Hi Wayne
> Thank you, I am now able to access the checklist. Unfortunately, item #4 of the checklist also lists obsolete domain validation methods including "any other method". Mozilla policy section 2.2(3) requires domain validation methods to be clearly described in the CA's CPS.
- You are referring to the comment section of #4.
The relevant section is the "check criteria".
In practice the CA will ask for an authorization letter which among others must contain the signature of the domain owner (see " Berechtigungsformular zum Bezug von SSL/TLS Zertifikaten",
https://www.bit.admin.ch/adminpki/00240/00241/05913/05914/index.html).
- 2.2(3) says: " The CA's CP/CPS must clearly specify the procedure(s) that the CA employs, and each documented procedure should state which subsection of 3.2.2.4 it is complying with."
In our opinion this does not mean that the very description has to be in CP/CPS itself.
We choose to "clearly specify the procedure " by referring to our checklist for this purpose (4.2.1).
The reference section of the CP/CPS wrongly states that this checklist is not publicly available. It is of course publicly available.
We will update this in the next revision of the CPS.
> Could you explain what a "direct contractual relationship" means?
A registration agent is identified beforehand with a NCP+ certificate and must sign a contract stating that he/she accepts the terms and conditions of the CA.
The registration agent may then use an online tool to file the registration request for a defined set of domains only.
Before further processing, the request will be checked by a CA employee against the checklist.
> This appears to be generic contact information, which is fine as long as it is monitored 24x7, however, I don't see any indication that this is the place where problem reports are accepted.
We take note of your opinion.
In practice, this contact information is indeed used for problem reporting.
We therefore assume that the indication is clear enough.
> Per section 2.2 of the BRs, this was required as of 8-September.
We fully agree.
> I am referring to BR section 2.2 paragraph 3 which states:
> The CA SHALL publicly give effect to these Requirements and represent
> that it will adhere to the latest published version. The CA MAY
> fulfill this requirement by incorporating these Requirements directly
> into its Certificate Policy and/or Certification Practice Statements
> or by incorporating them by reference using a clause such as the
> following (which MUST include a link to the
> official version of these Requirements):
> [Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates published at
http://www.cabforum.org. In the event of any inconsistency between this document and those Requirements, those Requirements > take precedence over this document.
> I believe this has been a requirement since version 1.0 of the BRs.
We fully agree. Compliance is already mentioned in paragraph 8.4: "SG Root CA III is compliant to ETSI 102.042 V 2.4.1 with EV requirements and to the Guidelines and Baseline Requirements published by the CA/Browser Forum [17] [18] [19] and covers all aspects of a Web Trust certification.". We will further update the CPS with a more specific statement.
Best Regards
Michael
-----Ursprüngliche Nachricht-----
Von: dev-security-policy [mailto:
dev-security-policy-bounces+michael.vonniederhaeusern=
bit.ad...@lists.mozilla.org] Im Auftrag von wthayer--- via dev-security-policy
Gesendet: Mittwoch, 15. November 2017 19:56
An:
mozilla-dev-s...@lists.mozilla.org
Betreff: Re: Swiss Government root inclusion request
Thank you, I am now able to access the checklist. Unfortunately, item #4 of the checklist also lists obsolete domain validation methods including "any other method". Mozilla policy section 2.2(3) requires domain validation methods to be clearly described in the CA's CPS.
>
> >> - The answer to the self-assessment question 1.3.2 on Delegated Third Parties states that “CA does not allow initial identity validation delegated to third parties”; however, CPS section 1.3.2 uses the [undefined] term 'Registration Agent' to describe what appears may be a Delegated Third Party in 1.3.2.3.
>
> It may appear to be, but it is not. All 'Registration Agent's are public employees, mandated, trained and checked by the CA in a direct contractual relationship with the CA.
>
Could you explain what a "direct contractual relationship" means?
>
> >> - BR 4.9.3 requires the CA to publicly disclose instructions for problem reporting through a readily accessible online means. Section 4.10.2 of the CPS states that ‘High-Priority Certificate Problem Reports can be submitted on the SG PKI Homepage 24x7’ but I don’t find any clear reference to problem reporting at
https://www.bit.admin.ch/adminpki/.
>
> See
https://www.bit.admin.ch/adminpki/00252/index.html?lang=de. The BIT Service Desk is available 24/7 for high priority problem reports.
>
This appears to be generic contact information, which is fine as long as it is monitored 24x7, however, I don't see any indication that this is the place where problem reports are accepted.
>
Per section 2.2 of the BRs, this was required as of 8-September.
>
> >> - The CP/CPS doesn’t include the conformance statement required by BR section 2.2.
>
> The CP/CPS is dated 2017-08-17, at that date no conformance statement was required. We will update this in the next revision of the CPS.
>
I am referring to BR section 2.2 paragraph 3 which states:
The CA SHALL publicly give effect to these Requirements and represent that it will adhere to the latest published version. The CA MAY fulfill this requirement by incorporating these Requirements directly into its Certificate Policy and/or Certification Practice Statements or by incorporating them by reference using a clause such as the following (which MUST include a link to the official version of these Requirements):
[Name of CA] conforms to the current version of the Baseline Requirements for the Issuance and Management of Publicly‐Trusted Certificates published at
http://www.cabforum.org. In the event of any inconsistency between this document and those Requirements, those Requirements take precedence over this document.
I believe this has been a requirement since version 1.0 of the BRs.
>
> >> - The CP/CPS doesn’t specify how it is licensed per Mozilla policy 3.3(3).
>
> We fully accept Mozilla policy 3.3, but this is not something that has
> to be mentioned in a CP/CPS. As in 3.3 (3): If no such license is
> indicated, the fact of application is considered as permission from
> the CA to allow Mozilla and the public to deal with these documents,
> and any later versions for root certificates which are included in
> Mozilla's trust store, under CC-BY-ND 4.0
>
> >> - Section 4.1.1 of the CPS describes the enrollment process but does not mention how suspicious certificate requests are identified.
>
> The checklist is published here:
http://www.pki.admin.ch/public/83823_Checkliste-Genehm-SSL-TLS-ZertifAntr-CAs-SwissGov-PKI-160513-e_pub.pdf and linked on our product information page:
https://www.bit.admin.ch/adminpki/00240/00241/05913/05914/index.html?lang=de .
>
> >> - Section 4.2.1 of the CPS does not provide any information on high risk certificate requests.
>
> That’s on the checklist (see above)
>
> >> - Section 4.2.2 makes 'Domain names within the range assigned to the requesting Registration Agent (as of 3.2.3)' a 'Condition for Approval', but section 3.2.3 is titled ‘Authentication of individual identity’ and doesn’t appear to describe domain restrictions.
>
> That’s on the checklist, too (see above)
>
> >> - Section 7.1.2.3 refers the reader to the 'Object Identifiers' document at
https://www.bit.admin.ch/adminpki/00243/index.html?lang=de for subscriber certificate profiles. I believe the reference should be to the 'CA Layout and Policies' document at the same location.
>
> Yes you’re right, the text should refer to [29] not [30]. We will update this in the next revision of the CPS.
>
> >> Please note that responses to section 3 of the BR self-assessment included references to a “Checklist”, but I’m unable to load
http://www.pki.admin.ch/public/83823_Checkliste-Genehm-SSL-TLS-ZertifAntr-CAs-SwissGov-PKI-160513-e_pub.pdf (I get a 404), so my comments do not reflect any information contained therein.
>
> The document was available as of 2017-11-15, 0650 UTC. We will observe the availability and try to figure out why you receive a 404 error.
>
>
> If you have further questions or remarks, I am happy to help.
>
> Regards
> Michael