TeliaSonera has applied to add the “TeliaSonera Root CA v1” root
certificate and enable the websites and email trust bits. TeliaSonera
currently has two root certificates included in NSS, “Sonera Class1 CA”
and “Sonera Class2 CA”, that were included as per bug #258416.
TeliaSonera provides telecommunication services in the Nordic and Baltic
countries, the emerging markets of Eurasia, including Russia and Turkey,
and in Spain.
* This root cert has internally-operated subordinate CAs for server,
client, and TeliaSonera internal certificates
* The request is to enable the websites and email trust bits.
* Server Cert CPS section 3.2.3: TeliaSonera has two different server
1) SSL order by public electronic form: TeliSonera authenticates the
administrative contact person defined in the certificate application by
calling the contact person via the Customer’s PBX number or when there
is no switchboard, by making a call to some other number in the
organization, which is looked up from a directory maintained by a third
2) SSL order using TeliaSonera’s self service software: The Customer can
make an agreement with TeliaSonera to act as a Registration Officer
within the Customer Organization (Full SSL Service) and to register
TeliaSonera Server certificates using TeliaSonera’s RA system for
Customers. The Customer Registration Officer is restricted to register
certificates only within their own Organization (O) and the domain names
authorized by the CA. Before enabling the service or adding new
authorized Organization or domain names, the CA verifies the
organization identity and the domain names as described in the section
When registering Subjects, the identity of the Registration Officer is
verified by means of the Registration Officer’s certificate issued by a
* Server Cert CPS section 3.2.2: TeliaSonera verifies domain names and
IP addresses from a database maintained by a reliable third party
registrar e.g.e “domain.fi” (for domain “.fi”), iis.se (for domain
“.se”), ripe.net (for IP addresses) and
www.networksolutions.com/whosis-search (for non-country domains), that
as of the date the Certificate was issued, the Aplication either had the
right to use, or had control of, the Fully-Qualified Domain Names(s) and
IP address(es) listed int e Certificate, or was authorized by a person
having such right or contgrol (e.g. under a Principal-Agent or
Licensor-Licensee relationship) to obtain a Certificate Containing the
Fully-Qualfiied Domain mames(s) and IP address(es).
* Bug Comment #2: In enterprise RA cases when Customer Registration
Officer is allowed to enroll server certificates for his/her
organization each organization and domain value is first inspected by
TeliaSonera Registration Officer using the documented checking rules.
Then the values are added to the configuration of that customer so that
later the customer can use same values without a new verification.
* Organizational User Cert CPS section 3.2.3: The procedures to
authenticate the identity of the Subject vary between the different
TeliaSonera certificate services:
** TeliaSonera Class 1 CA v1 – TeliaSonera or Customer Registration
Officer is responsible for authenticating the Subject data according to
Organization’s internal policies. Subject authentication is typically
based on a previously recorded ownership of Customer’s email address,
device, or mobile phone number.
If Common Name or dnsName field of Subject Alternative Name includes
public domain names, TeliaSonera verifies that Customer Organization has
right to use them by checking the ownership from the official records
(e.g. domain.fi (.fk), iis.se (.se) or
www.networksolutions.com/whoi-search). A written permission from the
registered legal owner is an alternative.
TeliaSonera verifies the ownership of an email address by sending a
one-time-password to the applied email-address. Then the Subject entity
must use the password within limited time frame to prove the access to
the email-address. In Enterprise RA cases email-address can be taken
from reliable internal source of the Subscriber without additional
verification by one-time-password.
** TeliaSonera Class 2 CA v1 – Customer or TeliaSonera Registration
Officer is responsible for authenticating the Subject. The Registration
Officers are obliged to follow the policies and instructions given by
The Registration officer should use Organization’s previously recorded
directories, databases or other similar information on Organization’s
employees, partners or devices to verify the Subject information
including the email address, Or the Registration Officer should verify
the information by checking the Subject’s identity card.
** TeliaSonera Email CA v3 – Certificates are issued to employees within
the TeliaSonera Group and individuals contracted by TeliaSonera. The
Subscriber is authenticated using a username and password and
information stored in TeliaSonera’s directories or databases.
Potentially Problematic Practices
* Issuing end entity certificates directly from roots
** Bug Comment #2: We are stopping this problematic practice during this
year when our new TeliaSonera CAs are replacing the old Sonera CAs.
This begins the discussion of the request from TeliaSonera to add the
“TeliaSonera Root CA v1” root certificate and enable the websites and
email trust bits. At the conclusion of this discussion, I will provide a
summary of issues noted and action items. If there are no outstanding
issues, then this request can be approved. If there are outstanding
issues or action items, then an additional discussion may be needed as