Certinomis Root Inclusion Request
Kathleen Wilson
certificate and enable the websites trust bit.
Certinomis is a commercial CA that delivers certificates to the general
public in France, and is the Certificate Service Provider of "La Poste"
the French Postal Service.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=545614
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#Certinomis
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=498137
Noteworthy points:
* Root cert: http://www.certinomis.com/publi/rgs/ac-racine-g2.cer
* The CP and CPS documents are in French. English translations of
certain sections have been provided in the Information Gathering document.
CPS: http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
Root CP:
http://www.certinomis.com/publi/rgs/DT-FL-0905-001-PC-RACINE-1.2.pdf
CP Serveur SSL 1 étoile:
http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
CP Serveur SSL 2 étoiles:
http://www.certinomis.com/publi/rgs/DT-FL-0808-016-PC-SERV-2E-SSL-1.2.pdf
* This root has internally-operated subordinate CAs:
** “Certinomis AC 1 étoile” (OV verification for SSL),
** “Certinomis AC 2 étoiles” (EV like verification for SSL)
** “Certinomis - Autorité de Test” (for internal testing only),
** “Certinomis Corporate” (discontinued).
* The request is to enable the websites trust bit.
** There is a pre-check of the identity of the organization when the
subscriber creates its account on the Certinomis web site. Certinomis
uses the INSEE database to check the activity of the organization:
http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
** Certinomis attached part of another document to the bug, which is the
section of their RA process documentation dealing with when the
organization is a new customer. It includes checking the existence of
the organization on the SIRENE directory:
http://avis-situationsirene.insee.fr/avisitu/jsp/avis.jsp. The RA must
retrieve the exact name from the directory and verify that the facility
exists and is not closed.
*** https://bugzilla.mozilla.org/attachment.cgi?id=498112
** The organization validation is based on official documents from the
French Government (French Trade Register). The documents must be
originals and date less than 3 months.
** Translation from CPS section 2.1.2.1: As a rule, the organization
must bring the proof of its existence and of its registration number
(unique number identification from a trade register or all other
official up-to-date lists.) This proof takes the form of a supporting
document. Generally, for a corporation, this is a copy of the extract
‘k-bis’ delivered by the transplants of courts of commerce of the seat
of the corporation. A list of supporting document accepted is available
in a supplementary procedure: FC_AE_OPC_JUSTIFS.
** Extract from FC_AE_OPC_JUSTIFS:
*** 1. A company registered at the French Trade Register
_ An original K-Bis certificate of incorporation dated less than 3
months, delivered by the registry
_ One valid copy of your company’s articles of association, bearing the
signature of its representatives
*** 2. French organisations registered at the SIRENE Register
_ a situation notice from the SIRENE register justifying your
registration number
_ a copy of the articles of association / minutes of the General
Assembly, or any other valid document bearing the signatures of the
organisation’s representatives
**** ELECTED REPRESENTATIVES: a copy of the minutes / the debate leading
to the election of the Mayor, the Chairman, etc. This copy is to bear
your organisation’s stamp and mention « certified true copy »
**** APPOINTED REPRESENTATIVES: a copy of the official gazette or
bulletin attesting to this appointment (if the page contains a lot of
text, please highlight the line involved).
*** 3. European organizations
_ copy of the document awarding your organisation its Intra-community
VAT Identification Number
_ copy of the registration at a trade and company register, « certified
true copy »
_ a copy of the articles of association / minutes of the General
Assembly, or any other valid document bearing the signatures of the
organisation’s representatives
** Translation from CP (both 1 and 2 étoiles) section 3.2.2: The
Registration Authority verifies the organization identity, the legal
representative identity and identity of all persons designated by the
representative, directly or indirectly, to represent the organization to
the CA or the RA. The legal representative and these persons are the
certificate “agents”.
** Translation from CP (both 1 and 2 étoiles) section 3.2.3.3: The
identification of the future device (or application) representing a
corporation needs, on one hand, the identification of this entity and,
on the other hand, the identification of the physical person in charge
of the device and at last the identity of the device. The identification
of the entity and person in charge of the device is realized following
the disposals of the item 3.2.3.1 and if the entity designates a
certificate agent, following disposals of the item 3.2.3.2.
*** RA verifies that the requester is authorized by his company to
receive certificates for the device or the application. The person or
the organization that presents a request must establish the proof of his
right of usage on the device or the application that will have the
requested certificate. In particular in the case of a web server, the
person will have to establish the proof that the domain name belongs to him.
** Translation from CPS section 2.1.3.1: The certificate’s common name
(CN) must be a FQDN. (Fully Qualified Domain Name). A FQDN starts with a
hostname (www, ftp…) et ends with an extension (.com, .eu, .fr, .org
etc.). This is the internet address to access to the server, with no
directory or files (not a full URL) ex. : www.certinomis.com ,
www.test-certinomis.com are FQDN. On the other hand,
www.certinomis.com/faq is not acceptable (directory). The following
chars are forbidden within a FQDN : slash(/), comma(,) spaces (and other
like tab). Dash(-) and dot (.) are accepted.
*** The operator (Registration Authority) must verify:
1. The link between the organization and the domain name to certify, if
needed, ask complements.
2. The ownership of the domain name, on these internet web sites:
▪ http://www.networksolutions.com/whois/index.jhtml. (domains .com,
..org, .net)
▪ http://www.afnic.fr/outils/whois (domains .fr)
▪ http://www.eurid.eu (domains .eu)
▪ http://www.norid.no/domenenavnbaser/domreg.html (other countries)
If the identified organization is not the owner of the domain, the
recorded owner of the domain must provide an authorization of usage of
domain name to the identified organization.
The domain contact information’s must be up-to-date. If not the domain
owner must update them. When done, he must notify the operator for
checking the domain name recording and then the operator can validate
the certificate request.
In addition, if the request is done under the form of a request
accompanied with a CSR, this one is checked by the back office tool in
order to verify the proof of possession of the private key.
* EV-enablement is not requested.
* Test Websites:
** https://class2.test-certinomis.com/
** https://class3.test-certinomis.com/
*CRL:
** ARL: http://crl.certinomis.com/AC_Racine/crl/crl-1.crl
** CRL 1 star: http://crl.certinomis.com/AC_1_ETOILE/crl/crl-2.crl
(NextUpdate: 7 days)
** CRL 2 stars: http://crl.certinomis.com/AC_2_ETOILES/crl/crl-2.crl
(NextUpdate: 7 days)
* OCSP:
** Currently none.
* Audit: LSTI performs the audits according to the ETSI 101 456
criteria. The current ETSI certificate is valid until 2012.11.03, and
is posted on the LSTI website at
http://www.lsti-certification.fr/index.php?option=com_content&view=article&id=58&Itemid=53&lang=en
Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices):
* Distributing generated private keys in PKCS#12 files
** Certinomis delivers PKCS#12 files:
*** The process is qualified; use of a SSCD with no copy of keys
*** The delivery is secured; the PKCS12 is burned on a CD and sent by mail.
*** The password (12 chars long) is delivered with secure mailer.
*** These operations are differed in space and time.
** Translation from “CP Serveur SSL 1 étoile” section 6.1.2: In the case
where the key pair is generated at the CA private key is transmitted to
the head of server securely, to ensure confidentiality and integrity.
The private key is transmitted to the carrier within a PKCS #12,
protected by a password passes, consisting of 12 alphanumeric
characters, the PKCS #12 and the password being transmitted by two
different mailings.
This begins the discussion of the request from Certinomis to add the
“Certinomis - Autorité Racine” root certificate, and enable the websites
trust bit. At the conclusion of this discussion, I will provide a
summary of issues noted and action items. If there are no outstanding
issues, then this request can be approved. If there are outstanding
issues or action items, then an additional discussion may be needed as
follow-up.
Kathleen
Sid Stamm
> Certinomis has applied to add the “Certinomis - Autorité Racine” root
> certificate and enable the websites trust bit.
I've reviewed the request and have two questions:
> * This root has internally-operated subordinate CAs:
> ** “Certinomis AC 1 étoile” (OV verification for SSL),
> ** “Certinomis AC 2 étoiles” (EV like verification for SSL)
> ** “Certinomis - Autorité de Test” (for internal testing only),
> ** “Certinomis Corporate” (discontinued).
Has the "Certinomis Corporate" certificate been revoked or is it just no
longer used to issue EE certificates?
> ** Translation from CP (both 1 and 2 étoiles) section 3.2.3.3: The
> identification of the future device (or application) representing a
> corporation needs, on one hand, the identification of this entity and,
> on the other hand, the identification of the physical person in charge
> of the device and at last the identity of the device. The identification
> of the entity and person in charge of the device is realized following
> the disposals of the item 3.2.3.1 and if the entity designates a
> certificate agent, following disposals of the item 3.2.3.2.
> *** RA verifies that the requester is authorized by his company to
> receive certificates for the device or the application. The person or
> the organization that presents a request must establish the proof of his
> right of usage on the device or the application that will have the
> requested certificate. In particular in the case of a web server, the
> person will have to establish the proof that the domain name belongs to
> him.
How is this proof of domain name ownership established?
Cheers,
Sid
Sid Stamm
I just re-read the request and came across an answer to my question:
> 2. The ownership of the domain name, on these internet web sites:
> ▪ http://www.networksolutions.com/whois/index.jhtml. (domains .com, ..org, .net)
> ▪ http://www.afnic.fr/outils/whois (domains .fr)
> ▪ http://www.eurid.eu (domains .eu)
> ▪ http://www.norid.no/domenenavnbaser/domreg.html (other countries)
> If the identified organization is not the owner of the domain, the recorded owner of the domain must provide an authorization of usage of domain name to the identified organization.
> The domain contact information’s must be up-to-date. If not the domain owner must update them. When done, he must notify the operator for checking the domain name recording and then the operator can validate the certificate request.
If I understand correctly, domain ownership is verified in only one way:
by checking WHOIS records to match the organization submitting the request.
Apologies for missing this the first time. Please disregard that question.
Cheers,
Sid
Franck Leroy
On 6 jan, 01:10, Sid Stamm <s...@mozilla.com> wrote:
> Has the "Certinomis Corporate" certificate been revoked or is it just no
> longer used to issue EE certificates?
>
Just no longer used.
A new Corporate CA will be generated under another root on January 27
2011.
Best regards
Franck Leroy
Certinomis CTO
Sid Stamm
> by checking WHOIS records to match the organization submitting the request.
I guess I'd still like to know more about domain ownership verification.
Is WHOIS queried for all types of certificates issued, or are other
domain control/ownership verification methods (such as email
challenge-response) used?
-Sid
Franck Leroy
Hi,
the WHOIS is used to check the link between FQDN and Organisation
Name.
Then the domain contact is notify (a phone call to the organisation
main phone number and asking to talk to the domain contact) for
checking the domain name recording.
The domain contact is asked about the FQDN value in order to avoid
mistake on sub-domain value.
Then the RA operator can validate the certificate request.
Regards
Franck Leroy
Certinomis CTO
Eddy Nigg
>
> ** Certinomis attached part of another document to the bug, which is
> the section of their RA process documentation dealing with when the
> organization is a new customer. It includes checking the existence of
> the organization on the SIRENE directory:
> http://avis-situationsirene.insee.fr/avisitu/jsp/avis.jsp. The RA must
> retrieve the exact name from the directory and verify that the
> facility exists and is not closed.
>
Except looking up the organization details through the SIREN number,
which other steps does Certinomis perform in order to make sure that the
applicant is authorized to represent the organization in question?
> **** ELECTED REPRESENTATIVES: a copy of the minutes / the debate
> leading to the election of the Mayor, the Chairman, etc. This copy is
> to bear your organisation’s stamp and mention « certified true copy »
> **** APPOINTED REPRESENTATIVES: a copy of the official gazette or
> bulletin attesting to this appointment (if the page contains a lot of
> text, please highlight the line involved).
Those are all user provided documents, I'm not sure yet that this
constitutes a reasonable verification procedure.
>
> ** Translation from CP (both 1 and 2 étoiles) section 3.2.2: The
> Registration Authority verifies the organization identity, the legal
> representative identity and identity of all persons designated by the
> representative, directly or indirectly, to represent the organization
> to the CA or the RA. The legal representative and these persons are
> the certificate “agents”.
Excellent - also here I'd like to understand more into detail which
steps are performed to validate the identities from above. Where is it
disclosed in the CP/CSP?
> If the identified organization is not the owner of the domain, the
> recorded owner of the domain must provide an authorization of usage of
> domain name to the identified organization.
Very good! How is the authorization of the domain owner verified?
> * Audit: LSTI performs the audits according to the ETSI 101 456
> criteria. The current ETSI certificate is valid until 2012.11.03, and
> is posted on the LSTI website at
> http://www.lsti-certification.fr/index.php?option=com_content&view=article&id=58&Itemid=53&lang=en
>
In noticed that the audit is not performed in a yearly cycle. This might
present a problem in the future if Mozilla should decide on a yearly
audit requirement.
>
> Potentially Problematic Practices
> (http://wiki.mozilla.org/CA:Problematic_Practices):
>
> * Distributing generated private keys in PKCS#12 files
>
No issue found with this, the procedures are reasonable and fairly secure.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
Franck Leroy
I need a few days to answer, I am a little busy ; this is the annual
Audit with LSTI, that ends on wenesday.
Regards
Franck Leroy
Certinomis CTO.
Franck Leroy
>> **** ELECTED REPRESENTATIVES: a copy of the minutes / the debate
>> leading to the election of the Mayor, the Chairman, etc. This copy is
>> to bear your organisation’s stamp and mention « certified true copy »
>> **** APPOINTED REPRESENTATIVES: a copy of the official gazette or
>> bulletin attesting to this appointment (if the page contains a lot of
>> text, please highlight the line involved).
>Those are all user provided documents, I'm not sure yet that this
>constitutes a reasonable verification procedure.
Those documents are used to check that the organization exists and is
still active.
Is this not a verification of the applicant authorization. (see next
step)
>> ** Certinomis attached part of another document to the bug, which is
>> the section of their RA process documentation dealing with when the
>> organization is a new customer. It includes checking the existence of
>> the organization on the SIRENE directory:
>> http://avis-situationsirene.insee.fr/avisitu/jsp/avis.jsp. The RA must
>> retrieve the exact name from the directory and verify that the
>> facility exists and is not closed.
>Except looking up the organization details through the SIREN number,
>which other steps does Certinomis perform in order to make sure that the
>applicant is authorized to represent the organization in question?
First certinomis checks that the organization exists.
Then certinomis has to build a path from the organization and the
requested certificate.
The beginning of the chain is the representative who is designated by
the previous documents.
Certinomis ask a copy of the national ID card (to have an image of the
signature) of the representative.
A document is required that authorize certinomis to generate the
requested certificate.
This document has to be signed by the organization representative.
The representative can mandatates a "Certificate Agent" to sign this
authorization.
Then Certinomis ask a copy of the national ID card of the certificate
agent.
A document is required that mandates the certificate agent.
This document has to be signed by both organization representative and
certificate agent.
The authorization document contains the FQDN of the certificate and
person who will receive the certificate; we call this person the
"certificate manager"
Certinomis ask a copy of the national ID card of the certificate
manager.
A document is required from the certificate manager, this documents
contains the identity (name/email/address) of the manager and the FQDN
of the certificate.
This document has to be signed by the certificate manager.
Here is a example of the requested documents :
http://www.certinomis.com/fichiers/Dossier17051.pdf
Page 1/9 : ENREGISTREMENT DE L’ORGANISME : Identity of the
Organization and its representative
Page 2/9 : DESIGNATION D’UN MANDATAIRE DE CERTIFICATION : Identity of
the certificate agent
Page 3/9 : AUTORISATION D’EMISSION DE CERTIFICATS : Authorization of
certificate creation.
Page 4/9 : DEMANDE DE CERTIFICAT DE SERVEUR : Identity of certificate
manager and the requested FQDN.
On each page there is a section called : PIECES JUSTIFICATIVES A
FOURNI
This list the official documents requested to validation the provided
informations.
>> ** Translation from CP (both 1 and 2 étoiles) section 3.2.2: The
>> Registration Authority verifies the organization identity, the legal
>> representative identity and identity of all persons designated by the
>> representative, directly or indirectly, to represent the organization
>> to the CA or the RA. The legal representative and these persons are
>> the certificate “agents”.
>Excellent - also here I'd like to understand more into detail which
>steps are performed to validate the identities from above. Where is it
>disclosed in the CP/CSP?
The validation process : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
2.1.1 Vérification de l’identité des personnes
-> Each person (representative/agent/manager) must proove his
identity
2.1.2 Validation de l'identité d'un organisme
-> Organization Identity validation
2.1.3.1 Dans le cas de l’utilisation d’un FQDN
-> FQDN validation
2.1.4.1 Document attestant de la qualité de représentant légal
-> representative validation
2.1.4.2 Procuration, pouvoir internes, chaîne des pouvoirs
-> certificate agent validation
I can try to translate if needed.
