
Certum Root Renewal Request


Kathleen Wilson

Oct 1, 2015, 6:45:05 PM
to mozilla-dev-s...@lists.mozilla.org
Unizeto Certum has applied to include the “Certum Trusted Network CA 2”
root certificate, turn on all three trust bits, and enable EV treatment.
This is the next generation of the “Certum Trusted Network CA” root cert
that was included via bug #532377.

Certum is an organizational unit of Unizeto Technologies SA, providing
certification services related to electronic signatures. It is the
oldest public, commercial certification authority in Poland; operating
on a global scale - serving customers in over 50 countries worldwide.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=999378

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8644683

Noteworthy points:

* Documents are provided in Russian and English.

Document Repository: http://www.certum.eu/certum/179898.xml
CP:
http://www.certum.eu/upload_module/wysiwyg/certum/cert_doc/pc_nuc/CCP-DK02-ZK01_Certification_Policy_of_CERTUM_Certification_Services_v3_4_1.pdf
CPS:
http://www.certum.eu/upload_module/wysiwyg/certum/eu/documents/CCP-DK02-ZK02_Certification_Practice_Statement_v3_9.pdf

* CA Hierarchy
CPS section 1.3.1: authorities subordinate to Certum Trusted Network CA:
- Certum Class 1 CA, -- TEST CERTS
- Certum Class 1 CA SHA2, -- TEST CERTS
- Certum Code Signing CA,
- Certum Code Signing CA SHA2,
- Certum Domain Validation CA SHA2,
- Certum Organization Validation CA SHA2,
- Certum Extended Validation CA,
- Certum Extended Validation CA SHA2,
- Certum Global Services CA SHA2.

* This request is to turn on all three trust bits, and to enable EV
treatment.

** CP section 2.1: DV certificates are issued for two separate groups:
as free test certificates with a shorter validity period, and as
standard certificates with full usage. Certificates of the first group
are issued by the intermediate authorities Certum Level I CA, Certum
Class 1 CA and Certum Class 1 CA SHA2. The second group of standard
certificates are issued by the Certum Level II CA and Certum Domain
Validation CA SHA2 authorities.
Test certificates are intended mainly for the application or device test
performance prior to purchasing final certificate. DV certificates are
issued for all types of applications: securing electronic
correspondence, encrypting binary objects and protecting data transmission.
CERTUM verifies all data provided by subscriber in the certification
process. The verification covers: a domain name, an email address,
contact details and the name of private person or representative of the
legal entity. Detailed information on identity verification requirements
are described in [the CPS]

** CPS section 3.2.2: CERTUM must confirm that the organization whose
name is in the content of the certificate actually existed at the time
of issuing the certificate.
The verification is performed based on Qualified Independent/Government
Information Sources, e.g. publicly available records of
companies/organizations registries.

There are two basic ways of legal entity’s identity authentication. The
first one requires the legal entity’s authorized representative’s
personal attendance in the registration authority, or the registration
authority representative’s presence in person in the legal entity’s seat
(specified in the application). In the second case, the identity can be
authenticated on-line by means of messages exchanged directly with the
certification authority or its agent.

The registration authority is committed to verify the correctness and
truthfulness of all data provided in an application. In the case of EV
SSL certificates additional procedure shall be applied according to
Guidelines for the Issuance and Management of Extended Validation
Certificates requirements.

In the case of email certificates, the registration authority verifies
the email address. The aim of this action is for the subscriber to
receive authentication data sent to the address previously placed in
the certification request.

** CPS section 3.2.5: In the case where a certificate request contains
the name of the organization (O), this should be interpreted as the
person requesting the certificate being affiliated with or authorized
to act on behalf of the organization. This means that CERTUM verifies
that the individual requesting the certificate was an employee of the
organization or its subcontractor at the time of issuance of the
certificate and has the right to act on behalf of the organization; the
scope of authorization and the period of validity may be regulated by
separate legislation or by the relying party in the course of verifying
a digital signature or decrypting the received document, and is outside
the scope of liability of CERTUM; the individual's identity and
authorization may be checked by CERTUM on the basis of available
records or databases, or by contacting the organization by phone or
e-mail.

** CPS section 3.2.6: For all SSL certificates, authentication of the
Applicant’s ownership or control of all requested Domain Name(s) is done
using one of the following methods:
- by uploading file with the specified name to the root directory of the
domain;
- by uploading specific metadata to the main page on the domain;
- by uploading specific metadata to the DNS text record of the domain;
- by direct confirmation with the contact listed by the Domain Name
Registrar in the WHOIS record or provided to CERTUM by the Domain Name
Registrar directly;
- by successfully replying to a challenge response email sent to one or
more of the following email addresses: owebm...@domain.com,
postmaster@domain, ad...@domain.com, admini...@domain.com,
hostm...@domain.com.
CERTUM only uses the WHOIS records linked to on the IANA root database
and the ICANN approved registrars.

* EV Policy OID: 2 1.2.616.1.113527.2.5.1.1

* Root Cert URL: https://bugzilla.mozilla.org/attachment.cgi?id=8614648

* Test Website: https://valid-certum-ctncav2.certificates.certum.pl/

* CRL: http://crl.certum.pl/evca2.crl
http://crl.certum.pl/ctnca2.crl

* OCSP: http://evca2.ocsp.certum.pl/
http://subca.ocsp-certum.com/
OCSP response is valid for 7 days.

* Audit: Certum is audited annually by Ernst & Young according to the
Webtrust audit criteria.
https://cert.webtrust.org/SealFile?seal=1901&file=pdf
https://cert.webtrust.org/SealFile?seal=1903&file=pdf
https://cert.webtrust.org/SealFile?seal=1902&file=pdf

* Potentially Problematic Practices – none noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from Certum to include the
“Certum Trusted Network CA 2” root certificate, turn on all three trust
bits, and enable EV treatment.

At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.

Kathleen
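The domain-control methods listed above from CPS section 3.2.6 (file in the domain's root directory, token in a DNS TXT record, challenge e-mail to a constructed address) all reduce to the same two checks: the evidence must carry an unpredictable per-request token, and it must be observed at the requested name or at one of its parent domains, never at an unrelated name. The following is an added illustration of those checks written for this post; it is not Certum's code. The permitted e-mail local parts are assumed to be the constructed addresses the CA/Browser Forum Baseline Requirements allow (admin, administrator, webmaster, hostmaster, postmaster), the TXT record format `certum-validation=<token>` is an assumption, the "registrable domain is the last two labels" rule is a simplification (a real CA uses the Public Suffix List), and the DNS records and fetched file bodies are constructed inputs standing in for live lookups.

```python
"""Domain-control validation checks, added to illustrate CPS 3.2.6 (not
Certum's code). DNS answers and HTTP bodies are supplied by the caller so
the module runs offline."""
import hmac
import secrets
from typing import Dict, List, Optional

# Assumption: constructed local parts permitted for the challenge e-mail,
# matching the CA/Browser Forum Baseline Requirements list.
PERMITTED_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)

# Assumption: the registrable domain is the last two labels. A real CA must
# consult the Public Suffix List ("example.co.uk" has three labels).
MIN_LABELS = 2


def normalize(name: str) -> str:
    """Lower-case and strip surrounding whitespace and a trailing dot."""
    return name.strip().rstrip(".").lower()


def authorization_domains(fqdn: str) -> List[str]:
    """Names at which control of `fqdn` may be demonstrated: the FQDN itself
    and each parent down to the registrable domain, most specific first."""
    labels = normalize(fqdn).split(".")
    if len(labels) < MIN_LABELS or any(not label for label in labels):
        raise ValueError(f"not a valid FQDN: {fqdn!r}")
    return [".".join(labels[i:]) for i in range(len(labels) - MIN_LABELS + 1)]


def new_challenge_token() -> str:
    """Unpredictable per-request token (the 'specific metadata')."""
    return secrets.token_urlsafe(32)


def email_is_acceptable(address: str, fqdn: str) -> bool:
    """The challenge e-mail may only be sent to a permitted local part at one
    of the authorization domains of the requested name."""
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        return False
    return (local.lower() in PERMITTED_LOCAL_PARTS
            and normalize(domain) in authorization_domains(fqdn))


def dns_txt_validates(fqdn: str, token: str,
                      txt_records: Dict[str, List[str]]) -> bool:
    """The token must appear in a TXT record of an authorization domain.
    `txt_records` maps owner name -> TXT strings (constructed, stands in for
    a live lookup). Comparison is constant-time to avoid leaking the token."""
    expected = f"certum-validation={token}"  # record format is an assumption
    for name in authorization_domains(fqdn):
        for rdata in txt_records.get(name, []):
            if hmac.compare_digest(rdata.strip(), expected):
                return True
    return False


def http_file_validates(fqdn: str, token: str,
                        fetched_body: Optional[str]) -> bool:
    """A file under the domain's root directory must contain the token.
    `fetched_body` is what an HTTP GET of http://<fqdn>/<agreed path>
    returned (constructed here); None models a missing file and fails."""
    authorization_domains(fqdn)  # reject malformed names up front
    if fetched_body is None:
        return False
    return hmac.compare_digest(fetched_body.strip(), token)


if __name__ == "__main__":
    token = new_challenge_token()
    # Constructed zone data for the demo.
    zone = {"example.com": ["v=spf1 -all", f"certum-validation={token}"]}
    print("e-mail admin@example.com for www.example.com:",
          email_is_acceptable("admin@example.com", "www.example.com"))
    print("e-mail root@example.com for www.example.com:",
          email_is_acceptable("root@example.com", "www.example.com"))
    print("TXT at parent for www.example.com:",
          dns_txt_validates("www.example.com", token, zone))
```

The point the functions make explicit is the boundary: `admin@example.com` may validate `www.example.com`, but `admin@example.com.attacker.example` may not, and a token published at `attacker.example` proves nothing about `www.example.com` even though the token itself is correct.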

Kathleen Wilson

Oct 21, 2015, 3:28:39 PM
to mozilla-dev-s...@lists.mozilla.org
On 10/1/15 3:44 PM, Kathleen Wilson wrote:
> Unizeto Certum has applied to include the “Certum Trusted Network CA 2”
> root certificate, turn on all three trust bits, and enable EV treatment.
> This is the next generation of the “Certum Trusted Network CA” root cert
> that was included via bug #532377.
>

Does anyone have any comments, questions, or concerns about this request
from Unizeto Certum?

Kathleen


Peter Kurrasch

Oct 21, 2015, 6:35:48 PM
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Hi Kathleen, 

I recommend we not allow the code signing bit to be enabled for this root. Even though removing code signing is not yet official policy I don't think it makes much sense to activate it for this root if only to remove it a year later (or whatever the timeframe). It might be good to at least let Unizeto Certum know that the change is in the works. 

Speaking for myself, I'd be interested in knowing why they wanted code signing trust in the first place. Do they have specific customers or use-cases in mind or??? This could be a good learning opportunity, if there's anything that Unizeto Certum would like to share with the community.

  Original Message  
From: Kathleen Wilson
Sent: Wednesday, October 21, 2015 2:28 PM‎

On 10/1/15 3:44 PM, Kathleen Wilson wrote:
> Unizeto Certum has applied to include the “Certum Trusted Network CA 2”
> root certificate, turn on all three trust bits, and enable EV treatment.
> This is the next generation of the “Certum Trusted Network CA” root cert
> that was included via bug #532377.
>

Does anyone have any comments, questions, or concerns about this request
from Unizeto Certum?

Kathleen


_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

arkadiusz...@unizeto.pl

Nov 19, 2015, 1:22:49 PM
to mozilla-dev-s...@lists.mozilla.org
Hi

We've provided code signing certificates to our customers for many years. Also, at this time, the new root CTNCA 2 is going to be used for this purpose.
When it comes to a specific group of customers, I would say it appears that we don't have customers who need to use our root from the NSS root store for code signing purposes. It is possible that they exist but we do not know anything about it.

Therefore, we are not opposed to the removal of trust bits from our and other root certificates.

Yours Sincerely

Arkadiusz Ławniczak

Kathleen Wilson

Nov 19, 2015, 3:22:28 PM
to mozilla-dev-s...@lists.mozilla.org
Are there any further comments on this request, or is it OK to proceed
with recommending approve with the caveat that we are no longer turning
on the code signing trust bit for roots?

Thanks,
Kathleen

Kathleen Wilson

Dec 3, 2015, 7:01:10 PM
to mozilla-dev-s...@lists.mozilla.org
Please let me know if you need more time to review this request from
Unizeto Certum to include the “Certum Trusted Network CA 2” root
certificate, turn on the websites and email trust bits, and enable EV
treatment. This is the next generation of the “Certum Trusted Network
CA” root cert that was included via bug #532377.

Otherwise, I will assume everyone is OK with this request, and move
forward with recommending approval.

Thanks,
Kathleen

Kathleen Wilson

Dec 10, 2015, 12:09:03 PM
to mozilla-dev-s...@lists.mozilla.org
This discussion has been open for over two months, and only one concern
was raised (and resolved). Therefore, I am now closing this discussion
and will recommend approval of this request in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=999378

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen
