
Firmaprofesional Root Inclusion Request


Kathleen Wilson

Aug 27, 2010, 6:35:07 PM
to mozilla-dev-s...@lists.mozilla.org
Firmaprofesional has applied to add the “Autoridad de Certificacion
Firmaprofesional CIF A62634068” root certificate, and to enable all
three trust bits.

Firmaprofesional is a commercial CA in Spain that issues certificates to
professional corporations, companies and other institutions. Their main
activity is the generation, transmission and distribution of digital
certificates through professional corporations, companies or other
institutions, which act as Registration Authorities and Certification
Authorities in the Firmaprofesional certification hierarchy.
Firmaprofesional has a network of more than 70 Registration Authorities
located throughout Spain.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=521439

And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#Firmaprofesional

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=464156

Noteworthy points:

* This is a renewal for the Firmaprofesional root certificate that is
currently in NSS, which was evaluated for inclusion in bug #342426.
* Sub-CAs of the new root cross-sign end-entity certs with sub-CAs of
the old root, in order to maintain business continuity.
* This root CA signs subordinate CAs that sign end-entity certificates.
One sub-CA is used by Firmaprofesional, and other sub-CAs are issued for
organizations, including professional corporations, companies or other
institutions, which act as Registration Authorities and Certification
Authorities in the Firmaprofesional certification hierarchy.
* All of the sub-CAs are internally operated by Firmaprofesional.

* The CP and CPS documents are in Spanish. English translations of
certain sections are provided in the Information Gathering and
Verification document.

CPS: http://www.firmaprofesional.com/cps/FP_CPS_5.pdf
SSL CP: http://www.firmaprofesional.com/cps/FP_CP_SSL_4.pdf
Code Signing CP:
http://www.firmaprofesional.com/cps/FP_CP_FirmaCodigo_4.pdf

* The request is to enable all three trust bits.

* SSL: Firmaprofesional does not delegate issuance of SSL certificates
to third parties, so in the context of SSL certificates, RA refers to
Firmaprofesional.

* CPS Section 3.2.5: To ensure that an entity requesting a certificate has
control over the domain (URL) named in the request, two types of checks
are used:
** Organizational: a declaration of ownership of the domain name, certified
by a legal representative of the organization.
** Technical: the following whois services are queried:
o For “*.es” domains:
https://www.nic.es/sgnd/dominio/publicInformacionDominios.action
o For all other domains:
https://www.networksolutions.com/whois/index.jsp

* SSL CP section 4.1: The RA is responsible for processing applications
and issuing certificates, always in compliance with the general terms
described in the CPS. The steps for obtaining the certificate are detailed
below:
a) Request: Must be submitted by the applicant, meeting the requirements
described in the CPS and presenting at least the following documentation:
** The authorization of the applicant organization to the person making
the request for issuing the certificate.
** The identity of the individual.
** The ownership of the domain name, certified by a legal representative
of the organization.
** Accreditation, by a reliable means, of the legal existence of the
entity.
b) Acceptance of the application: The RA will verify the applicant's
identity, the applicant's relationship with the entity, the entity's
existence and the data to be included in the certificate.

* Code Signing: Firmaprofesional does not delegate issuance of Code
Signing certificates to third parties, so in the context of Code Signing
certificates, RA refers to Firmaprofesional.

* CP section 4.1: The RA is responsible for processing applications and
issuing certificates in compliance with the procedures described in the
CPS. The steps for obtaining the certificate are:
a) Request: Must be submitted by the applicant, meeting the requirements
described in the CPS, and with the following:
** The applicant must be authorized to request the certificate.
** The applicant must submit the documentation required by the RA to
process the application.
b) Acceptance of the application: The RA will verify the applicant's
identity, the link between the subscriber and the entity, and the data to
be included in the certificate.

* Email validation is delegated to third party RAs.

* Comment from Firmaprofesional: It is not the individual (the person
whose personal data is going to be in the "subject field") who provides
the data to be included in the certificate, but a legal representative.
And this data is collected from the company's or professional
association's database.

* CPS Section 3.2.6: In general, the signatories are people associated
with the Registration Authority (e.g., colleges, members of associations,
etc.). In such cases it is not the signatory who requests a specific
email address to be included in the certificate; the RA itself obtains
the address by consulting its database. In cases where the signatory
does not have any link with the RA, control of the e-mail address is
verified by challenge and response to the requested address.

* CPS section 8.4.1: RAs have to pass a yearly audit performed by an
independent third party. The scope of that audit ranges from procedural
issues to logical security points. Third-party RAs can only issue
certificates to end-entities closely related to the RA. Most of these RAs
are professional associations, and they can only issue certificates to
their own members.
* CPS section 1.3.3: The following may act as RAs for Firmaprofesional:
** Professional colleges, professional corporations and councils of
professional colleges, for their members, or for applicants who maintain
some kind of relationship with the organization as employees, partners,
customers or suppliers. Only colleges or professional corporations may
register applicants as their members, because they alone have the
capacity to certify member status.
** Companies and private entities, for applicants who maintain some kind
of relationship with the organization as employees, partners, customers
or suppliers.
** Firmaprofesional directly, for any type of certificate.
** Firmaprofesional contractually formalizes its relationship with each of
the entities that act as RAs in the Firmaprofesional Certification System.
** Where the geographical location of subscribers represents a logistical
problem for subscriber identification and for the application for and
delivery of certificates, the RA may delegate these functions to a trusted
entity. This entity must have a special bond with the RA and a close
relationship with the subscribers of the certificates to justify the
delegation.
** The trusted entity must sign a partnership agreement with the RA on the
acceptance of delegation of these functions. Firmaprofesional must know
of and explicitly authorize the agreement.


* Firmaprofesional is not requesting EV-enablement at this time.

* Test Website: https://www.firmaprofesional.com

* ARL: http://crl.firmaprofesional.com/fproot.crl
* CRL: http://crl.firmaprofesional.com/firmaprofesional1.crl
(NextUpdate: 7 days)
* OCSP: http://servicios.firmaprofesional.com/ocsp

* Audit: Ernst & Young performed the audit according to the WebTrust CA
criteria, and the audit report is posted on the webtrust.org website:
https://cert.webtrust.org/ViewSeal?id=946 (2009.07.28).

This begins a one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved. If there are
outstanding issues or action items, then an additional discussion may be
needed as follow-up.

Kathleen


Kathleen Wilson

Sep 7, 2010, 3:59:39 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/27/10 3:35 PM, Kathleen Wilson wrote:
> Firmaprofesional has applied to add the “Autoridad de Certificacion
> Firmaprofesional CIF A62634068” root certificate, and to enable all
> three trust bits.
>
> Firmaprofesional is a commercial CA in Spain that issues certificates to
> professional corporations, companies and other institutions. Their main
> activity is the generation, transmission and distribution of digital
> certificates through professional corporations, companies or other
> institutions, which act as Registration Authorities and Certification
> Authorities in the hierarchy of certification Firmaprofesional.
> Firmaprofesional has a network of more than 70 Registration Authorities
> located throughout Spain.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=521439
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#Firmaprofesional
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=464156
>
> Noteworthy points:
>
> * This is a renewal for the Firmaprofesional root certificate that is
> currently in NSS, which was evaluated for inclusion in bug #342426.

All,

Would at least two people please review and comment on this request?

Those of you with requests sitting in the public discussion queue can
help too. If you have a request in the Queue for Public Discussion, you
are directly impacted by the time it takes to work through the queue. If
no one reviews and contributes to a discussion, then a request may sit
in the discussion for weeks. When there are not enough people
contributing to the discussions ahead of yours, then your request will
sit in the queue longer.

https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public
discussions of root inclusion requests, or by asking a knowledgeable
colleague to do so.

What do reviewers look for?
Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

I look forward to your contributions in reviewing this and future requests.

Kathleen

Eddy Nigg

Sep 7, 2010, 4:07:37 PM
to mozilla-dev-s...@lists.mozilla.org
On 09/07/2010 10:59 PM, From Kathleen Wilson:

> Would at least two people please review and comment on this request?
>

Hopefully at the weekend my dear :-)

I've browsed through the introduction and it looks good as far as I can
see. Will spend some time soonish.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Eddy Nigg

Sep 12, 2010, 7:22:02 PM
to mozilla-dev-s...@lists.mozilla.org
On 08/28/2010 01:35 AM, From Kathleen Wilson:

> Firmaprofesional has applied to add the “Autoridad de Certificacion
> Firmaprofesional CIF A62634068” root certificate, and to enable all
> three trust bits.

First of all I'd be interested to know where the CA root is. The URL
http://crl.firmaprofesional.com/carootnew.crt doesn't work for me.

> Firmaprofesional has a network of more than 70 Registration
> Authorities located throughout Spain.

As noted by Kathleen in the bug, this could be a source for concern...

> * CPS Section 3.2.5: To ensure that a requesting entity has control
> over the domain (URL) requesting a certificate include uses two types
> of checks:
> ** Organizational: requesting ownership of the domain name, certified
> by a legal representative of the organization.
> ** Technical: The following services are queried whois authenticated:
> o For domains “*.es”:
> https://www.nic.es/sgnd/dominio/publicInformacionDominios.action
> o For the rest of domains:
> https://www.networksolutions.com/whois/index.jsp

...especially with relying on them to establish domain control or
ownership. And is the Network Solutions search page authoritative for all
domain name extensions? I highly doubt that...


> a) Request: Must be submitted by the applicant, meeting described in
> the CPS and with the following:
> ** The applicant must be authorized to request the certificate.
> ** The applicant must submit the documentation required by the RA to
> process the application.
> b) Acceptance of the application: The RA will verify the applicant's
> identity and linking the subscriber with the entity and data to
> include in the certificate.

Obviously we would like to know how this is done. Because the very same
information is used to verify domain control or ownership (btw, is this
done also by the RA???)

>
> * Email validation is delegated to third party RAs.

This might be a problem, email and domain control validation shouldn't
be outsourced to third parties according to the problematic practices.

>
> * Comment from Firmaprofesional: It is not the individual (the person
> whose personal data is going to be in the "subject field") who
> provides the data to be included in the certificate, but a legal
> representative. And this data is collected from de company's or
> professional association's database.

How is control over an email address established?

>
> * CPS Section 3.2.6: In general, the signatories are people associated
> with the Registration Authority (eg, colleges, members of
> associations, etc.) In such cases it is not the signatory who is
> requesting a specific email address to be included in the certificate
> but the RA itself, by consulting its database, gets the address.

So this is basically self-attestation?

>
> * CPS section 8.4.1: RAs have to pass a yearly-based audit perform by
> a third, independent party.

OK, I'd like to learn a bit more about that and what it means. Who is that
third party and what are the audit criteria?

> ** Schools, Professional Corporations and Professional Schools
> Councils, for their professional associations or for applicants who
> maintain some kind of relationship with the organization as employees,
> partners, customers or suppliers. Only Colleges or professional
> corporations may be registered for their college or members, because
> they have the capacity certification exclusively, on the peer or
> member status.
> *** Companies and private entities, for applicants who maintain some
> kind of relationship with the organization as employees, partners,
> customers or suppliers.

We have to talk about this some more... it appears that just about any
interested party can become an RA for Firmaprofesional, but this isn't
an easy task at all. How are those RAs trained, how is data handled and
archived, how are verifications performed and, according to the above,
audited? Aren't those RAs basically asserting their own information? Which
assurances do relying parties have about those 70+ RAs performing these
CA-specific tasks?

Kathleen Wilson

Sep 13, 2010, 2:32:14 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/12/10 4:22 PM, Eddy Nigg wrote:
> On 08/28/2010 01:35 AM, From Kathleen Wilson:
>> Firmaprofesional has applied to add the “Autoridad de Certificacion
>> Firmaprofesional CIF A62634068” root certificate, and to enable all
>> three trust bits.
>
> First of all I'd be interested to know where the CA root is. The URL
> http://crl.firmaprofesional.com/carootnew.crt doesn't work for me.
>
>> Firmaprofesional has a network of more than 70 Registration

Eddy, thank you for reviewing this request and providing your feedback.

All, Would at least one other person please review and comment on this
request?

It appears that the cert download url has changed to:
http://crl.firmaprofesional.com/caroot.crt

I'll update the pending page to represent this change.

A representative of Firmaprofesional shall respond to the rest of your
comments.

Thanks,
Kathleen

Eddy Nigg

Sep 13, 2010, 5:20:07 PM
to mozilla-dev-s...@lists.mozilla.org
On 09/13/2010 08:32 PM, From Kathleen Wilson:

> It appears that the cert download url has changed to:
> http://crl.firmaprofesional.com/caroot.crt
>

Just a thought for Firmaprofesional about the choice of the hash. Didn't
Firmaprofesional consider using a SHA2 based hash for the new
certificate? It would probably steer them clear from another root update
within the next few years or so...

chemalogo

Sep 14, 2010, 7:30:52 AM
to mozilla-dev-s...@lists.mozilla.org
Thanks for your comments, Eddy.

Indeed, we considered the possibility of using SHA-2 as the hashing
algorithm, but as you know, other widespread software manufacturers
do not guarantee its support in the short term and therefore we
decided to go out with SHA-1, even knowing the consequences that you
very rightly point out.

Other CSPs, such as the Spanish DNIe, have opted to issue two CA
certificates, one with SHA1 and one with SHA2.

We think we can always issue a second SHA2 certificate.

Thanks for your comments.


On Sep 13, 11:20 pm, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 09/13/2010 08:32 PM, From Kathleen Wilson:
>
> > It appears that the cert download url has changed to:
> > http://crl.firmaprofesional.com/caroot.crt
>
> Just a thought for Firmaprofesional about the choice of the hash. Didn't
> Firmaprofesional consider using a SHA2 based hash for the new
> certificate? It would probably steer them clear from another root update
> within the next few years or so...
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> XMPP: start...@startcom.org
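
The exchange above turns on which digest a root certificate is signed with, something a relying party can check for itself before deciding whether a root update is coming. The script below is an added example (Python, standard library only); it is not code from this thread, from Mozilla, or from Firmaprofesional. It walks the DER structure of an X.509 certificate far enough to read the signature algorithm OID, checks that the copy inside tbsCertificate matches the outer signatureAlgorithm as RFC 5280 requires, and flags MD5 and SHA-1. The sample certificate it parses is constructed by the script itself (an unsigned skeleton, not a real Firmaprofesional certificate); point it at a real DER or PEM file such as caroot.crt to check an actual root.

```python
"""Report the digest behind a certificate's signature algorithm (added example)."""
import base64

# Signature algorithm OIDs (RFC 3279, RFC 4055, RFC 5758) and the digest each uses.
SIG_ALG_DIGEST = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",
    "1.2.840.113549.1.1.13": "sha512",
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
}
WEAK_DIGESTS = {"md5", "sha1"}


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Content octets of an OBJECT IDENTIFIER -> dotted text."""
    first = value[0]
    arcs = ["2", str(first - 80)] if first >= 80 else [str(first // 40), str(first % 40)]
    n = 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(n))
            n = 0
    return ".".join(arcs)


def algorithm_oid(alg_ident):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = read_tlv(alg_ident, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def signature_digest(cert_bytes):
    """Return (oid, digest, is_weak) for a DER- or PEM-encoded certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    tbsCertificate carries its own copy of the algorithm; RFC 5280 4.1.2.3 requires
    it to equal the outer one, so a mismatch is an error rather than trusted.
    """
    if cert_bytes.lstrip().startswith(b"-----BEGIN"):
        lines = [l for l in cert_bytes.splitlines() if not l.startswith(b"-----")]
        cert_bytes = base64.b64decode(b"".join(lines))
    _, cert, _ = read_tlv(cert_bytes, 0)
    _, tbs, pos = read_tlv(cert, 0)
    _, outer_alg, _ = read_tlv(cert, pos)
    # tbsCertificate: [0] version OPTIONAL, serialNumber INTEGER, signature AlgorithmIdentifier, ...
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # explicit version tag present, skip it
        tag, _, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    _, inner_alg, _ = read_tlv(tbs, pos)
    inner, outer = algorithm_oid(inner_alg), algorithm_oid(outer_alg)
    if inner != outer:
        raise ValueError(f"tbsCertificate.signature {inner} != signatureAlgorithm {outer}")
    digest = SIG_ALG_DIGEST.get(outer, "unknown")
    return outer, digest, digest in WEAK_DIGESTS


# --- constructed sample input: a tiny DER encoder, not a real certificate ---

def encode_tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out.extend(reversed(chunk))
    return encode_tlv(0x06, bytes(out))


def sample_certificate(sig_oid):
    """Unsigned skeleton with just enough structure to exercise the parser."""
    alg = encode_tlv(0x30, encode_oid(sig_oid) + encode_tlv(0x05, b""))  # OID + NULL params
    tbs = encode_tlv(0x30, encode_tlv(0xA0, encode_tlv(0x02, b"\x02"))   # version v3
                     + encode_tlv(0x02, b"\x01")                          # serialNumber 1
                     + alg                                                 # signature
                     + encode_tlv(0x30, b"") * 4)                          # issuer/validity/subject/SPKI placeholders
    return encode_tlv(0x30, tbs + alg + encode_tlv(0x03, b"\x00" * 9))    # dummy signatureValue


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_certificate("1.2.840.113549.1.1.5")
    oid, digest, weak = signature_digest(data)
    print(oid, digest, "WEAK" if weak else "ok")
```

Run it with no argument to see the constructed SHA-1 sample flagged; run it with a path to a .crt file to inspect a real root. The parser only reads the two AlgorithmIdentifier fields, so it does not validate the signature itself and is not a substitute for a full X.509 library.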

chemalogo

Sep 15, 2010, 8:44:51 AM
to mozilla-dev-s...@lists.mozilla.org
On Sep 13, 1:22 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 08/28/2010 01:35 AM, From Kathleen Wilson:
>
> > Firmaprofesional has applied to add the “Autoridad de Certificacion
> > Firmaprofesional CIF A62634068” root certificate, and to enable all
> > three trust bits.
>
> First of all I'd be interested to know where the CA root is. The URL
> http://crl.firmaprofesional.com/carootnew.crt doesn't work for me.

As Kathleen said, it is now available at http://crl.firmaprofesional.com/carootnew.crt.
It takes so much time to gain admission to Mozilla that the CA is no
longer new.

>
> > Firmaprofesional has a network of more than 70 Registration
> > Authorities located throughout Spain.
>
> As noted by Kathleen in the bug, this could be a source for concern...

Only if one does not have the necessary controls and the legal
instruments.

>
> > * CPS Section 3.2.5: To ensure that a requesting entity has control
> > over the domain (URL) requesting a certificate include uses two types
> > of checks:
> > ** Organizational: requesting ownership of the domain name, certified
> > by a legal representative of the organization.
> > ** Technical: The following services are queried whois authenticated:
> > o For domains “*.es”:
> > https://www.nic.es/sgnd/dominio/publicInformacionDominios.action
> > o For the rest of domains:
> > https://www.networksolutions.com/whois/index.jsp
>
> ...specially with relying on them for establish domain control or
> ownership. And is Network Solutions search page authoritative for all
> domain name extensions? I highly doubt that...

Regarding this issue I would like to remark the following:
- There are TWO complementary controls, one organizational and one
technical.
- The legal enforcement is linked to the organizational control, since
a contract is signed by a representative of the company.
- As far as we have operated with Network Solutions, we haven't found any
problem.
- And finally, as we stated on 30/06/2010, we would like to clarify
that the sole and only RA that can issue SSL (and code-signing)
certificates is Firmaprofesional itself and no other RA.

>
> > a) Request: Must be submitted by the applicant, meeting described in
> > the CPS and with the following:
> > ** The applicant must be authorized to request the certificate.
> > ** The applicant must submit the documentation required by the RA to
> > process the application.
> > b) Acceptance of the application: The RA will verify the applicant's
> > identity and linking the subscriber with the entity and data to
> > include in the certificate.
>
> Obviously we would like to know how this is done. Because the very same
> information is used to verify domain control or ownership (btw, is this
> done also by the RA???)

I will try to explain it with a hopefully more accurate translation
and some comments:

The request must be made by the applicant, meeting the requirements
described in the CPS and presenting at least the following documents:
- Approval of the requesting organization for the individual making
the request for the issuance of the certificate.
- The identity of the individual (ID card, passport).
- The ownership of the domain name, certified by a legal
representative of the organization.
- Accreditation by a reliable means (in terms of law) of the existence
of the entity.

So it is necessary to present documentation legally binding the domain
to the organization, and also binding the individual who “signs” the
request to the organization.

> > * Email validation is delegated to third party RAs.
>
> This might be a problem, email and domain control validation shouldn't
> be outsourced to third parties according to the problematic practices.

This is one of the tasks of an RA, by definition. The RA does not
outsource this validation; the RA performs the validation.

> > * Comment from Firmaprofesional: It is not the individual (the person
> > whose personal data is going to be in the "subject field") who
> > provides the data to be included in the certificate, but a legal
> > representative. And this data is collected from de company's or
> > professional association's database.
>
> How is control over an email address established?

The validation is performed in a challenge/response basis.

> > * CPS Section 3.2.6: In general, the signatories are people associated
> > with the Registration Authority (eg, colleges, members of
> > associations, etc.) In such cases it is not the signatory who is
> > requesting a specific email address to be included in the certificate
> > but the RA itself, by consulting its database, gets the address.
>
> So this is basically self-attestation?

The organization ACME requests a certificate for individual X (who works
for the organization), with e-mail x...@acme.com. This e-mail is
controlled by the organization.

> > * CPS section 8.4.1: RAs have to pass a yearly-based audit perform by
> > a third, independent party.
>
> OK, I like to learn a but more about that and what it means. Who is that
> third party and what is the audit criteria?

As said in June:
- Audit goal is to ensure that the operations RAs perform meet:
+ Legal requirements (Spanish Law 59/2003 of December 19, on
electronic signature)
+ Operational requirements established in the Certification Practice
Statement (CPS) of Firmaprofesional
+ Recommendations of regulatory bodies (ETSI 101 456, Policy
Requirements for Certification Authorities Issuing Qualified
Certificates)

- Audit scope. The elements to be evaluated can be classified into
the following areas:
+ Procedures (PRO): to assess whether the staff has the necessary
training to act as RA Operator and performs operations in
accordance with the procedures established by Firmaprofesional.
# Theoretical skills, through RA Operator tests.
# Practical skills, through RA Operator test operations with the
registration application.
# Documentation, through a sample of the documentation gathered for a
randomly selected certificate. Is the documentation complete?
# ...
+ Logical Security (SEL): to assess the correct configuration of
the computers from which RA operators access the registration application.
# OS version and patches
# Antivirus version, patches and updating policy, as well as
level of
# Password quality, automatic log-out, screensaver, ...
# ...
+ Physical Security (SEF): to assess the archiving and custody of
the registration documentation and of the RA Operators' authentication
devices, as performed by the RA and its registration operators.
# Documentation archiving: facilities, security levels, ...
# RA Operator authentication device: device management, PIN
management, ...
# ...

There is more than one provider, but the most representative is
Ernst & Young.

Also, we have WebTrust for CA seal. You know the scope and the audit
criteria.

> > ** Schools, Professional Corporations and Professional Schools
> > Councils, for their professional associations or for applicants who
> > maintain some kind of relationship with the organization as employees,
> > partners, customers or suppliers. Only Colleges or professional
> > corporations may be registered for their college or members, because
> > they have the capacity certification exclusively, on the peer or
> > member status.
> > *** Companies and private entities, for applicants who maintain some
> > kind of relationship with the organization as employees, partners,
> > customers or suppliers.
>
> We have to talk about this some more....it appears to be just about any
> interested party can become an RA for Firmaprofesional, but this isn't
> an easy task at all. How are those RAs trained, data handled and
> archived, verifications performed and according to the above, audited?
> Aren't those RAs basically asserting their own information? Which
> assurances do relying parties have about those 70+ RAs performing these
> CA specific tasks.

I do not understand the last question. Which CA-specific tasks are the
RAs performing?
Of course there is in-person training and an immediate audit after
training, covering the three domains mentioned above: PRO, SEL, SEF.

Each RA is responsible for archiving, in a secure manner, the
documentation gathered during the registration process. The audit covers
this issue, asking for the documentation related to a randomly selected
certificate.

Verifications are performed according to the CPS and the points discussed
above.

> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.

> XMPP:    start...@startcom.org
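
The reply above answers "how is control over an email address established?" with "challenge/response" but does not say what a sound implementation of that check looks like. The class below is an added example (Python, standard library only) and is not code from this thread or from Firmaprofesional's registration software. It mails a random token to the address that will appear in the certificate, binds the token to that address and an expiry with an HMAC so a token issued for one mailbox cannot be replayed to validate another, compares in constant time, and accepts each token once. The `outbox` list and the `key` argument are constructed stand-ins for a mail gateway and a secret store; `TOKEN_TTL` is an assumed validation window.

```python
"""Challenge/response proof of control over an e-mail address (added example)."""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600  # assumed: a token is valid for one day


class EmailChallenge:
    def __init__(self, key: bytes, now=time.time):
        self.key = key          # server-side secret; stand-in for a real secret store
        self.now = now          # injectable clock so expiry can be tested
        self.outbox = []        # constructed stand-in for the mail gateway
        self.used = set()       # tokens already redeemed (single use)

    def _mac(self, address: str, nonce: str, expires: int) -> str:
        # Bind the token to the normalised address and its expiry, not just the nonce.
        msg = f"{address.strip().lower()}|{nonce}|{expires}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def issue(self, address: str) -> str:
        """Generate a token and 'send' it to the address; only the mailbox owner sees it."""
        nonce = secrets.token_urlsafe(16)
        expires = int(self.now()) + TOKEN_TTL
        token = f"{nonce}.{expires}.{self._mac(address, nonce, expires)}"
        self.outbox.append((address, token))
        return token

    def verify(self, address: str, token: str) -> bool:
        """True only for an unexpired, unused token issued for exactly this address."""
        try:
            nonce, expires_text, mac = token.split(".")
            expires = int(expires_text)
        except ValueError:
            return False
        if self.now() > expires or token in self.used:
            return False
        if not hmac.compare_digest(mac, self._mac(address, nonce, expires)):
            return False
        self.used.add(token)
        return True


if __name__ == "__main__":
    ra = EmailChallenge(secrets.token_bytes(32))
    sent = ra.issue("x@acme.com")
    print("replay to another address accepted:", ra.verify("other@acme.com", sent))
    print("correct address accepted:", ra.verify("x@acme.com", sent))
    print("second use accepted:", ra.verify("x@acme.com", sent))
```

The point of binding the address into the MAC is the case Eddy raised: when the RA, not the subscriber, supplies the address from its own database, the token proves that whoever controls that mailbox took part, and nothing else; a token that would validate any address would prove only that someone, somewhere, received a mail.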

chemalogo

unread,
Sep 15, 2010, 8:54:03 AM9/15/10
to mozilla-dev-s...@lists.mozilla.org
On Sep 13, 1:22 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
>   On 08/28/2010 01:35 AM, From Kathleen Wilson:
>
> >Firmaprofesionalhas applied to add the “Autoridad de Certificacion
> >FirmaprofesionalCIF A62634068”rootcertificate, and to enable all
> > three trust bits.
>

> First of all I'd be interested to know where the CArootis. The URLhttp://crl.firmaprofesional.com/carootnew.crtdoesn't work for me.

As Kathleen said. Now it is available at http://crl.firmaprofesional.com/carootnew.crt.
It costs so much time gain admission to Mozilla that the CA is no
longer new

> >Firmaprofesionalhas a network of more than 70 Registration


> > Authorities located throughout Spain.
>
> As noted by Kathleen in the bug, this could be a source for concern...

Only if one does not have the appropriate controls and the legal
instruments.

> > * CPS Section 3.2.5: To ensure that a requesting entity has control


> > over the domain (URL) requesting a certificate include uses two types
> > of checks:
> > ** Organizational: requesting ownership of the domain name, certified
> > by a legal representative of the organization.
> > ** Technical: The following services are queried whois authenticated:
> > o For domains “*.es”:
> >https://www.nic.es/sgnd/dominio/publicInformacionDominios.action
> > o For the rest of domains:
> >https://www.networksolutions.com/whois/index.jsp
>
> ...specially with relying on them for establish domain control or
> ownership. And is Network Solutions search page authoritative for all
> domain name extensions? I highly doubt that...

Regarding this issue I would like to remark the following:


- There are TWO complementary controls. One Organizational and one
Technical.
- The legal enforcement is linked to the organizational control since
a contract is signed by a representative of the company.
- As far as we operate with Network Solutions we haven’t found any
problem
- And finally, as we stated on 30/06/2010, we would like to clarify
that the sole and only RA that can issue SSL (and Code-signing)
certificates it is Firmaprofesional itself and no other RA.

> > a)Request: Must be submitted by the applicant, meeting described in


> > the CPS and with the following:

> > ** The applicant must be authorized torequestthe certificate.


> > ** The applicant must submit the documentation required by the RA to
> > process the application.
> > b) Acceptance of the application: The RA will verify the applicant's
> > identity and linking the subscriber with the entity and data to
> > include in the certificate.
>
> Obviously we would like to know how this is done. Because the very same
> information is used to verify domain control or ownership (btw, is this
> done also by the RA???)

I will try to explain ti with a hopefully more accurate translation
and some comments:

Request must be made by the applicant, meeting the requirements
described in the CPS and presenting at least the following documents:
- Approval of the Requesting Organization to the individual making the
request for the issuance of the certificate.
- The identity of the individual (ID Card, Passport).

- The ownership of the domain name, certified by a legal
representative of the organization.


- Accreditation by a reliable means (in terms of law) of existence of
the entity.

So it is need to present documentation legally binding the domain with
the organization and the individual who “sign” the request with the
Organization as well.

> > * Email validation is delegated to third party RAs.

This is one of the tasks of a RA, by definition. The RA does not


outsources this validation, the RA performs the validation.

> This might be a problem, email and domain control validation shouldn't


> be outsourced to third parties according to the problematic practices.
>
>
>

> > * Comment fromFirmaprofesional: It is not the individual (the person


> > whose personal data is going to be in the "subject field") who
> > provides the data to be included in the certificate, but a legal
> > representative. And this data is collected from de company's or
> > professional association's database.
>
> How is control over an email address established?

The validation is performed in a challenge/response basis.

> > * CPS Section 3.2.6: In general, the signatories are people associated


> > with the Registration Authority (eg, colleges, members of
> > associations, etc.) In such cases it is not the signatory who is
> > requesting a specific email address to be included in the certificate
> > but the RA itself, by consulting its database, gets the address.
>
> So this is basically self-attestation?

The organization ACME request a certificate for individual (who works


for the organization) X, with e-mail x...@acme.com. This e-mail is
controlled by the organization.

> > * CPS section 8.4.1: RAs have to pass a yearly audit performed by
> > a third, independent party.
>
> OK, I'd like to learn a bit more about that and what it means. Who is that
> third party and what are the audit criteria?

As said in June:

- Audit goal is to ensure that the operations RAs perform meet:
+ Legal requirements (Spanish Law 59/2003 of December 19, on
electronic signature)
+ Operational requirements established in the Certification Practice
Statement (CPS) of Firmaprofesional
+ Recommendations of regulatory bodies (ETSI 101 456. Policy
Requirements for Certification Authorities Issuing qualified
certificates)

- Audit scope. The elements to be evaluated can be classified into the
following areas:
+ Procedures (PRO): to assess whether the staff has the necessary
training to perform as RA Operator and performs operations in
accordance with procedures established by Firmaprofesional.

* Theoretical skills through RA Operator tests.
* Practical skills through RA Operator test operations with the
registration application
* Documentation through a sample of documentation gathered for a
random certificate. Is the documentation complete?
* ...

+ Logical Security (SEL): to assess the correct configuration of
the computers from which RA operators access the registration application.

* OS version and patches
* Antivirus version, patches and updating policy as well as level
of protection
* Password quality, automatic log-out, screensaver,...
* ...

+ Physical Security (SEF): to assess archiving and custody of
registration documentation and of the RA Operator's authentication devices
used by the RA and its registration operators.

* Documentation archiving: facilities, security levels,...
* RA Operator authentication device: device management, PIN
management, ...
* ...

There is more than one provider, but the most representative is
Ernst&Young (R).

Additionally, Firmaprofesional has the WebTrust for CA seal. You know
the scope and audit criteria for this seal.

> > ** Schools, Professional Corporations and Professional Schools
> > Councils, for their professional associations or for applicants who
> > maintain some kind of relationship with the organization as employees,
> > partners, customers or suppliers. Only Colleges or professional
> > corporations may be registered for their college or members, because
> > they have the capacity certification exclusively, on the peer or
> > member status.
> > *** Companies and private entities, for applicants who maintain some
> > kind of relationship with the organization as employees, partners,
> > customers or suppliers.
>
> We have to talk about this some more....it appears that just about any
> interested party can become an RA for Firmaprofesional, but this isn't
> an easy task at all. How are those RAs trained, data handled and
> archived, verifications performed and, according to the above, audited?
> Aren't those RAs basically asserting their own information? Which
> assurances do relying parties have about those 70+ RAs performing these
> CA specific tasks?

I do not understand the last question. Which CA specific tasks are
the RAs performing?
Of course there is an in-person training and an immediate audit after
training, regarding the three former domains: PRO, SEL, SEF.

Each RA is responsible for archiving in a secure manner the
documentation gathered during the registration process. The audit covers
this issue, asking for documentation related to a randomly selected
certificate.

Verifications are performed according to the CPS and the points discussed
above.

Thanks for your comments!

> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org

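The reply above says e-mail control is established "on a challenge/response basis" without detailing it. The following is an added example in Python of one way an RA can implement such a check; it is not Firmaprofesional's code, and everything in it is an assumption: the 160-bit mailed code, the HMAC binding of the code to the request ID and address, the 24-hour validity window, one-shot use, and the in-memory outbox and clock used in place of SMTP and wall time so that it runs offline. The address x@acme.com and request IDs are constructed.

```python
"""Challenge/response verification of control over an e-mail address (added example).

The RA mails a random, time-limited code to the address that will appear in the
certificate and accepts the request only if that code comes back for the same
request and address, unexpired and unused. Only an HMAC of the code is stored.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

TTL_SECONDS = 24 * 3600       # assumed policy value: how long a mailed code stays valid


@dataclass
class Challenge:
    email: str
    code_mac: bytes           # HMAC(secret, request_id | email | code); the code itself is not kept
    expires_at: float
    used: bool = False


class EmailControlValidator:
    def __init__(self, server_secret: bytes, send_mail: Callable[[str, str], None],
                 now: Callable[[], float] = time.time):
        self._secret = server_secret
        self._send = send_mail            # injectable delivery (SMTP in production)
        self._now = now                   # injectable clock, so expiry can be tested
        self._pending: Dict[str, Challenge] = {}

    def _mac(self, request_id: str, email: str, code: str) -> bytes:
        msg = f"{request_id}\n{email.lower()}\n{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, request_id: str, email: str) -> None:
        """Generate a 160-bit code, bind it to the request and address, mail it."""
        code = secrets.token_urlsafe(20)
        self._pending[request_id] = Challenge(email, self._mac(request_id, email, code),
                                              self._now() + TTL_SECONDS)
        self._send(email, f"Certificate request {request_id}: reply with code {code}")

    def verify(self, request_id: str, email: str, code: str) -> bool:
        """True only for a fresh, unused challenge for this request and this address."""
        ch = self._pending.get(request_id)
        if ch is None or ch.used or self._now() > ch.expires_at:
            return False
        if ch.email.lower() != email.lower():
            return False
        ok = hmac.compare_digest(ch.code_mac, self._mac(request_id, email, code))
        if ok:
            ch.used = True                # one-shot: a replayed code is rejected
        return ok


def run_demo() -> Dict[str, bool]:
    """Exercise the validator with a constructed outbox and a controllable clock."""
    outbox = []                           # (recipient, body) pairs instead of SMTP
    clock = {"t": 1_285_000_000.0}        # constructed epoch time (Sep 2010)
    v = EmailControlValidator(b"ra-server-secret",
                              lambda to, body: outbox.append((to, body)),
                              now=lambda: clock["t"])
    v.issue("req-1", "x@acme.com")
    recipient, body = outbox[-1]
    code = body.rsplit("code ", 1)[1]     # what the subscriber would paste back
    results = {
        "mailed_to_subject_address": recipient == "x@acme.com",
        "wrong_code_rejected": not v.verify("req-1", "x@acme.com", "AAAA"),
        "other_address_rejected": not v.verify("req-1", "y@acme.com", code),
        "correct_code_accepted": v.verify("req-1", "X@acme.com", code),
        "replay_rejected": not v.verify("req-1", "x@acme.com", code),
    }
    v.issue("req-2", "y@acme.com")
    code2 = outbox[-1][1].rsplit("code ", 1)[1]
    clock["t"] += TTL_SECONDS + 1         # let the second challenge expire
    results["expired_rejected"] = not v.verify("req-2", "y@acme.com", code2)
    return results


if __name__ == "__main__":
    print(run_demo())
```

The checks that matter for an RA are the ones the demo exercises: the code must be unguessable, bound to both the request and the address (so a code mailed to one address cannot vouch for another), time-limited, and unusable a second time.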
Eddy Nigg

Sep 16, 2010, 6:32:24 PM
to mozilla-dev-s...@lists.mozilla.org
On 09/15/2010 02:44 PM, From chemalogo:

> Regarding this issue I would like to remark the following:
> - There are TWO complementary controls. One Organizational and one
> Technical.
> - The legal enforcement is linked to the organizational control since
> a contract is signed by a representative of the company.
> - As far as we operate with Network Solutions we haven’t found any
> problem
> - And finally, as we stated on 30/06/2010, we would like to clarify
> that the sole and only RA that can issue SSL (and Code-signing)
> certificates it is Firmaprofesional itself and no other RA.

I don't know what your name is, but your response is well thought out and
mostly satisfies my questions, and especially the above removes most
concerns. However, where can I read in the policy that Firmaprofesional
is the only RA performing the validations for web server and code
signing certificates?

Regarding verifying the WHOIS data, I suggest not to rely on Network
Solutions web site (for various reasons), instead use the relevant
authoritative WHOIS server which you can find here for every TLD (as far
as they exist, otherwise web based search):
http://www.iana.org/domains/root/db/

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org

ramirom

Sep 20, 2010, 6:45:53 AM
to mozilla-dev-s...@lists.mozilla.org
Hi

I have reviewed the above information about Firmaprofesional and I find no
problems.
I am a CICA Auditor and I know Firmaprofesional well since I have been
involved, long time ago, in setting up this project.
Firmaprofesional is a well known Spanish CSP recognized by the Spanish
Public Administration.

Regards

Kurt Seifried

Sep 20, 2010, 2:44:42 PM
to ramirom, mozilla-dev-s...@lists.mozilla.org
If this counts as one of the two "ok no problem" emails I'll be highly
amused (no name, and hardly objective from the sounds of it).

-Kurt

On Mon, Sep 20, 2010 at 4:45 AM, ramirom <ramiro...@gmail.com> wrote:
> Hi
>
> I have reviewed the above information about Firmaprofesional and I find no
> problems.
> I am a CICA Auditor and I know Firmaprofesional well since I have been
> involved, long time ago, in setting up this project.
> Firmaprofesional is a well known Spanish CSP recognized by the Spanish
> Public Administration.
>
> Regards

--
Kurt Seifried
ku...@seifried.org
tel: 1-703-879-3176

Kathleen Wilson

Sep 20, 2010, 4:02:29 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/20/10 11:44 AM, Kurt Seifried wrote:
> If this counts as one of the two "ok no problem" emails I'll be highly
> amused (no name, and hardly objective from the sounds of it).

I did some searching, and I was not able to identify who the reviewer is
and if their opinion is objective.

Would at least one other person please review and comment on this request?

I have added the following to
https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
--
Note: If you have not contributed to a discussion before, wait no more!
The more you contribute to discussions, the more you establish yourself
as a knowledgeable and objective reviewer. Then when there is a request
that you are particularly interested in providing feedback on, your
contributions will be even more effective. Additionally, if you are a CA
with a request in the queue, participating in other discussions is a
great way to learn the expectations and be prepared for the discussion
of your request.
--

Thanks,
Kathleen

chemalogo

Sep 22, 2010, 12:42:11 PM
to mozilla-dev-s...@lists.mozilla.org
On Sep 17, 12:32 am, Eddy Nigg <eddy_n...@startcom.org> wrote:
> I don't know what your name is, but your response is well thought out and
> mostly satisfies my questions, and especially the above removes most
> concerns. However, where can I read in the policy that Firmaprofesional
> is the only RA performing the validations for web server and code
> signing certificates?
>
> Regarding verifying the WHOIS data, I suggest not to rely on Network
> Solutions web site (for various reasons), instead use the relevant
> authoritative WHOIS server which you can find here for every TLD (as far
> as they exist, otherwise web based search):
> http://www.iana.org/domains/root/db/

First of all, thanks for your comments and suggestions.

My name is Chema López González (my "Internet ID", chemalogo), and I
am a CISA (Certified Information Systems Auditor), managing partner at
isigma (www.isigma.es) and Telecom Engineer
(http://www.linkedin.com/in/chemalogo).

We really appreciate your comments, so we will include them in the next
Certification Policy.

Now I'm going to attach the proposed version to the bug and in a few
days, after revision by the Policy Authority, it will be publicly
available.

Here you can read an excerpt of the document changes:

"Request can only be managed by Firmaprofesional RA.

Subject to the provisions of the relevant Certification Practices
Statement (CPS) of Firmaprofesional, to ensure that a requesting
entity has control over the domain (URL) claiming to be included in a
certificate, Firmaprofesional RA uses two types of checks:

** Organizational: requesting ownership of the domain name, certified
by a legal representative of the organization.

** Technical: The following authenticated WHOIS services are queried:
o For domains “*.es”: https://www.nic.es/sgnd/dominio/publicInformacionDominios.action
o For the rest of domains:
- A query to http://www.iana.org/domains/root/db/, to find out
who is the authoritative WHOIS service
- A query to the corresponding WHOIS service
"

Thanks,

Chema.

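The two-step lookup in the excerpt above (ask IANA which WHOIS server is authoritative for the TLD, then query that server), which is also what Eddy suggested earlier in the thread, as an added example in Python. This is not Firmaprofesional's or Mozilla's code. It queries whois.iana.org over port 43, which carries the same per-TLD data as the root database page the excerpt cites, follows one registrar referral for thin registries such as .com, and then compares the WHOIS registrant organisation with the organisation named in the request, which puts the excerpt's organisational and technical controls side by side. The .es web form the excerpt names is not used; .es is treated like any other TLD here, which is an assumption. Every server name except whois.iana.org, all sample responses, and the domain and organisation names are constructed so the check runs offline.

```python
"""Authoritative WHOIS lookup for a domain-ownership check (added example, not a CA's code).

Flow: IANA -> TLD's WHOIS server -> (one registrar referral at most) -> registrant,
then compare the registrant organisation with the organisation in the request.
The transport is injectable so the module runs offline against constructed data.
"""
import re
import socket
from typing import Callable, Dict, Optional, Tuple

IANA_WHOIS = "whois.iana.org"   # port-43 view of http://www.iana.org/domains/root/db/
REGISTRANT_KEYS = ("registrant organization", "registrant organisation",
                   "registrant name", "registrant")
QueryFn = Callable[[str, str], str]


def whois_query(server: str, query: str, timeout: float = 10.0) -> str:
    """Plain RFC 3912 WHOIS: TCP/43, send query + CRLF, read until the server closes."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(query.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_fields(text: str) -> Dict[str, str]:
    """'Key: value' lines -> dict (first wins, keys lower-cased); %, # and >>> lines skipped."""
    fields: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if sep and key and value and key not in fields:
            fields[key] = value
    return fields


def authoritative_server(domain: str, query: QueryFn = whois_query) -> Optional[str]:
    """WHOIS server IANA lists for the domain's TLD, or None if IANA lists none."""
    tld = domain.rstrip(".").rsplit(".", 1)[-1].lower()
    return parse_fields(query(IANA_WHOIS, tld)).get("whois")


def lookup_registrant(domain: str, query: QueryFn = whois_query
                      ) -> Tuple[Optional[str], Optional[str]]:
    """Return (server that answered, registrant), following one registrar referral at most."""
    server = authoritative_server(domain, query)
    if server is None:
        return None, None
    fields = parse_fields(query(server, domain))
    referral = fields.get("registrar whois server")
    if (referral and referral.lower() != server.lower()
            and not any(k in fields for k in REGISTRANT_KEYS)):
        server, fields = referral, parse_fields(query(referral, domain))
    for key in REGISTRANT_KEYS:
        if key in fields:
            return server, fields[key]
    return server, None


def normalise_org(name: str) -> str:
    """Case-fold and drop punctuation so 'Ejemplo, S.A.' compares equal to 'EJEMPLO SA'."""
    cleaned = re.sub(r"[^a-z0-9 ]+", " ", name.lower().replace(".", ""))
    return " ".join(cleaned.split())


def check_domain_control(domain: str, claimed_org: str, query: QueryFn = whois_query) -> dict:
    """Technical control: does the WHOIS registrant match the organisation in the request?"""
    server, registrant = lookup_registrant(domain, query)
    matches = registrant is not None and normalise_org(registrant) == normalise_org(claimed_org)
    return {"domain": domain, "whois_server": server, "registrant": registrant, "matches": matches}


# Constructed sample responses (not real WHOIS output) so the check runs offline.
SAMPLE_RESPONSES = {
    ("whois.iana.org", "es"): "% IANA WHOIS server\ndomain:       ES\norganisation: Red.es\n"
                              "whois:        whois.nic.es\nstatus:       ACTIVE\n",
    ("whois.nic.es", "ejemplo.es"): "Domain Name: ejemplo.es\nRegistrant Organization: Ejemplo, S.A.\n",
    ("whois.iana.org", "com"): "% IANA WHOIS server\ndomain:       COM\nwhois:        whois.verisign-grs.com\n",
    # thin registry record: no registrant, only a referral to the registrar
    ("whois.verisign-grs.com", "acme.com"): "   Domain Name: ACME.COM\n"
                                            "   Registrar WHOIS Server: whois.registrar.example\n"
                                            ">>> Last update of whois database: 2010-09-22T00:00:00Z <<<\n",
    ("whois.registrar.example", "acme.com"): "Domain Name: ACME.COM\nRegistrant Organization: ACME Corp\n",
    ("whois.iana.org", "nowhois"): "% IANA WHOIS server\ndomain:       NOWHOIS\nstatus:       ACTIVE\n",
}


def sample_query(server: str, query: str) -> str:
    """Offline transport serving the constructed responses above."""
    return SAMPLE_RESPONSES[(server, query.lower())]


if __name__ == "__main__":
    for dom, org in (("ejemplo.es", "EJEMPLO SA"), ("acme.com", "Acme Corp"), ("acme.com", "Evil Ltd")):
        print(check_domain_control(dom, org, sample_query))
```

WHOIS output is free text and differs per registry, so the field names, comment markers and single referral hop above cover the common shapes but a production check needs per-registry parsing, and a privacy-proxy or registrar-held registrant should count as a non-match, not a match; a TLD with no WHOIS server listed by IANA falls back to the web-based search the excerpt mentions.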
Kathleen Wilson

Sep 22, 2010, 1:44:24 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/20/10 1:02 PM, Kathleen Wilson wrote:
> On 9/20/10 11:44 AM, Kurt Seifried wrote:
>> If this counts as one of the two "ok no problem" emails I'll be highly
>> amused (no name, and hardly objective from the sounds of it).
>
> I did some searching, and I was not able to identify who the reviewer is
> and if their opinion is objective.
>

I have to retract that statement now. I have found that
ramiro...@gmail.com has participated in previous discussions. I don't
know why his name, Ramiro Muñoz Muñoz, didn't show up as the sender this
time. While this particular email address is not the usual email address
that I use to communicate with him, it is one that he has used for
m.d.s.policy discussions in the past. This is indeed someone whom I have
worked with on previous requests, and who can be counted as a
knowledgeable and objective reviewer for this Firmaprofesional root
inclusion request.

Ramiro, I apologize for not realizing before that this request was from you.

Kathleen

Kathleen Wilson

Sep 22, 2010, 2:06:41 PM
to mozilla-dev-s...@lists.mozilla.org

The updated SSL CP is here:
https://bugzilla.mozilla.org/attachment.cgi?id=477539

The changes mentioned are on page 7, in section 4.1.a.

Kathleen

Kathleen Wilson

Sep 24, 2010, 12:59:35 PM
to mozilla-dev-s...@lists.mozilla.org
On 8/27/10 3:35 PM, Kathleen Wilson wrote:
> Firmaprofesional has applied to add the “Autoridad de Certificacion
> Firmaprofesional CIF A62634068” root certificate, and to enable all
> three trust bits.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=521439
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#Firmaprofesional
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=464156
>

Thank you to those of you who have reviewed and commented on this
request from Firmaprofesional to add the “Autoridad de Certificacion
Firmaprofesional CIF A62634068” root certificate, and to enable all
three trust bits.

This discussion resulted in an update to Firmaprofesional’s SSL CP in
regards to the following two things. The proposed updated SSL CP is
attached to the bug.
https://bugzilla.mozilla.org/attachment.cgi?id=477539

1) Clarify that Firmaprofesional is the only RA performing the
validations for web server and code signing certificates that are signed
by intermediate CAs of this root.

2) Provide more information about how the Firmaprofesional RA verifies
ownership of the domain name to be included in the certificate.

There is one action item resulting from this discussion, which is for
Firmaprofesional to publish a new version of their SSL CP with these
changes.

I propose to close this discussion, recommend approval, and track the
action item in the bug.

Kathleen

Kathleen Wilson

Sep 27, 2010, 6:29:57 PM
to mozilla-dev-s...@lists.mozilla.org
On 9/24/10 9:59 AM, Kathleen Wilson wrote:
> On 8/27/10 3:35 PM, Kathleen Wilson wrote:
>> Firmaprofesional has applied to add the “Autoridad de Certificacion
>> Firmaprofesional CIF A62634068” root certificate, and to enable all
>> three trust bits.
>>
>> The request is documented in the following bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=521439
>>
>> And in the pending certificates list here:
>> http://www.mozilla.org/projects/security/certs/pending/#Firmaprofesional
>>
>> Summary of Information Gathered and Verified:
>> https://bugzilla.mozilla.org/attachment.cgi?id=464156
>>
>

Again, thank you to those of you who have reviewed and commented on this
root inclusion request.

As a result of this discussion, Firmaprofesional has updated their SSL
CP to further clarify their verification process for SSL and code
signing certificates.

The remaining action item is for Firmaprofesional to publish their
updated SSL CP with these changes. This action item will be tracked in
the bug.

This concludes the public discussion about Firmaprofesional’s request to
add the “Autoridad de Certificacion Firmaprofesional CIF A62634068” root
certificate, and to enable all three trust bits.

I will post my recommendation for approval of this request in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=521439

All follow-ups on this request should be posted directly in the bug.

Thank you to all of you who have participated in this discussion.
Kathleen