>> If the identified organization is not the owner of the domain, the
>> recorded owner of the domain must provide an authorization of usage of
>> domain name to the identified organization.
>Very good! How is the authorization of the domain owner verified?
The forms has to bear the organisation’s stamp (Can be replaced by a
letter printed on headed paper) and
signed by domain owner. (we cannot validate the signature so :)
During the phone call to the domain owner, the RA ask if he agrees the
certificate creation.
>> * Audit: LSTI performs the audits according to the ETSI 101 456
>> criteria. The current ETSI certificate is valid until 2012.11.03, and
>> is posted on the LSTI website at
>> http://www.lsti-certification.fr/index.php?option=com_content&view=ar...
>In noticed that the audit is not performed in a yearly cycle. This might
>present a problem in the future if Mozilla should decide on a yearly
>audit requirement.
The ETSI certificate is valid 3 years, but ETSI 101 456 ask for an
annual review by the Auditor.
The 2011 review just ends today !
Franck Leroy
>> **** ELECTED REPRESENTATIVES: a copy of the minutes / the debate
>> leading to the election of the Mayor, the Chairman, etc. This copy is
>> to bear your organisation’s stamp and mention « certified true copy »
>> **** APPOINTED REPRESENTATIVES: a copy of the official gazette or
>> bulletin attesting to this appointment (if the page contains a lot of
>> text, please highlight the line involved).
>Those are all user provided documents, I'm not sure yet that this
>constitutes a reasonable verification procedure.
Those documents are used to check that the organization exists and is
still active.
Is this not a verification of the applicant authorization. (see next
step)
>> ** Certinomis attached part of another document to the bug, which is
>> the section of their RA process documentation dealing with when the
>> organization is a new customer. It includes checking the existence of
>> the organization on the SIRENE directory:
>> http://avis-situationsirene.insee.fr/avisitu/jsp/avis.jsp. The RA must
>> retrieve the exact name from the directory and verify that the
>> facility exists and is not closed.
>Except looking up the organization details through the SIREN number,
>which other steps does Certinomis perform in order to make sure that the
>applicant is authorized to represent the organization in question?
First certinomis checks that the organization exists.
Then certinomis has to build a path from the organization and the
requested certificate.
The beginning of the chain is the representative who is designated by
the previous documents.
Certinomis ask a copy of the national ID card (to have an image of the
signature) of the representative.
A document is required that authorize certinomis to generate the
requested certificate.
This document has to be signed by the organization representative.
The representative can mandatates a "Certificate Agent" to sign this
authorization.
Then Certinomis ask a copy of the national ID card of the certificate
agent.
A document is required that mandates the certificate agent.
This document has to be signed by both organization representative and
certificate agent.
The authorization document contains the FQDN of the certificate and
person identity who will receive the certificate; we call this person
the "certificate manager"
Certinomis ask a copy of the national ID card of the certificate
manager.
A document is required from the certificate manager, this documents
contains the identity (name/email/address) of the manager and the FQDN
of the certificate.
This document has to be signed by the certificate manager.
Here is a example of the requested documents :
http://www.certinomis.com/fichiers/Dossier17051.pdf
Page 1/9 : ENREGISTREMENT DE L’ORGANISME : Identity of the
Organization and its representative
Page 2/9 : DESIGNATION D’UN MANDATAIRE DE CERTIFICATION : Identity of
the certificate agent
Page 3/9 : AUTORISATION D’EMISSION DE CERTIFICATS : Authorization of
certificate creation.
Page 4/9 : DEMANDE DE CERTIFICAT DE SERVEUR : Identity of certificate
manager and the requested FQDN.
On each page there is a section called : PIECES JUSTIFICATIVES A
FOURNI
This list the official documents requested to validation the provided
informations.
>> ** Translation from CP (both 1 and 2 étoiles) section 3.2.2: The
>> Registration Authority verifies the organization identity, the legal
>> representative identity and identity of all persons designated by the
>> representative, directly or indirectly, to represent the organization
>> to the CA or the RA. The legal representative and these persons are
>> the certificate “agents”.
>Excellent - also here I'd like to understand more into detail which
>steps are performed to validate the identities from above. Where is it
>disclosed in the CP/CSP?
The validation process : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
2.1.1 Vérification de l’identité des personnes
-> Each person (representative/agent/manager) must proove his
identity
2.1.2 Validation de l'identité d'un organisme
-> Organization Identity validation
2.1.3.1 Dans le cas de l’utilisation d’un FQDN
-> FQDN validation
2.1.4.1 Document attestant de la qualité de représentant légal
-> representative validation
2.1.4.2 Procuration, pouvoir internes, chaîne des pouvoirs
-> certificate agent validation
I can try to translate if needed.
>> If the identified organization is not the owner of the domain, the
>> recorded owner of the domain must provide an authorization of usage of
>> domain name to the identified organization.
>Very good! How is the authorization of the domain owner verified?
The forms has to bear the organisation’s stamp (Can be replaced by a
letter printed on headed paper) and
signed by domain owner. (we cannot validate the signature so :)
During the phone call to the domain owner, the RA ask if he agrees the
certificate creation.
>> * Audit: LSTI performs the audits according to the ETSI 101 456
>> criteria. The current ETSI certificate is valid until 2012.11.03, and
>> is posted on the LSTI website at
>> http://www.lsti-certification.fr/index.php?option=com_content&view=ar...
>In noticed that the audit is not performed in a yearly cycle. This might
>present a problem in the future if Mozilla should decide on a yearly
>audit requirement.
The ETSI certificate is valid 3 years, but ETSI 101 456 ask for an
Eddy Nigg
> Hello
Hi Franck,
Thanks a lot for your reply. I believe a lot was clarified, one
question remains:
> First certinomis checks that the organization exists.
> Then certinomis has to build a path from the organization and the
> requested certificate.
> The beginning of the chain is the representative who is designated by
> the previous documents.
> Certinomis ask a copy of the national ID card (to have an image of the
> signature) of the representative.
How do you validate and confirm that the representative is, who he
claims to be? E.g. how do you make sure the national ID card belongs to
the person to whom you eventually will provide the certificate for the
organization or who is authorized to appoint somebody else for this purpose?
> The representative can mandatates a "Certificate Agent" to sign this
> authorization.
> Then Certinomis ask a copy of the national ID card of the certificate
> agent.
For here the same question from above applies.
> The authorization document contains the FQDN of the certificate and
> person who will receive the certificate; we call this person the
> "certificate manager"
> Certinomis ask a copy of the national ID card of the certificate
> manager.
Again, same as above. And finally, how do you verify that the
representative, certificate agent and/or certificate manager are
authorized to represent the company of which you confirmed its legal
existence?
Franck Leroy
>> First certinomis checks that the organization exists.
>> Then certinomis has to build a path from the organization and the
>> requested certificate.
>> The beginning of the chain is the representative who is designated by
>> the previous documents.
>> Certinomis ask a copy of the national ID card (to have an image of the
>> signature) of the representative.
>How do you validate and confirm that the representative is,
>E.g. how do you make sure the national ID card belongs to
>the person to whom you eventually will provide the certificate for the
>organization or who is authorized to appoint somebody else for this purpose?
The name of the reprentative is written on an official document
delivered
by the government for exemple a "An original K-Bis certificate of
incorporation"
The IDcard is also an government document and there is a signature.
The RA checks that ,the name and signature on documents, are the same
as on IDcard.
Then this is a chain, each time a signature and a copy on IDcard is
needed, the
RA checks all name/signatures.
For "1 étoile" (1 star) level, the IDcard checking is only done on
copies.
For "2 étoiles" (2 stars) level, the IDcard checking (only the cardID
at the end
of the chain, in that case the certificate manager) is done face-to-
face in a post
office.
>> The representative can mandatates a "Certificate Agent" to sign this
>> authorization.
>> Then Certinomis ask a copy of the national ID card of the certificate
>> agent.
>For here the same question from above applies.
same answer
>> The authorization document contains the FQDN of the certificate and
>> person who will receive the certificate; we call this person the
>> "certificate manager"
>> Certinomis ask a copy of the national ID card of the certificate
>> manager.
>Again, same as above. And finally, how do you verify that the
>representative, certificate agent and/or certificate manager are
>authorized to represent the company of which you confirmed its legal
>existence?
The representative is THE legal representative has writen on official
documents; for private
compagny it is a document from the Trade registry for example. For a
city the representative is the mayor, for
an associasion this is the president...
So this person legally represent the compagny.
Then the representative mandates the agent, thus the agent is
authorized by the document:
See : Page 2/9 DESIGNATION D’UN MANDATAIRE DE CERTIFICATION: is the
authorization
"LE MANDATAIRE DE CERTIFICATION DESIGNE CI-DESSUS DONT JE SUIS
CIVILEMENT RESPONSABLE EST
HABILITE A DEMANDER DES CERTIFICATS ELECTRONIQUES CERTINOMIS ET A
SIGNER LES CONTRATS CORRESPONDANTS,
AU NOM DE L’ORGANISME ET DES MEMBRES DUDIT ORGANISME DONT JE SUIS
REPRESENTANT LEGAL."
Translation (approx):
"The designated certificate agent is authorized to ask certinomis's
certificates and to sign contracts
by the name of the company and for members of that company which I am
the legal representative."
(Sure is this not good english !! sorry...)
And so on..
The certificate agent authorize the certificate manager to receive the
server certificate, by
signing page 3/9 AUTORISATION D’EMISSION DE CERTIFICATS
The certificate manager agrees to be responsible of the installation
and of the security of the
certificate by signing pages 4/9 and 6/9
Hope that my bad english helps ;-)
Eddy Nigg
> Hello Eddy
Hi Franck -
> For "1 étoile" (1 star) level, the IDcard checking is only done on
> copies.
OK, but how do you verify that the alleged representative of which you
received the ID card is indeed the person he claims to be?
> For "2 étoiles" (2 stars) level, the IDcard checking (only the cardID
> at the end of the chain, in that case the certificate manager) is done face-to-
> face in a post office.
Interesting! Can you explain who is doing the face to face verification
at the post office?
> Hope that my bad english helps ;-)
Your English is excellent and it helps a lot!
Franck Leroy
> On 01/13/2011 12:16 PM, From Franck Leroy:
>
Hi Eddy
> Hi Franck -
>
> > For "1 étoile" (1 star) level, the IDcard checking is only done on
> > copies.
>
> OK, but how do you verify that the alleged representative of which you
> received the ID card is indeed the person he claims to be?
Because this is the same name as on the official document.
For example for a french private company, certinomis asks for an
"extrait K-bis" that is delivered by the trade registry.
On this document is written the name / adress of the compagny and the
name of the CEO.
Then RA compares the name on the ID card, it must be the same.
The RA compares the signature on the ID card and on the documents, it
must be original and the same (not a photocopy nor the printed one).
> > For "2 étoiles" (2 stars) level, the IDcard checking (only the cardID
> > at the end of the chain, in that case the certificate manager) is done face-to-
> > face in a post office.
>
> Interesting! Can you explain who is doing the face to face verification
> at the post office?
The server certificate manager (or the certificate agent) receives a
mail from certinomis with the address of the post office.
The post office manager receives a mail from certinomis with the name
of the personn to ckeck by face-to-face.
When the server certificate manager arrives at the post office, the
post office manager takes the document from certinomis and checks that
the name is the same as on the ID card, and he checks that person is
the same as on the photograph on the ID card.
Then the post office manager fills the document sent by certinomis, he
writes the ID card number, the date and he signs the documents. The
server certificate manager also sign this document.
Finnally the post office manager returns this document to certinomis.
Kathleen Wilson
> On 14 jan, 21:18, Eddy Nigg<eddy_n...@startcom.org> wrote:
>> On 01/13/2011 12:16 PM, From Franck Leroy:
>>
>
> Hi Eddy
>
>
>> Hi Franck -
>>
>>> For "1 étoile" (1 star) level, the IDcard checking is only done on
>>> copies.
>>
>> OK, but how do you verify that the alleged representative of which you
>> received the ID card is indeed the person he claims to be?
>
> Because this is the same name as on the official document.
> For example for a french private company, certinomis asks for an
> "extrait K-bis" that is delivered by the trade registry.
> On this document is written the name / adress of the compagny and the
> name of the CEO.
>
> Then RA compares the name on the ID card, it must be the same.
> The RA compares the signature on the ID card and on the documents, it
> must be original and the same (not a photocopy nor the printed one).
>
Is the official document provided by the certificate subscriber? Or does
Certinomis request the document directly from the trade registry?
We are adding the following requirement to Version 2.0 of the Mozilla CA
Certificate Policy:
"all information that is supplied by the certificate subscriber must be
verified by using an independent source of information or an alternative
communication channel before it is included in the certificate;"
In our opinion it is not sufficient for the certificate subscriber to
provide the documents. There must also be some way to confirm the
authenticity of the documents that the certificate subscriber provides.
Kathleen
Franck Leroy
> In our opinion it is not sufficient for the certificate subscriber to
> provide the documents. There must also be some way to confirm the
> authenticity of the documents that the certificate subscriber provides.
>
> Kathleen- Masquer le texte des messages précédents -
>
> - Afficher le texte des messages précédents -
Hello
There is a thrid part checking of the identity of the organization
when the
subscriber creates its account on the Certinomis web site. Certinomis
uses the INSEE database to check the name and the activity of the
organization:
http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
Best regards.
Franck Leroy
Certinomis CTO
Kathleen Wilson
Thank you to those of you who have contributed to the discussion of this
request from Certinomis to add the “Certinomis - Autorité Racine” root
certificate and enable the websites trust bit.
In this discussion, a few things were clarified about the steps that
Certinomis takes to verify information provided by the certificate
subscriber. Therefore, the result of this discussion is the following
action item.
ACTION Certinomis: Update the CP/CPS documentation to clarify the
following information.
a) For domain verification, WHOIS is used to check the link between FQDN
and Organisation Name. Then the domain contact is notified (a phone call
to the organization main phone number and asking to talk to the domain
contact) for checking the domain name recording. The domain contact is
asked about the FQDN value in order to avoid mistake on sub-domain
value. During the phone call to the domain owner, the RA ask if he
agrees the certificate creation.
b) After Certinomis confirms that the organization exists, then
Certinomis verifies that the applicant is authorized to represent the
organization in question. This is done by requiring national ID cards
and an authorization document signed by both the organization
representative and the certificate agent. The authorization document
contains the FQDN of the certificate and names the certificate manager
(the person who will receive the certificate). The certificate manager
must also provide a copy of the national ID card and another signed
document.
c) Certinomis confirms that the representative is who he claims to be as
follows.
When the subscriber creates an account on the Certinomis web site.
Certinomis uses the INSEE database to check the name and the activity of
the organization:
http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
For "1 étoile" level, the identity of the certificate subscriber is
verified by using the ID card and the extrait K-bis from the Trade
Registry.
For "2 étoiles" level, the identity of the certificate subscriber is
verified by a face-to-face in a post office.
Does this sufficiently summarize the action to be taken by Certinomis in
response to this discussion?
Does anyone else have input/suggestions for this CA before I close this
discussion?
Thanks,
Kathleen
Franck Leroy
> On 12/21/10 1:28 PM, Kathleen Wilson wrote:
>
>
>
>
>
> > Certinomis has applied to add the “Certinomis - Autorité Racine” root
> > certificate and enable the websites trust bit.
>
> > Certinomis is a commercial CA that delivers certificates to the general
> > public in France, and is the Certificate Service Provider of "La Poste"
> > the French Postal Service.
>
> > The request is documented in the following bug:
> >https://bugzilla.mozilla.org/show_bug.cgi?id=545614
>
> > And in the pending certificates list here:
> >http://www.mozilla.org/projects/security/certs/pending/#Certinomis
>
> > Summary of Information Gathered and Verified:
> >https://bugzilla.mozilla.org/attachment.cgi?id=498137
>
> > Noteworthy points:
>
> > * Root cert:http://www.certinomis.com/publi/rgs/ac-racine-g2.cer
>
> > * The CP and CPS documents are in French. English translations of
> > certain sections have been provided in the Information Gathering document.
>
> > CPS:http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> > Root CP:
> >http://www.certinomis.com/publi/rgs/DT-FL-0905-001-PC-RACINE-1.2.pdf
>
> > CP Serveur SSL 1 étoile:
>
> > CP Serveur SSL 2 étoiles:
>
> - Afficher le texte des messages précédents -
Hello.
I can update the CP/CPS documents but with about one week delay.
Best regards
Franck Leroy
Certinomis CTO.
Kathleen Wilson
That's fine. I'll leave this discussion open, and you can post the links
to the updated documents in this discussion.
Kathleen
Franck Leroy
Hi
most of the requested informations already exist in this document that
is pointed by the CPS:
https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
Franck Leroy
here are the pointers to the existing documents for the requested
informations:
>a) For domain verification, WHOIS is used to check the link between FQDN
>and Organisation Name. Then the domain contact is notified (a phone call
>to the organization main phone number and asking to talk to the domain
>contact) for checking the domain name recording. The domain contact is
>asked about the FQDN value in order to avoid mistake on sub-domain
>value. During the phone call to the domain owner, the RA ask if he
>agrees the certificate creation.
WHOIS & PHONE CALL:
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
3.2.3.3 Enregistrement d'un dispositif ou d’une application
CPS: http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
2.1.3.1 Dans le cas de l’utilisation d’un FQDN
PROC : http://www.certinomis.com/publi/rgs/PR-SC-CDR-0036-06.pdf
1.2 VERIFICATIONS TELEPHONIQUES
>b) After Certinomis confirms that the organization exists, then
>Certinomis verifies that the applicant is authorized to represent the
>organization in question. This is done by requiring national ID cards
>and an authorization document signed by both the organization
>representative and the certificate agent. The authorization document
>contains the FQDN of the certificate and names the certificate manager
>(the person who will receive the certificate). The certificate manager
>must also provide a copy of the national ID card and another signed
>document.
ID card :
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
3.2.3.1 Enregistrement d'un individu
CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
2.1.1 Vérification de l’identité des personnes
PROC : https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
2.1.1 JUSTIFICATIFS D’IDENTITE LORS DE LA DEMANDE
(typo on chapter
number in the doc 1.1.1 written...)
Authorization :
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
3.2.3.3 Enregistrement d'un dispositif ou d’une application
CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
3.1.2 Certificats 1 étoile (see the [serveur] part)
>c) Certinomis confirms that the representative is who he claims to be as
>follows.
>When the subscriber creates an account on the Certinomis web site.
>Certinomis uses the INSEE database to check the name and the activity of
>the organization:
>http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
>For "1 étoile" level, the identity of the certificate subscriber is
>verified by using the ID card and the extrait K-bis from the Trade
>Registry.
>For "2 étoiles" level, the identity of the certificate subscriber is
>verified by a face-to-face in a post office.
OV :
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
3.2.2 Validation de l'identité d'un organisme
CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
2.1.2 Validation de l'identité d'un organisme
PROC: https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
1.2.2 ORGANISATIONS FRANÇAISES
& 1.2.3 ORGANISMES ÉTRANGERS
& 1.3 existence de l’organisme, représentant légal et pouvoirs
ID card :
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
3.2.3.1 Enregistrement d'un individu
Face2Face:
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-016-PC-SERV-2E-SSL-1.2.pdf
3.2.3.1 Enregistrement d'un individu
Kathleen Wilson
copy-and-paste the text from the PROC document into the Translator (I
think I'm missing something on my system).
Franck, Would you please provide translations into English of the
relevant sections from the PROC document? Also, please correct any of
the following translations as needed.
>> a) For domain verification, WHOIS is used to check the link between FQDN
>> and Organisation Name. Then the domain contact is notified (a phone call
>> to the organization main phone number and asking to talk to the domain
>> contact) for checking the domain name recording. The domain contact is
>> asked about the FQDN value in order to avoid mistake on sub-domain
>> value. During the phone call to the domain owner, the RA ask if he
>> agrees the certificate creation.
>
> WHOIS& PHONE CALL:
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
> 3.2.3.3 Enregistrement d'un dispositif ou d’une application
The identification of the future device (or application) representing a
corporation needs, on one hand, the identification of this entity and,
on the other hand, the identification of the physical person in charge
of the device and at last the identity of the device.
The identification of the entity and person in charge of the device is
realized following the disposals of the item 3.2.3.1 and if the entity
designates a certificate agent, following disposals of the item 3.2.3.2.
RA verifies that the requester is authorized by his company to receive
certificates for the device or the application. The person or the
organization that presents a request must establish the proof of his
right of usage on the device or the application that will have the
requested certificate. In particular in the case of a web server, the
person will have to establish the proof that the domain name belongs to him.
RA verifies that the request contains the following documents:
· A written request of certificate, dated back to less than 3 months,
signed by a legal representative of the entity or by the certificate
agent, containing the server FQDN.
· A signed mandate, and dated back to less than 3 months, by a legal
representative of the organization or by the certificate agent
designating the future holder to which the certificate must be
delivered. This mandate must be signed for acceptance by the future
certificate holder.
· A proof of possession by the entity of the domain name corresponding
to the FQDN of the server.
The RA preserves the documents received for the recording of the holder,
examines the given pieces and documents with a reasonable care and
verifies if they appear to be conformant and valid.
> CPS: http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 2.1.3.1 Dans le cas de l’utilisation d’un FQDN
The certificate’s common name (CN) must be a FQDN. (Fully Qualified
Domain Name). A FQDN starts with a hostname (www, ftp…) et ends with an
extension (.com, .eu, .fr, .org etc.). This is the internet address to
access to the server, with no directory or files (not a full URL) ex. :
www.certinomis.com , www.test-certinomis.com are FQDN.
On the other hand, www.certinomis.com/faq is not acceptable (directory).
The following chars are forbidden within a FQDN : slash(/), comma(,)
spaces (and other like tab).
Dash(-) and dot (.) are accepted.
The operator (RA) must verify:
1. The link between the organization and the domain name to certify, if
needed, ask complements.
2. The ownership of the domain name, on these internet web sites:
▪ http://www.networksolutions.com/whois/index.jhtml. (domains .com,
..org, .net)
▪ http://www.afnic.fr/outils/whois (domains .fr)
▪ http://www.eurid.eu (domains .eu)
▪ http://www.norid.no/domenenavnbaser/domreg.html (other countries)
If the identified organization is not the owner of the domain, the
recorded owner of the domain must provide an authorization of usage of
domain name to the identified organization.
The domain’s contact information must be up-to-date. If not the domain
owner must update them. When done, he must notify the operator for
checking the domain name recording and then the operator can validate
the certificate request.
In addition, if the request is done under the form of a request
accompanied with a CSR, this one is checked by the back office tool in
order to verify the proof of possession of the private key.
> PROC : http://www.certinomis.com/publi/rgs/PR-SC-CDR-0036-06.pdf
> 1.2 VERIFICATIONS TELEPHONIQUES
>
>> b) After Certinomis confirms that the organization exists, then
>> Certinomis verifies that the applicant is authorized to represent the
>> organization in question. This is done by requiring national ID cards
>> and an authorization document signed by both the organization
>> representative and the certificate agent. The authorization document
>> contains the FQDN of the certificate and names the certificate manager
>> (the person who will receive the certificate). The certificate manager
>> must also provide a copy of the national ID card and another signed
>> document.
>
> ID card :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
> 3.2.3.1 Enregistrement d'un individu
The identification of the future carrier (person) representing an entity
requires, first, identification of the entity and, secondly, the
identification of the individual.
The identification of the entity is performed under the terms of Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and signature,
preceded by the words "certified true copy of the original", dated
within three (3) months from the date of filing of documents deemed to
be the date in the postmark.
The EA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
> CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 2.1.1 Vérification de l’identité des personnes
Each person named in an application file, it makes the applicant's
behalf or on behalf of his company, must provide proof of its existence.
This evidence takes the form of an official identity document valid. A
list of documents accepted subject to the additional sheet:
[FC_AE_OPC_JUSTIFS]
Extract from FC_AE_OPC_JUSTIFS:
1. A company registered at the French Trade Register
_ An original K-Bis certificate of incorporation dated less than 3
months, delivered by the registry
_ One valid copy of your company’s articles of association, bearing the
signature of its representatives
2. French organisations registered at the SIRENE Register
_ a situation notice from the SIRENE register justifying your
registration number
_ a copy of the articles of association / minutes of the General
Assembly, or any other valid document bearing the signatures of the
organisation’s representatives
_ ELECTED REPRESENTATIVES : a copy of the minutes / the debate leading
to the election of the Mayor, the Chairman, etc. This copy is to bear
your organisation’s stamp and mention « certified true copy »
_ APPOINTED REPRESENTATIVES : a copy of the official gazette or bulletin
attesting to this appointment (if the page contains a lot of text,
please highlight the line involved).
3. European organizations
_ copy of the document awarding your organisation its Intra-community
VAT Identification Number
_ copy of the registration at a trade and company register, « certified
true copy »
_ a copy of the articles of association / minutes of the General
Assembly, or any other valid document bearing the signatures of the
organisation’s representatives
> PROC : https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
> 2.1.1 JUSTIFICATIFS D’IDENTITE LORS DE LA DEMANDE
> (typo on chapter
> number in the doc 1.1.1 written...)
>
> Authorization :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
> 3.2.3.3 Enregistrement d'un dispositif ou d’une application
The identification device of the future (or application) representing an
entity requires, firstly, the identification of the entity and,
secondly, the identification of the person responsible and the device
and finally the identity of device.
The identification of the responsible entity and the device is made
under the provisions of section 3.2.3.1 and the entity designates an MC
under section 3.2.3.2.
The RA verifies that the applicant is entitled to receive certificates
for the device or application.
The person or organization submitting an application must prove its
right to use the device or application to which reference will be made
in the certificate. Especially in the case of a web server, it must
prove that the domain name belongs to him.
The RA verifies that the application contains the following parts:
· A written request for a certificate, dated within 3 months, signed by
a legal representative of the entity or by the MC and with the FQDN of
the server affected by this request,
• A mandate, dated less than 3 months, appointing the future as eligible
to CAAN CAAN be for the computer server which the server certificate
must be issued. This warrant must be signed by a legal representative of
the entity or the MC and co-signed for acceptance by the future CAAN
· A proof of possession by the entity of the domain name corresponding
to the FQDN of the server.
The EA maintains the documents received for registration of the device,
examine the evidence and documents provided with reasonable care and
checks whether or not present the appearance of compliance and validity.
> CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 3.1.2 Certificats 1 étoile (see the [serveur] part)
[SERVER]
An authorization to issue a certificate that includes:
the name and identification number of the organization, the full name of
the technical contact, the server name.
>> A proxy of the legal representative (present conditional)
This must be informed if the agent designated certification is not the
legal representative of the entity he represents. This form contains the
name, business contact of the legal representative's name,
identification number of the organization, and remember: the full name
and address of the representative professional certification.
This document states explicitly the role and powers of attorney
submitted to management certification certificate requests on behalf of
the organization.
> This document is optional if the legal representative of the company
is only mandatory for certification.
> May be replaced by: any document or power of attorney within the
organization to the extent the powers are set out at least equivalent to
the powers set out in the
Document record type.
>> A warrant, dated within 3 months, appointing the future RCSI as
eligible to be RCSI for the computer server which the server certificate
must be issued. This warrant must be signed by a legal representative of
the entity or the MC and co-signed for acceptance by the future RCSI,
>> A request form that includes:
The information contained in the CSR (Certificate Signing Request, or
certificate signing request). The CSR is generated by the client on the
server before being pasted on the forms
certificate application online.
>> A customer agreement signed and dated, or the reference of this
contract and the customer agreement relating thereto.
>> A customer's purchase order or an order of service partners
(depending on the billing).
The file also includes documents requested to verify the information
given on this application.
>
>> c) Certinomis confirms that the representative is who he claims to be as
>> follows.
>> When the subscriber creates an account on the Certinomis web site.
>> Certinomis uses the INSEE database to check the name and the activity of
>> the organization:
>> http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
>> For "1 étoile" level, the identity of the certificate subscriber is
>> verified by using the ID card and the extrait K-bis from the Trade
>> Registry.
>> For "2 étoiles" level, the identity of the certificate subscriber is
>> verified by a face-to-face in a post office.
>
> OV :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
> 3.2.2 Validation de l'identité d'un organisme
The RA verifies that the application contains the following parts:
• A warrant signed and dated within 3 months by a legal representative
of the entity designating the MC. This warrant must be signed by the MC
for acceptance
• A commitment signed and dated within 3 months of the MC, with HQ, to
perform properly and independently controls the records of applicants,
• A commitment signed and dated within 3 months of the MC to report his
departure to EI entity,
• A formal identity document valid MC with a photo ID (such as national
identity card, passport or stay), which is presented to EI which retains
a copy.
The RA verifies the photocopy of at least one official ID of the
recipient being validity with his photo and signature, preceded by the
words "certified copy true to the original "dated less than three (3)
months from the date of filing of documents deemed to be the date in the
postmark.
The EA maintains the documents received for registration of the
beneficiary, and examines parts documents provided with reasonable care
and checks whether or not present the appearance of compliance and validity.
> CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 2.1.2 Validation de l'identité d'un organisme
In a license application, the organization must provide evidence of its
existence, the proof of the identity of his legal representative and the
chain of giving their money to agents to certification.
2.1.2.1 Existence of the organization
In principle, the organization must provide proof of his existence and
his identification number (unique registration number and identified
with a commercial register or any other official list and update.)
This evidence takes the form of a supporting document. In the most
common case, this is a K-Bis issued by the registries of commercial
courts of the company's headquarters, in the case of a company.
A list of documents accepted subject to the additional sheet:
[FC_AE_OPC_JUSTIFS]
> PROC: https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
> 1.2.2 ORGANISATIONS FRANÇAISES
> & 1.2.3 ORGANISMES ÉTRANGERS
> & 1.3 existence de l’organisme, représentant légal et pouvoirs
>
> ID card :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
> 3.2.3.1 Enregistrement d'un individu
The identification of the future carrier (person) representing an entity
requires, firstly, the identification of the entity and, secondly, the
identification of the individual.
The identification of the entity is performed under the terms of Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and signature,
preceded by the words "certified true copy of the original", dated
within three (3 ) months from the date of filing of documents deemed to
be the date in the postmark.
The EA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
> Face2Face:
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-016-PC-SERV-2E-SSL-1.2.pdf
> 3.2.3.1 Enregistrement d'un individu
The identification of the future carrier (person) representing an entity
requires, firstly, the identification of the entity and, secondly, the
identification of the individual.
The identification of the entity is performed under the terms of Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and signature,
dated less than three (3) months from the date of filing of documents
deemed to be the date contained in the postmark.
The EA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
The distribution of EI can be made directly to the recipient or the
agent of certification.
· In the case of the beneficiary before distribution, the RA verifies
face-to-face, that is to say in the presence of the beneficiary of an
original official identity of the beneficiary valid with photograph and
signature.
· In the case of the agent certification before distribution, the EA
checks face-AFAC is to say, in the presence of the agent certification,
an original piece of official identification agent certification valid
with photograph and signature. The attorney subsequently distribute the
load across the NWAC-evidence has been submitted, the beneficiary.
Kathleen
Franck Leroy
>> a) For domain verification, WHOIS is used to check the link between FQDN
>> and Organisation Name. Then the domain contact is notified (a phone call
>> to the organization main phone number and asking to talk to the domain
>> contact) for checking the domain name recording. The domain contact is
>> asked about the FQDN value in order to avoid mistake on sub-domain
>> value. During the phone call to the domain owner, the RA ask if he
>> agrees the certificate creation.
> WHOIS& PHONE CALL:
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2...
The goal of telephone verification procedure is to check:
• The provided contact works in the corporation that did the
request.
• He agrees the certificate request
• He confirms the addresses e-mail
• He is authorized to do a certificate request, to receive it and to
install it.
This verification must be carried out by a strictly different person
of the person that carried out the preceding verifications.
The verification of the number of telephone can be done on the
following official sites: www.verif.com www.pagesjaunes.com
Or by the telephone services (118 008, 118 712, 118 000, 118 218
etc.).
If the number of seized telephone is a number of cellular telephone:
the technical contact must produce a right proof indicating the link
between this number and the corporation ( telephone bill with the name
of the Organization for example).
At the time of the telephone call, the operator puts a number of
questions to validate the certificate request:
If you obtain all the responses to your questions, you can validate
this step of verification and emit the certificate
If certain information are lacking or erroneous, you must indicate to
the customer the elements to provide in order to rectify his
request.
You will find a model of script of telephone verifications in annex
§2.2
==============================
==============================
==============================
>> b) After Certinomis confirms that the organization exists, then
>> Certinomis verifies that the applicant is authorized to represent the
>> organization in question. This is done by requiring national ID cards
>> and an authorization document signed by both the organization
>> representative and the certificate agent. The authorization document
>> contains the FQDN of the certificate and names the certificate manager
>> (the person who will receive the certificate). The certificate manager
>> must also provide a copy of the national ID card and another signed
>> document.
> ID card :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2...
> 3.2.3.1 Enregistrement d'un individu
The identification of the future holder (person) representing an
entity
requires, first, identification of the entity and, secondly, the
identification of the individual.
The identification of the entity is performed under the terms of
Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and
signature,
preceded by the words "certified true copy of the original", dated
within three (3) months from the date of filing of documents deemed
to
be the date in the postmark.
The EA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
> CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 2.1.1 Vérification de l’identité des personnes
Each person named in an application file, it makes the applicant's
behalf or on behalf of his company, must provide proof of its
existence.
This evidence takes the form of an valid official identity document.
The photocopies (both sides) of the following pieces are accepted
justifying the identity and of a person. These pieces must include
the photograph of their owner, duly signed by him, and including a
photograph.
These pieces are used at the time of the certificate request to
testify existence of the people, on the other hand, at the time of the
face-to-face of the support (2 stars only).
2.1.1 Accepted documents to proove the identity:
+ Nationnal Id card
+ International Passport
+ Resident permit
+ Driving Licence (less than 10 years)
+ Administrative Id card
> Authorization :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2...
> 3.2.3.3 Enregistrement d'un dispositif ou d’une application
The identification device of the future (or application) representing
an
entity requires, firstly, the identification of the entity and,
secondly, the identification of the person responsible and the device
and finally the identity of device.
The identification of the responsible entity and the device is made
under the provisions of section 3.2.3.1 and the entity designates
(certificate agent)
under section 3.2.3.2.
The RA verifies that the applicant is entitled to receive
certificates
for the device or application.
The person or organization submitting an application must prove its
right to use the device or application to which reference will be
made
in the certificate. Especially in the case of a web server, it must
prove that the domain name belongs to him.
The RA verifies that the application contains the following parts:
· A written request for a certificate, dated within 3 months, signed
by
a legal representative of the entity or by the certificate agent and
with the FQDN of
the server affected by this request,
• A mandate, dated less than 3 months, appointing the future server
manager as eligible
to server manager be for the computer server which the server
certificate
must be issued. This warrant must be signed by a legal representative
of
the entity or the certificate agent and co-signed for acceptance by
the future server manager
· A proof of possession by the entity of the domain name
corresponding
to the FQDN of the server.
The RA maintains the documents received for registration of the
device,
examine the evidence and documents provided with reasonable care and
checks whether or not present the appearance of compliance and
validity.
> CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_100125.pdf
> 3.1.2 Certificats 1 étoile (see the [serveur] part)
[SERVER]
An authorization to issue a certificate that includes:
the name and identification number of the organization, the full name
of
the technical contact, the server name.
>> A proxy of the legal representative (present conditional)
This must be informed if the designated certificate agent is not the
legal representative of the entity he represents. This form contains
the
name, business contact of the legal representative's name,
identification number of the organization, and remember: the full
name
and address of the representative professional certification.
This document states explicitly the role and powers of attorney
submitted to management certification certificate requests on behalf
of
the organization.
> This document is optional if the legal representative of the
company
is only mandatory for certification.
> May be replaced by: any document or power of attorney within the
organization to the extent the powers are set out at least equivalent
to
the powers set out in the
Document record type.
>> A warrant, dated within 3 months, appointing the future server
manager as
eligible to be server manager for the computer server which the server
certificate
must be issued. This warrant must be signed by a legal representative
of
the entity or the certificate agent and co-signed for acceptance by
the future server manager,
>> A request form that includes:
The information contained in the CSR (Certificate Signing Request, or
certificate signing request). The CSR is generated by the client on
the
server before being pasted on the forms
certificate application online.
>> A customer agreement signed and dated, or the reference of this
contract and the customer agreement relating thereto.
>> A customer's purchase order or an order of service partners
(depending on the billing).
The file also includes documents requested to verify the information
given on this application.
==============================
==============================
==============================
>> c) Certinomis confirms that the representative is who he claims to be as
>> follows.
>> When the subscriber creates an account on the Certinomis web site.
>> Certinomis uses the INSEE database to check the name and the activity of
>> the organization:
>> http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
>> For "1 étoile" level, the identity of the certificate subscriber is
>> verified by using the ID card and the extrait K-bis from the Trade
>> Registry.
>> For "2 étoiles" level, the identity of the certificate subscriber is
>> verified by a face-to-face in a post office.
> OV :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2...
> 3.2.2 Validation de l'identité d'un organisme
The RA verifies that the application contains the following parts:
• A warrant signed and dated within 3 months by a legal
representative
of the entity designating the certificate agent. This warrant must be
signed by
the certificate agent for acceptance
• A commitment signed and dated within 3 months of the certificate
agent, with HQ, to
perform properly and independently controls the records of
applicants,
• A commitment signed and dated within 3 months of the certificate
agent to report his
departure to EI entity,
• A formal identity document valid certificate agent with a photo ID
(such as national
identity card, passport or stay), which is presented to EI which
retains
a copy.
The RA verifies the photocopy of at least one official ID of the
recipient being validity with his photo and signature, preceded by
the
words "certified copy true to the original "dated less than three (3)
months from the date of filing of documents deemed to be the date in
the
postmark.
The RA maintains the documents received for registration of the
1.2.2 FRENCH COMPANIES
For the French organisms, the identification number is necessarily the
number SIREN or SIRET. The SIRET consisting of a code establishment.
It is useful for the businesses that would have several establishments
to record.
VERIFICATION AND SUPPORTING PIECE : original k-bis Extract delivered
less than three months before the reception of the file for treatment
to the RA.
hardcopy of the catalog SIRENE available on the site of the INSEE, to
this url: http://avis-situation-sirene.insee.fr/avisituV2/jsp/avis.jsp
1.2.3 FOREIGN COMPANIES
The recording of the foreign organisms, that do not have any number of
SIREN, can be done under different numbers. When it does not exist
any code ICD for the catalog from which is originating from this
number, it is not necessary that the identifying starts with 4
digits. If the identifying starts with 4 digits that could be
confused with an ICD, we will employ a code before.
Verification URLs:
http://ec.europa.eu/taxation_customs/vies/lang.do?fromWhichPage=vieshome&selectedLanguage=FR
http://www.dnb.com
http://kbo-bce-ps.economie.fgov.be/ps/kbo_ps/kbo_search.jsp?Action=SONT
https://www.rcsl.lu/mjrcs/webapp/data/mjrcs/static/informationsfaq.html#question_15
http://www.rci.gouv.mc/ . Code pays de Monaco : MC.
1.3 existence of the organism, legal representative and authorization
For the recorded corporations to the Register of the Commerce and
Corporations:
o the supporting piece is extracted it original k-bis delivered less
than three months before the reception of the file for treatment to
the RA
o if necessary, the internal delegations of strength to the
corporation. these delegations must be at least equivalent to, or
include the range of the strengths described by the card "proxy of the
legal representative" contained in any file of request of certificate
in the name of an organization.
o a copy of the status of the business, in course of validity,
carrying signature of its representatives
Administrations, local and groups territorial:
o for the legal elected representatives: copies minutes /
deliberations naming the Mayor, President etc. This copy will have to
include the seal the organism to record. If need be, the copies of
the deliberations of the counsels (municipal, regional) indicating the
name of the responsible elected official of a sector of which the
framework includes the ask electronic certi
ficates
o for the legal named representatives: the copy of the newspaper or
official bulletin testifying this nomination. This copy will have to
include the seal the organism to record
o if necessary, the internal delegations of strength to the organism.
these delegations must be at least equivalent to, or include the range
of the strengths described by the card "proxy of the legal
representative" contained in any file of request of certificate in the
name of an organization.
Associations:
o copies it minutes / deliberations naming or electing the president
of the association
o copies it statutes of the association.
o a verbal process of the general assembly carrying the signature of
its representatives
Craftsmen, liberal professions:
O A certificate of their order, room, or union, furnishing the proof
of belonging it person to this order, room or union.
For the recorded corporations in a register of the foreign commerce:
o lists it official dated back to the legal representative, copies
statutes, or any other document (following the country) likely to
prove the legal identity of his representative as well as the chain of
eventual mandates require.
o copies it card of recording or any certificate delivered by the
register of the foreign commerce. This copy will have to be signed
and certified conforms by the legal representative of the business, or
any person designated by him by mandate.
> ID card :
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2...
> 3.2.3.1 Enregistrement d'un individu
The identification of the future carrier (person) representing an
entity
requires, firstly, the identification of the entity and, secondly,
the
identification of the individual.
The identification of the entity is performed under the terms of
Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and
signature,
preceded by the words "certified true copy of the original", dated
within three (3 ) months from the date of filing of documents deemed
to
be the date in the postmark.
The RA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
> Face2Face:
> CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-016-PC-SERV-2E-SSL-1.2...
> 3.2.3.1 Enregistrement d'un individu
The identification of the future carrier (person) representing an
entity
requires, firstly, the identification of the entity and, secondly,
the
identification of the individual.
The identification of the entity is performed under the terms of
Article
3.2.2.
