On November 17, 2020, the public discussion period [Step 4 of the Mozilla
Root Store CA Application Process
<
https://wiki.mozilla.org/CA/Application_Process>] began on FNMT’s
inclusion request.
*Summary of Discussion and Completion of Action Items [Steps 5-8]:*
On November 18, 2020, FNMT clarified that it is audited to both ETSI EN 319
411-2 and ETSI 319 411-1.
Also, on that day, a comment was received with the following observations:
(1) certificate profiles could not be located for review - as indicated
subsequently in the thread, FNMT provided links to the certificate profiles
for end entity certificates;
(2) cross-references to a document called the “DGPC” were difficult to
follow - an overall comment was that FNMT’s Certification Practices
Statement (CPS) was confusing with its numerous cross-references to its
DGPC (CPS for its Root CA). FNMT republished its CPS with these
cross-references removed and replaced them with applicable text. There
were also references to the "DPPP" (FNMT’s CPS), which were replaced by
“CPS”;
(3) there were numerous observations about the CPS (e.g. it lacked a
commitment to communicate back to third parties within 24 hours of
receiving a Certificate Problem Report, etc.) - see
https://groups.google.com/g/mozilla.dev.security.policy/c/T5bYrPznCXQ/m/Rv4ddGh6BQAJ,
and the subsequent response from FNMT, and my similar summary of these
issues in this thread; and
(4) a final suggestion was “[to] have them compare [the CPS] side-by-side
with the BR, and have it at least document their commitment to each of the
baseline requirements explicitly in their CPS”. FNMT responded, “We have
updated a new BRs Self-Assessment document with CPS v1.6:
https://bug1559342.bmoattachments.org/attachment.cgi?id=9189942”. I
believe that the BR self-assessment serves this purpose.
This is notice that I am closing public discussion [Step 9] and that it is
Mozilla’s intent to approve FNMT's request for inclusion [Step 10].
This begins a 7-day “last call” period for any final objections.
Thanks,
Ben
On Wed, Dec 9, 2020 at 12:09 PM Ben Wilson <
bwi...@mozilla.com> wrote:
> Just a reminder - today, the public discussion period will close and then
> I'll be preparing a summary of the discussion. In addition to reviewing
> FNMT's response of 27-November, I also reviewed the CPS v. 1.6 and make the
> following observations:
> Matthias van de Meent wrote:
>
> I'm having trouble finding the end entity certificate profiles in this CPS.
> According to the CPS s7.1.2, they are supposed to be available at
>
http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository [0]
> of which the only english-language document [1] does not contain any end
> entity certificate profiles, but only the root and ICA profiles in
> attachments. Similarly, I cannot find the CPS you linked in their
> repository.
>
> I noticed that the CPS defers a great amount of sections (section 5, 6.2,
> 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which probably
> is [1] but that is never explicitly confirmed in the CPS - there is no
> explicit link to any repository in section 1.6.1 where the acronym is
> defined, nor are there any other indications that this DGPC is located in
> the repository under the link of [0]. This is confusing, and detrimental
> to the readability of the document.
>
> I noticed that the acronym "DPPP" has been replaced with "CPS" and that
> language from the "DGPC" has been copied into the CPS.
>
> CPS s4.9.2 and s1.5.2 both mention that third parties may send certificate
> problem reports, and select parties may send revocation requests, which
> is great; but I cannot find a commitment to communicating a preliminary
> report within 24 hours to the reporter as stipulated by BR 4.9.5.
>
> CPS section 4.9.5 now states that "Within 24 hours after receiving a CPR,
> the CA will investigate the facts and circumstances related to the CPR and
> provide a preliminary report to both the Subscriber and the entity who
> filed the CPR."
>
> CPS / DGPC s5.2.2 includes by reference an internal policy, which may or
> may not comply with the "at least dual control for CA private key backup/storage/recovery"
> requirement of BR 5.2.2.
>
> CPS section 5.2.2 now states, "The FNMTs Private Key are backed up,
> stored, and recovered only by personnel in trusted roles using, at least,
> dual control in a physically secured environment."
>
> CPS / DGPC s5.3.1 only guarantee the "experience and knowledge", not the
> "trustworthiness and identity" of the operators.
>
> CPS section 5.3.1 now states, "These requirements are guaranteed by the
> corresponding criteria in the personnel selection processes, verifying the
> identity and trustworthiness of such person and that the employee's
> professional profile is as appropriate as possible to the characteristics
> of the tasks to be developed. The trustworthiness and suitability of the
> assigned trusted roles are reviewed periodically."
>
> CPS / DGPC s5.3.3 does not provide information on the specific topics that
> are SHALL-qualified in BR s5.3.3. This same can be said about s5.3.4 and
> s5.3.7.
>
> As noted by FNMT, these sections now reference its Annual Training Plan,
> the periodicity of its revision and the verification of compliance of the
> required experience and knowledge in case of hiring independent contractors
> for trusted duties.
>
> CPS / DGPC s5.4.1 does definately not mention logging rejection/acceptance
> of certificate requests (BR s5.4.1(1)(3)), and probably also doesn't
> cover some other parts, but the language is very opaque (i.e. unclear). ...
> looks further ... those specific events are apparently included in 5.5.1
> Types of Records Archived (?)
>
> Subsections a) and b) in section 5.4.1 now mention "Approval and rejection
> of certificate requests".
>
> CPS / DGPC s5.4.3 does not comply with BR 5.4.3: Audit log retention of
> 15 years is not enough to cover the CA certificate event record log retention
> timespan of 2 years past the latest of 1.) the destruction of the CA
> private key, and 2.) the revocation or expiration of the final CA
> certificate of that private key. Unless of course you expect to revoke
> the root and destroy the CA keys within 13 years after creation.
>
> As noted, BR section 5.4.3 only requires retention for two years after
> expiration. As now worded in the CPS (with 15-year retention), the BRs are
> satisfied.
>
> CPS / DGPC s6.1.1.1 (CA Key Pair Generation) fails to include the procedure
> with which CA keys are generated. More specifically, the current
> implication is that the auditor could not be witness of the CA key
> generation ceremony, nor have seen any evidence other than the report,
> and sign this report. This fails to apply BR 6.1.1.1(1) items 2 and 3,
> and BR 6.1.1.1(2)(2). The procedure included by reference is not
> accessible [3] and may add requirements, but those requirements need not
> meet the baseline of the BR.
>
> CPS Section 6.1.1.1 now specifies, "Following this procedure, the FNMT-RCM
> will prepare and follow a Key Generation Script, have a Qualified Auditor
> witness the CA Key Pair generation process, and have a Qualified Auditor
> issue a report opining that the CA followed its key ceremony during its Key
> and Certificate generation process and the controls used to ensure the
> integrity and confidentiality of the Key Pair."
>
> CPS s6.2 points to a section s6.2 in the DGPC, which is blank. Therefore,
> I'm missing the documentation on that the CA is committed to securing the
> CA private key material in a BR-compliant manner.
>
> Section 6.2 now states, "FNMT-RCM shall protect its Private Key(s) in
> accordance with the provisions of this CPS and in a compliance with
> CA/Browser Forum's Baseline Requirements"
>
> CPS / DGPC s6.2.4 does not apply the requirements of BR 6.2 nor 5.2.2 to
> their private key backup procedure.
>
> Section 6.2.4 of the CPS now states, "Backup copies of CA Private Keys
> shall be backed up by multiple persons in Trusted Role position sand only
> be stored in encrypted form on cryptographic modules that meet the
> requirements specified in Section 6.2.1."
>
> CPS delegates s6.2.5 fully to the DGPC, but that s6.2.5 requires the CPS
> to at least specify a maximum number of copies of the private key, which
> is not specified.
>
> Section 6.2.5 now states, "Only the FNMT-RCM may make a backup of the
> Private keys, guaranteeing that the security level of the copied data is at
> least equal to that of the original data and that the number of data
> duplicated does not exceed the minimum necessary to assure service
> continuity. The Signature creation data are not duplicated for any other
> purpose."
>
> CPS / DGPC s6.2.6 has the interesting construction "Consequently, the Keys
> cannot be transferred, although there is a recovery procedure", which
> implies a procedure to extract and transfer keys exists.
>
> CPS Section 6.2.6 now states, "The Certification Authorities’ Private keys
> are generated as described in point “6.1 Key generation and installation”.
> In the event that a Private Key is to be transported from one Cryptographic
> Module to another, the Private Key must be encrypted during transport.
> Private Keys must never exist in plain text form outside the Cryptographic
> Module boundary."
>
> CPS / DGPC s6.2.7 fails to commit FNMT to using devices meeting FIPS 140
> level 3 or higher (as that is apparently located in DGPC 6.2.1 and 6.2.8
> (?))
>
> Section 6.2.7 now states, "Root CA private keys of the FNMT-RCM are
> generated and stored inside cryptographic modules which meet the
> requirements of 6.2.1 of this CPS"
>
> CPS / DGPC does not mention "factor" or "2fa" according to my search, even
> though BR 6.5.2 specifies 'The CA SHALL enforce multi-factor authentication
> for all accounts capable of directly causing certificate issuance.".
>
> Section 6.5.1 now states, "The FNMT-RCM shall enforce multi-factor
> authentication for all accounts capable of directly causing certificate
> issuance."
>
> ... skipped over similar issues in 7: failure to document a commitment to
> the relevant sections of the BR ... skipped over similar issues in 8:
> failure to document a commitment to the relevant sections of the BR
>
> FNMT indicated "Sections 7 and 8 have been reviewed and more detailed
> information has been included in CPS v.1.6 sections 7.1.2, 8, 8.1, and 8.5.
> "
>
>
>
> On Fri, Dec 4, 2020 at 12:40 PM Santiago Brox via dev-security-policy <
>
dev-secur...@lists.mozilla.org> wrote:
>
>> El viernes, 4 de diciembre de 2020 a las 18:20:41 UTC+1, Matthias van de
>> Thanks Matthias. We will work with the web content management team to
>> evaluate possible improvements in the distribution of our CPSs site.