new request for EV treatment after they have demonstrated
improved compliance with the BRs and EV Guidelines.
I appreciate any feedback on this proposed course of action.
[1] https://wiki.mozilla.org/CA/Application_Process#Process_Overview
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1445364
[3]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/QrhdAWq_AAAJ
[4]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/KN-gnSLLAAAJ
[5] https://bugzilla.mozilla.org/show_bug.cgi?id=1622539
[6]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/T7hcaOYGAQAJ
[7]
https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/pyZKc40_CQAJ
[8]
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/1L0crAafm30
[9]
https://groups.google.com/d/msg/mozilla.dev.security.policy/jRKOr4nvOfY/mNFZGgXBAgAJ
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
Ben Wilson
Jun 2, 2020, 3:58:21 PM6/2/20
to Sándor dr. Szőke, mozilla-dev-s...@lists.mozilla.org
I have now reviewed Microsec's updated CPS for OV and DV. I am not going
to hold up approval of the inclusion of this root for the following
reasons, which I believe are relatively minor, but Microsec should be aware
that:
- section 3.1.1 of Microsec's "eIDAS conform Certificate for Website
Authentication CPS" (
https://static.e-szigno.hu/docs/szsz--fok--ssl--EN--v2.14.pdf) ("the
CPS") appears to allow certain identifiers, allowed for EV, but not yet
added to the Baseline Requirements, see
https://cabforum.org/2019/05/21/ballot-sc17-version-7-alternative-registration-numbers-for-ev-certificates/.
This is something that should be taken up with the CA/Browser Forum (and
corrected in Microsec's CPS); and
- section 4.9.5 of the CPS, which states, "Emails arriving out of office
hours are considered as arrived at the beginning of the next business day."
This may put Microsec at risk of a violation of the Baseline Requirements
sections 4.9.1 through 4.9.5. While "receipt" (or "arrival") is not yet
defined in the Baseline Requirements, there is an expectation of 24x7
availability, which it appears Microsec is providing - "The Trust Service
Provider maintains a continuous 24x7 ability to respond internally to a
High Piority Certificate Problem Report."
This concludes my review of the Microsec CPs/CPSes, and I believe it is now
appropriate to begin the process of adding this root CA into NSS (without
EV enablement).
to hold up approval of the inclusion of this root for the following
reasons, which I believe are relatively minor, but Microsec should be aware
that:
- section 3.1.1 of Microsec's "eIDAS conform Certificate for Website
Authentication CPS" (
https://static.e-szigno.hu/docs/szsz--fok--ssl--EN--v2.14.pdf) ("the
CPS") appears to allow certain identifiers, allowed for EV, but not yet
added to the Baseline Requirements, see
https://cabforum.org/2019/05/21/ballot-sc17-version-7-alternative-registration-numbers-for-ev-certificates/.
This is something that should be taken up with the CA/Browser Forum (and
corrected in Microsec's CPS); and
- section 4.9.5 of the CPS, which states, "Emails arriving out of office
hours are considered as arrived at the beginning of the next business day."
This may put Microsec at risk of a violation of the Baseline Requirements
sections 4.9.1 through 4.9.5. While "receipt" (or "arrival") is not yet
defined in the Baseline Requirements, there is an expectation of 24x7
availability, which it appears Microsec is providing - "The Trust Service
Provider maintains a continuous 24x7 ability to respond internally to a
High Piority Certificate Problem Report."
This concludes my review of the Microsec CPs/CPSes, and I believe it is now
appropriate to begin the process of adding this root CA into NSS (without
EV enablement).
Ben Wilson
Jun 4, 2020, 2:17:41 PM6/4/20
to mozilla-dev-s...@lists.mozilla.org
Having received no further comments, I have recommended approval of this
request in bug 1445364
<https://bugzilla.mozilla.org/show_bug.cgi?id=1445364>
- Ben
request in bug 1445364
<https://bugzilla.mozilla.org/show_bug.cgi?id=1445364>
- Ben
Kathleen Wilson
Jun 4, 2020, 2:27:42 PM6/4/20
to mozilla-dev-s...@lists.mozilla.org
On 6/4/20 11:17 AM, Ben Wilson wrote:
> Having received no further comments, I have recommended approval of this
> request in bug 1445364
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1445364>
>
> - Ben
>
To clarify, Ben is recommending approval of the request to include the
> Having received no further comments, I have recommended approval of this
> request in bug 1445364
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1445364>
>
> - Ben
>
e-Szigno Root CA 2017 certificate and enable the websites trust bit.
However, he has recommended that we deny the request for EV treatment
for both root certificates. Microsec may re-apply by filing a new
request for EV treatment after they have demonstrated improved
compliance with the BRs and EV Guidelines.
Reference:
request for EV treatment after they have demonstrated improved
compliance with the BRs and EV Guidelines.
https://groups.google.com/d/msg/mozilla.dev.security.policy/rHTmKOzspCo/yLTkQ25uAAAJ
Thanks,
Kathleen
0 new messages