The first discussion of the ANF root inclusion request was here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/cNgy1_rkv6A/h8YOlR3AFMIJ
ANF has responded to the concerns that were raised, so I am now opening
the second discussion about their inclusion request.
ANF has applied to include the “ANF Global Root CA” root certificate,
enable the Websites trust bit, and enable EV treatment.
ANF Autoridad de Certificación (ANF AC) is a private Certification
Authority, recognized and accredited by the Spanish Government as a
Certificate Services Provider (CSP). ANF AC has accredited more than
1000 Registry Authorities throughout Spain to issue qualified user
identity certificates. ANF CA also issues certificates for SSL with and
without Extended Validation.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8644470
Noteworthy points:
* The primary documents are the CPS and SSL CP, which are provided in
Spanish and English.
Document repository (Spanish):
http://www.anf.es/es/politicas/psc-acreditado/documentos-publicados
Document Repository (English):
http://www.anf.es/en/
CP:
https://www.anf.es/es/pdf/PC_SSL_Sede_EV_EN.pdf
CPS:
https://www.anf.es/es/pdf/DPC_ANF_AC_EN.pdf
* CA Hierarchy: This root has eight internally-operated subordinate CAs
which sign end-entity certificates for individuals and organizations.
- ANF High Assurance EV CA1 (SHA1 and SHA256): Issues technical
certificates for authentication services SSL, SSL EV, Encryption and
Code Signing.
- ANF High Assurance AP CA1 (SHA1 and SHA256): Issues end-entity
certificates for Public Administrations.
- ANF Global CA1 (SHA1 and SHA256): Issues certificates for the
management and administration of the PKI of ANF AC.
- ANF Assured ID CA1 (SHA1 and SHA256): Issues end-entity in accordance
with the provisions of Electronic Signature Law 59/2003.
* This request is to enable the websites trust bit and enable EV treatment.
** SSL CP, section 4.2.2: The Issuance Reports Manager (IRM) assumes the
final response assumes the ultimate responsibility to verify the
information contained in the Application Form, and to assess the
adequacy of the documents provided and of the application, in accordance
with the provisions of this Certification Policy.
** SSL CP, section
4.2.2.1: The IRM shall check the documentation by
consulting the whois database, verifying that the domain is registered,
by consulting valid registrars. A copy of the whois query is attached to
the validation act.
** SSL CP section 4.2.2.3, SSL EV y and Electronic Office EV
Certificates: In the process of verification of the information and
documentation received, the following means may be used:
- Consultation to official public records in which the entity must be
registered in order to check availability, effect of charges and other
legal issues such as activity and date of establishment.
- Official Journals of national or regional public bodies belonging to
public bodies and enterprises.
- With regard to Internet addresses and domains, ANF AC consult
recorders attached only by ICANN / IANA domain names and addresses
associated with the certificate. In this query, it is verified verify:
-- That the holder (registrant) agrees with the subscriber.
-- People and contact information associated with that domain registration.
- One of the contact persons listed in the whois query shall be reached
in order to verify compliance of the certificate issuance request
associated with that domain.
** SSL CP section 4.10: ANF AC limits the set of email verification
addresses to the following: admin@domain, administrador@domain,
webmaster@domain, hostmaster@domain, postmaster@domain as well as any
address appearing in the technical or administrative contact field of
the “Whois” domain, regardless of the domains of the addresses.
ANF AC directly validates the identification of e-mail address in the
whois, avoiding the delegation to third identification.
Subordinate CA certificates issued by ANF AC, are managed directly and
exclusively by ANF AC, who in no case allows its operation by external
entities.
Root Certificate Download URL:
http://www.anf.es/es/certificates_download/ANF_Global_Root_CA_SHA256.cer
EV Policy OID: 1.3.6.1.4.1.18332.55.1.1.2.22
* Test Website:
https://ssl.anf.es/
* OCSP:
http://ocsp.anf.es/spain/AV
* CRL URL(s):
https://www.anf.es/crl/ANF_Global_Root_CA_arl.crl
https://www.anf.es/crl/ANF_High_Assurance_EV_CA1_SHA256.crl
NextUpdate for End-entity CRLs: 7 days
* Audit: Annual audits are performed by Auren, according to the WebTrust
criteria.
Standard Audit:
https://cert.webtrust.org/SealFile?seal=1833&file=pdf
BR Audit:
https://cert.webtrust.org/SealFile?seal=1833&file=pdf
EV Audit:
https://cert.webtrust.org/SealFile?seal=1834&file=pdf
* Potentially Problematic Practices: None Noted
(
http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the discussion of the request from ANF to include the “ANF
Global Root CA” root certificate, enable the Websites trust bit, and
enable EV treatment.
At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen