Step 6 of CA Application Process <https://wiki.mozilla.org/CA/Application_Process>: *Summary of Discussion and Resulting Decision:*
One commenter stated that it appeared that a few certificates were
misissued, i.e. that the stateOrProvinceName field (“S” field) should
probably be "Gyeonggi-do", as the "Seongnam-si" entered is a city. A
NAVER representative responded that it had fixed the DN structure, with L
equal to "Seongnam-si" as the city name and the S field equal to "Gyeonggi-do"
for the province name. NAVER also added a procedure, in compliance with ISO
3166-2, to put the province information correctly in the S field of the user
DN for newly issued certificates.
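The misissuance pattern described above (a city name in the stateOrProvinceName attribute) is easy to catch with a pre-issuance or post-issuance lint on the subject DN. The following is an added example, not code from NAVER, Mozilla or the discussion, that parses an RFC 4514 subject string and flags an ST value that is not an ISO 3166-2 subdivision name or that merely repeats the L value. The subdivision table is a constructed, partial excerpt of ISO 3166-2:KR, and the sample DNs are constructed; a real linter would load the full ISO 3166-2 list for every country it issues in.

```python
# Added example: subject DN lint for the "city in the S field" pattern.
# Not NAVER's or Mozilla's code. ISO 3166-2:KR table below is a partial,
# constructed excerpt (romanised subdivision names); sample DNs are constructed.
import re
from typing import List, Tuple

# Partial ISO 3166-2:KR subdivision names, lowercased for comparison.
KR_SUBDIVISIONS = {
    "seoul", "busan", "daegu", "incheon", "gwangju", "daejeon", "ulsan", "sejong",
    "gyeonggi-do", "gangwon-do", "chungcheongbuk-do", "chungcheongnam-do",
    "jeollabuk-do", "jeollanam-do", "gyeongsangbuk-do", "gyeongsangnam-do",
    "jeju-do",
}

# Map the attribute-type spellings seen in subject strings to one canonical key.
ATTR_ALIASES = {
    "S": "ST", "ST": "ST", "STATEORPROVINCENAME": "ST",
    "L": "L", "LOCALITY": "L", "LOCALITYNAME": "L",
    "C": "C", "COUNTRYNAME": "C",
    "O": "O", "ORGANIZATIONNAME": "O",
    "CN": "CN", "COMMONNAME": "CN",
}

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse an RFC 4514 string such as 'CN=a,ST=b\\, c,C=KR' into
    (type, value) pairs. Handles backslash escapes and single-byte
    '\\2C'-style hex escapes (ASCII only); ',' and '+' end a value."""
    pairs = []
    i, n = 0, len(dn)
    while i < n:
        eq = dn.find("=", i)
        if eq < 0:
            raise ValueError(f"malformed RDN near offset {i}")
        attr = dn[i:eq].strip().upper()
        j = eq + 1
        while j < n and dn[j] == " ":  # leading spaces before a value are not part of it
            j += 1
        buf = []
        while j < n and dn[j] not in ",+":
            ch = dn[j]
            if ch == "\\" and j + 1 < n:
                if HEX_PAIR.fullmatch(dn[j + 1:j + 3]):
                    buf.append(chr(int(dn[j + 1:j + 3], 16)))  # e.g. \2C -> ','
                    j += 3
                else:
                    buf.append(dn[j + 1])  # escaped special character, e.g. "\,"
                    j += 2
                continue
            buf.append(ch)
            j += 1
        pairs.append((ATTR_ALIASES.get(attr, attr), "".join(buf)))
        i = j + 1
    return pairs


def lint_subject(dn: str) -> List[str]:
    """Return findings for a subject DN; an empty list means nothing was flagged."""
    attrs = parse_dn(dn)
    values = lambda t: [v for k, v in attrs if k == t]
    findings = []
    st_values, l_values = values("ST"), values("L")
    if values("C") == ["KR"]:  # the constructed table only covers KR
        for v in st_values:
            if v.lower() not in KR_SUBDIVISIONS:
                findings.append(f"ST={v!r} is not an ISO 3166-2:KR subdivision name")
    for v in st_values:
        if v in l_values:
            findings.append(f"ST={v!r} repeats L; a city name was likely put in the province field")
    return findings


# Constructed sample subjects: the flawed shape and the corrected shape.
BEFORE = "C=KR,ST=Seongnam-si,L=Seongnam-si,O=Example Corp\\, Ltd.,CN=example.test"
AFTER = "C=KR,ST=Gyeonggi-do,L=Seongnam-si,O=Example Corp\\, Ltd.,CN=example.test"

if __name__ == "__main__":
    for label, dn in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_subject(dn) or "OK")
```

Run it and the flawed subject yields two findings while the corrected one is clean; the parser is the part worth keeping, since naive `split(",")` breaks on escaped commas in organisation names.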
A second commenter noted that: (1) wording in the CPS could allow NAVER to
avoid revoking problematic certificates by relying on Korean law; (2)
“relevant legislation” was not referenced in
sections 9.14 and 9.16.3 as required by BR section 9.16.3; and (3) the list
of events logged did not include "All verification activities" as required
by BR section 5.4.1(2).
Responses to the foregoing included the following: (1) a certificate not
revoked because of Korean law would be a BR violation and the CA would be
required to previously disclose this according to BR section 9.16.3 (the
conflicting requirement could be modified “to the minimum extent necessary
to make the requirement valid and legal” and the CA would have to notify
the CA/Browser Forum of such practice change so that the Forum could react
appropriately). NAVER also stated, “we found that there are no South Korea’s
laws and regulations which affect or refuse the revocation of certificates
that violated the BRs issued by a commercial CA”. (2) A third commenter
stated, “Note that, in this case, the particular language you're concerned
about is part of the BRs themselves, in 4.9.5. However, this is about
‘when’ to revoke. I think you raise an interesting point that would
benefit from clarification from NAVER, because I think you're correct that
we should be concerned that the shift from ‘when’ to revoke has become
‘whether’ to revoke, and that is an important difference.” As a result of
these comments, NAVER amended sections 4.9.5, 9.14, and 9.16.3.
Section 4.9.5 of the NAVER CPS now reads, “The period from receipt of the
Certificate Problem Report or revocation-related notice to published
revocation must not exceed the time frame set forth in Section 4.9.1.1. The
date selected by NAVER Cloud will consider the following criteria: …
Relevant legislation.”
Section 9.14 of the NAVER CPS now states, “This CPS is governed, construed
and interpreted in accordance with the laws of Republic of Korea. This
choice of law is made to ensure uniform interpretation of this CPS,
regardless of the place of residence or place of use of NAVER Cloud
Certificates or other products and services. The law of Republic of Korea
applies also to all NAVER Cloud commercial or contractual relationships in
which this CPS may apply or quoted implicitly or explicitly in relation to
NAVER Cloud products and services where NAVER Cloud acts as a provider,
supplier, beneficiary receiver or otherwise.”
(Note that section 1.1 of the NAVER CPS states, “In the event of any
inconsistency between this CPS and the Baseline Requirements, the Baseline
Requirements take precedence over this document.”)
Section 9.16.3 has been amended by adding a paragraph reading, “In the
event of a conflict between CABF Baseline Requirements and a law,
regulation or government order (hereinafter ‘Law’) of any jurisdiction in
which a CA operates or issues certificates, NAVER Cloud modifies any
conflicting requirement to the minimum extent necessary to make the
requirement valid and legal in the jurisdiction. This applies only to
operations or certificate issuances that are subject to that Law. In such
event, NAVER Cloud immediately (and prior to issuing a certificate under
the modified requirement) includes in Section 9.16.3 of this CPS a detailed
reference to the Law requiring a modification of these Requirements under
this section, and the specific modification to these Requirements
implemented by NAVER Cloud.”
(3) Section 5.4.1 now states that “NAVER Cloud records at least the
following events: … 2. Subscriber Certificate lifecycle management events,
including: … b. All verification activities stipulated in these
Requirements and the CA’s Certification Practice Statement”.
A key take-away from a review of these comments and responses is the need
for each CA’s CPS language to provide a firm commitment to revoke
certificates on a timely basis. I think members of the Mozilla community do
not want to have to worry about “when” or “whether” a certificate will be
revoked. In sections 4.9.1.1 and 4.9.5 of the NAVER CPS, NAVER has adopted
essentially the 24-hour and 5-day timeframes of sections 4.9.1.1 and 4.9.5
of the Baseline Requirements. Certainly, all CAs could improve the
descriptions of their revocation processes, but this language in the NAVER
CPS meets the minimum requirements. Hopefully, NAVER and other CAs will not
only strive to improve their CPS revocation language, but also strive to
revoke certificates quickly when one of the criteria is met.
Are there any final comments or issues that have not been addressed? If
not, I will be closing public discussion tomorrow [Step 9] and giving
notice that it is Mozilla’s intent to approve NAVER's request for inclusion
[Step 10].
Thanks,
Ben
On Thu, Nov 5, 2020 at 8:55 AM Sooyoung Eo via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
> Thank you all for the comments during the public discussion phase.
> All matters raised in this public discussion have been fixed, and we have
> then published our revised CPS, including changes in sections 4.9.3, 4.9.5,
> 5.4.1, 9.14, and 9.16.3.
>
> You can find the revised CPS v1.5.0 at our repository.
> https://certificate.naver.com/bbs/initCrtfcJob.do
> (direct download link:
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=8458f988c4994fc2b5fbae53a0c704c7.pdf&atch_real_file_nm=NAVER%20Cloud%20CPS%20v1.5.0.pdf
> )
>
> To minimize confusion, I would like to mention that "NAVER BUSINESS
> PLATFORM" has been renamed to "NAVER Cloud" without any changes in the
> ownership of the company and Certification Authority on October 26, 2020.
>
> Kind Regards,
> Sooyoung Eo
>
>
> On Wednesday, November 4, 2020 at 7:50:27 AM UTC+9, Ben Wilson wrote: