
Second Discussion of ANF Root Inclusion Request


Kathleen Wilson

Dec 9, 2015, 4:36:06 PM
to mozilla-dev-s...@lists.mozilla.org
The first discussion of the ANF root inclusion request was here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/cNgy1_rkv6A/h8YOlR3AFMIJ
ANF has responded to the concerns that were raised, so I am now opening
the second discussion about their inclusion request.

ANF has applied to include the “ANF Global Root CA” root certificate,
enable the Websites trust bit, and enable EV treatment.

ANF Autoridad de Certificación (ANF AC) is a private Certification
Authority, recognized and accredited by the Spanish Government as a
Certificate Services Provider (CSP). ANF AC has accredited more than
1000 Registry Authorities throughout Spain to issue qualified user
identity certificates. ANF AC also issues certificates for SSL with and
without Extended Validation.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8644470

Noteworthy points:

* The primary documents are the CPS and SSL CP, which are provided in
Spanish and English.

Document repository (Spanish):
http://www.anf.es/es/politicas/psc-acreditado/documentos-publicados
Document Repository (English): http://www.anf.es/en/

CP: https://www.anf.es/es/pdf/PC_SSL_Sede_EV_EN.pdf
CPS: https://www.anf.es/es/pdf/DPC_ANF_AC_EN.pdf

* CA Hierarchy: This root has eight internally-operated subordinate CAs
which sign end-entity certificates for individuals and organizations.
- ANF High Assurance EV CA1 (SHA1 and SHA256): Issues technical
certificates for authentication services SSL, SSL EV, Encryption and
Code Signing.
- ANF High Assurance AP CA1 (SHA1 and SHA256): Issues end-entity
certificates for Public Administrations.
- ANF Global CA1 (SHA1 and SHA256): Issues certificates for the
management and administration of the PKI of ANF AC.
- ANF Assured ID CA1 (SHA1 and SHA256): Issues end-entity certificates in
accordance with the provisions of Electronic Signature Law 59/2003.

* This request is to enable the websites trust bit and enable EV treatment.

** SSL CP, section 4.2.2: The Issuance Reports Manager (IRM) assumes the
ultimate responsibility to verify the information contained in the
Application Form, and to assess the adequacy of the documents provided
and of the application, in accordance with the provisions of this
Certification Policy.

** SSL CP, section 4.2.2.1: The IRM shall check the documentation by
consulting the whois database, verifying that the domain is registered,
by consulting valid registrars. A copy of the whois query is attached to
the validation act.

** SSL CP section 4.2.2.3, SSL EV and Electronic Office EV
Certificates: In the process of verification of the information and
documentation received, the following means may be used:
- Consultation to official public records in which the entity must be
registered in order to check availability, effect of charges and other
legal issues such as activity and date of establishment.
- Official Journals of national or regional public bodies belonging to
public bodies and enterprises.
- With regard to Internet addresses and domains, ANF AC consults only
registrars accredited by ICANN / IANA for the domain names and addresses
associated with the certificate. In this query, it is verified:
-- That the holder (registrant) matches the subscriber.
-- People and contact information associated with that domain registration.
- One of the contact persons listed in the whois query shall be reached
in order to verify compliance of the certificate issuance request
associated with that domain.

** SSL CP section 4.10: ANF AC limits the set of email verification
addresses to the following: admin@domain, administrador@domain,
webmaster@domain, hostmaster@domain, postmaster@domain as well as any
address appearing in the technical or administrative contact field of
the “Whois” domain, regardless of the domains of the addresses.
ANF AC directly validates the identification of the e-mail address in the
whois, avoiding delegation of identification to third parties.
Subordinate CA certificates issued by ANF AC are managed directly and
exclusively by ANF AC, which in no case allows their operation by external
entities.

Root Certificate Download URL:
http://www.anf.es/es/certificates_download/ANF_Global_Root_CA_SHA256.cer

EV Policy OID: 1.3.6.1.4.1.18332.55.1.1.2.22

* Test Website: https://ssl.anf.es/

* OCSP: http://ocsp.anf.es/spain/AV

* CRL URL(s):
https://www.anf.es/crl/ANF_Global_Root_CA_arl.crl
https://www.anf.es/crl/ANF_High_Assurance_EV_CA1_SHA256.crl
NextUpdate for End-entity CRLs: 7 days

* Audit: Annual audits are performed by Auren, according to the WebTrust
criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1833&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1833&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1834&file=pdf

* Potentially Problematic Practices: None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from ANF to include the “ANF
Global Root CA” root certificate, enable the Websites trust bit, and
enable EV treatment.

At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.

Kathleen
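The e-mail rule quoted above from SSL CP section 4.10 (fixed local parts at the certificate's domain, plus whois technical/administrative contacts at any domain) can be made concrete as a check. The following is an added Python example, not code from ANF, Mozilla or the original post; the function names, the whois-contact list and the sample domains are the editor's assumptions. It goes slightly beyond the CP text to show two pitfalls a validation routine must avoid: a suffix match that would accept `admin@example.test.evil.test` for `example.test`, and a domain comparison that is case- or trailing-dot-sensitive.

```python
"""Added example, not ANF's or Mozilla's code: decides whether an address
may receive the domain-control challenge under the rule quoted from
ANF's SSL CP section 4.10. Names below are the editor's assumptions."""

# Local parts the CP permits in the form <local-part>@<domain>.
PERMITTED_LOCAL_PARTS = frozenset({
    "admin", "administrador", "webmaster", "hostmaster", "postmaster",
})


def normalize_domain(name: str) -> str:
    """Lower-case a DNS name and strip a trailing dot so that
    'EXAMPLE.TEST.' and 'example.test' compare equal."""
    return name.strip().rstrip(".").lower()


def split_address(address: str):
    """Return (local_part, normalized_domain), or None when the address
    does not contain exactly one '@' with text on both sides."""
    if address.count("@") != 1:
        return None
    local, _, domain = address.strip().partition("@")
    if not local or not domain:
        return None
    return local, normalize_domain(domain)


def is_permitted_validation_address(address, cert_domain, whois_contacts=()):
    """
    Return (allowed, reason) for sending the challenge to `address` when
    proving control of `cert_domain`.

    Two ways in, mirroring the CP text:
      1. a constructed address <permitted-local-part>@<cert_domain>; the
         domain must match exactly after normalization, never by suffix;
      2. any address listed as a whois technical or administrative contact
         (assumed to be passed in `whois_contacts`), whatever its domain.
    Local parts are compared case-insensitively here; that is a design
    choice of this example, not something the CP states.
    """
    parts = split_address(address)
    if parts is None:
        return False, "malformed address"
    local, domain = parts
    wanted = normalize_domain(cert_domain)

    if domain == wanted and local.lower() in PERMITTED_LOCAL_PARTS:
        return True, f"constructed address {local.lower()}@{wanted}"

    # Whois contacts are normalized the same way before comparison.
    contacts = set()
    for contact in whois_contacts:
        split = split_address(contact)
        if split is not None:
            contacts.add((split[0].lower(), split[1]))
    if (local.lower(), domain) in contacts:
        return True, "whois technical/administrative contact"

    if domain == wanted:
        return False, f"local part {local!r} not in the permitted set"
    return False, f"{domain} is not {wanted} and the address is not a whois contact"


if __name__ == "__main__":
    # Constructed sample inputs; registrar.test stands in for a whois contact
    # whose domain differs from the certificate's.
    whois = ["DNS-Ops@registrar.test"]
    for candidate in ("admin@example.test",
                      "Hostmaster@EXAMPLE.TEST.",
                      "admin@example.test.evil.test",
                      "security@example.test",
                      "dns-ops@registrar.test"):
        print(candidate, is_permitted_validation_address(candidate, "example.test", whois))
```

The suffix-match rejection is the part worth keeping in mind when reviewing any CA's validation code: "ends with the domain" is a common shortcut and it hands control of the challenge to whoever registered the longer name.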

Enric Castillo Font

Dec 10, 2015, 9:52:12 AM
to mozilla-dev-s...@lists.mozilla.org
Thanks Kathleen. I'm Enric Castillo from ANF Autoridad de Certificación, and I will be reviewing and answering your questions.

Thanks for your collaboration.

Kathleen Wilson

Jan 12, 2016, 7:17:04 PM
to mozilla-dev-s...@lists.mozilla.org
Does anyone need more time to review this request?

If not, and no one has any questions/concerns about this request, then I
will close this discussion and recommend approval in the bug.

Thanks,
Kathleen


Kathleen Wilson

Jan 19, 2016, 2:00:35 PM
to mozilla-dev-s...@lists.mozilla.org
ANF responded to all of the questions and concerns that were raised in
the first discussion, and no one has raised further questions or
concerns in this second discussion.

Therefore, I am closing this discussion and will recommend approval in
the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=555156

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen




Kathleen Wilson

Jan 28, 2016, 7:18:44 PM
to mozilla-dev-s...@lists.mozilla.org
To provide an update on this request...

Ryan re-reviewed the request and commented in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156#c90
And we are waiting for the CA to respond.

Depending on their response, some of the things he noted could result in
the CA needing to issue all new intermediate certs and/or get re-audited.

We will track the CA's responses and progress in the bug, and I will
re-open this discussion once all the concerns have been properly addressed.

Thanks,
Kathleen