The RA verifies the photocopy of at least one piece of official
identification of valid recipient containing a photograph and
signature,
dated less than three (3) months from the date of filing of documents
deemed to be the date contained in the postmark.
The RA maintains the documents received for registration of the
beneficiary, examines the evidence and documents provided with
reasonable care and checks whether or not present the appearance of
compliance and validity.
The distribution of certificate can be made directly to the recipient
or the
certification agent.
· In the case of the beneficiary distribution, the RA verifies
face-to-face, that is to say in the presence of the beneficiary of an
original official identity of the beneficiary valid with photograph
and
signature.
· In the case of the certificate agent distribution, the RA
checks face to face is to say, in the presence of the certificate
agent,
an original piece of official identification certificate agent valid
with photograph and signature. Then the certificate agent must
distribute the
certificate in face-to-face to the beneficiary of the certificate.
Kathleen Wilson
> Here are some (corrected automatic) translations (so not perfect...)
>
Franck, Thank you for the translations.
All, Does this satisfy the questions that were raised about the steps
that Certinomis takes to verify information provided by the certificate
subscriber?
Are there any other comments or questions about this request from
Certinomis to add the �Certinomis - Autorit� Racine� root certificate,
and enable the websites trust bit?
Kathleen
Kathleen Wilson
> On 2/8/11 7:10 AM, Franck Leroy wrote:
>> Here are some (corrected automatic) translations (so not perfect...)
>>
>
> Franck, Thank you for the translations.
>
> All, Does this satisfy the questions that were raised about the steps
> that Certinomis takes to verify information provided by the certificate
> subscriber?
>
> Are there any other comments or questions about this request from
> and enable the websites trust bit?
>
> Kathleen
Does anyone need more time to review the translations?
If not, I will close this discussion and recommend approval in the bug.
Kathleen
Kathleen Wilson
> certificate and enable the websites trust bit.
>
> Certinomis is a commercial CA that delivers certificates to the general
> public in France, and is the Certificate Service Provider of "La Poste"
> the French Postal Service.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=545614
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#Certinomis
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=498137
>
Thank you to those of you who have reviewed and commented on this
request. Your contributions are greatly appreciated.
There are no remaining action items resulting from this discussion.
Therefore, I am closing this discussion, and I will recommend approval
for this request from Certinomis to add the “Certinomis - Autorité
Racine” root certificate and enable the websites trust bit.
All remaining follow-up should be posted in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=545614
Thanks,
Kathleen
Franck Leroy
The "telephone verification" from the PROC document has been inserted
into the CPS.
The updated CPS document is available at :
http://www.certinomis.com/publi/rgs/PR_AE_OpC_110075.pdf
See new chapters: 2.1.3.3 and 3.4.4
This is the same text, so the translation is the same :
> VERIFICATIONS TELEPHONIQUES
Best regards
Franck Leroy
Certinomis CTO
Kathleen Wilson
Franck,
It is somewhat confusing to try to compare this to the new text that was
added to the CPS. For instance, in a bullet above it says "He confirms
the addresses e-mail", while in the updated CPS it appears to say "He
confirms the FQDN". Also, I am having difficulty with the translations
of the additional text in 3.4.4.1 and 3.4.4.2 that is not provided above.
Please provide clear translations from the following sections of the
updated CPS: 2.1.3.3, 3.4.4, 3.4.4.1, and 3.4.4.2.
Kathleen
Kathleen Wilson
Also, based on your previous postings of translations to explain the
verification procedures, it looks to me like there is more information
that needs to be moved from the PROC to the CPS.
---
PROC: https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
2.1.1 JUSTIFICATIFS D’IDENTITE LORS DE LA DEMANDE
(typo on chapter number in the doc 1.1.1 written...)
The photocopies (both sides) of the following pieces are accepted
justifying the identity and of a person. These pieces must include the
photograph of their owner, duly signed by him, and including a photograph.
These pieces are used at the time of the certificate request to testify
existence of the people, on the other hand, at the time of the
face-to-face of the support (2 stars only).
2.1.1 Accepted documents to proove the identity:
+ Nationnal Id card
+ International Passport
+ Resident permit
+ Driving Licence (less than 10 years)
+ Administrative Id card
---
PROC: https://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_091216.pdf
--
Kathleen Wilson
All,
I have re-opened this discussion.
After I recommended approval in the bug, a French native speaker
reviewed the PROC document and asked a few questions.
https://bugzilla.mozilla.org/show_bug.cgi?id=545614#c21
I am now of the opinion that the PROC document may not be considered in
regards to inclusion of the “Certinomis - Autorité Racine” root
certificate. Therefore, all of the information that was used from the
PROC to answer questions in this discussion must be moved to the CP or CPS.
I have asked the representative of Certinomis to update the CP/CPS and
then provide the corresponding translations in this discussion. After
that I will leave this discussion open for another week for further
review. If there are no concerns about the updates, then I will
re-recommend approval in the bug.
Kathleen
Franck Leroy
sorry for the delay, a bit busy last few days...
> I have re-opened this discussion.
>
>
> I have asked the representative of Certinomis to update the CP/CPS and
> then provide the corresponding translations in this discussion.
Here are the translations of the added parts of the SSL CPS.
2.1.3.3 SSL Certificat
RA must verify :
• The link between the organization and the requested FQDN
• If necessary, ask complements
In order to verify the operator must phone to the technical contact to
validate the FQDN, by following the complementary process describe in
3.4.4
3.4.4 Phone Verifications
The goal of telephone verification procedure is to check:
• The provided contact works in the corporation that did the request.
• He agrees the certificate request
• He confirms the FQDN value
• He is authorized to do a certificate request, to receive it and to
install it.
This verification must be carried out by a strictly different person
of the person that carried out the preceding verifications.
3.4.4.1 Phone Verifications : reachable contact
The verification of the number of telephone can be done on the
following official sites: www.verif.com www.pagesjaunes.com
Or by the telephone services (118 008, 118 712, 118 000, 118 218
etc.).
If the number of seized telephone is a number of cellular telephone:
the technical contact must produce a right proof indicating the link
between this number and the corporation ( telephone bill with the
name
of the Organization for example).
At the time of the telephone call, the RA operator puts a number of
questions to validate the certificate request:
If you obtain all the responses to your questions, you can
validate
this step of verification and emit the certificate
If certain information are lacking or erroneous, you must
indicate to
the customer the elements to provide in order to rectify his
request.
There is a calling script in annex 2.2
Specific case (revocation request):
A specific phone check is done by the RA operator in case of
revocation request from FQDN administration contact.
In order not to revoke arbitrarily, the RA operator check the validity
of the revocation request by a phone call to the administraive contact
of the domain.
If the contact confirms the revocation request and give motivation
for, then the RA operator revokes the certificate.
3.4.4.2 Phone Verifications : UNreachable contact
The phone verification may failed :
• the person is unreachable
• the person has neither vocal messaging system nor personnal
assistant to deliver a message
• the contacted person is not the one who made the certificate request
• the technical contact is not granted to ask for certificate
In all cases, if you have to let a message, in order to be phone back,
dont forget to :
• tell the goal of the phone call
• tell that it is "urgent" (without phone call verification, the SSL
certificat will not be issued)
• let your information contact and to precise the opening hours of
certinomis office.
The maximum phone try to reach the person to do the phone
verifications is 3.
After 3 failed phone call, send an email. After 24H, the certificat
request is in stand-by (the certificate is not issued) until the
person call back.
There is a email template in annex.
>After
> that I will leave this discussion open for another week for further
> review. If there are no concerns about the updates, then I will
> re-recommend approval in the bug.
>
> Kathleen
Best regards
Franck Leroy
Certinomis CTO
Franck Leroy
I have attached 2 translation documents (CP and CPS) in the bug ;
https://bugzilla.mozilla.org/show_bug.cgi?id=545614#c21
There are only the translations of the discuted parts of those
documents.
You will be able to view the translated documents side-by-side
with the original documents to be assured they are the same, and you
will be
able to read directly through the English documents to get a firm
understanding of
the verification procedures. ;-)
Originals ones :
CP : http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2
CPS : http://www.certinomis.com/publi/rgs/PR_AE_OpC_110075.pdf
Kind regards
Franck Leroy
Certinomis CTO
Franck Leroy
The third and last document, also attached to bugzilla : PROC parts
translation (id validation process)
Original one :
http://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_110207.pdf
Kathleen Wilson
All,
Here is a summary of the actions that have been taken. This discussion
is still open, so please post questions and comments here.
The CPS has been updated, and the url of the RA Procedures document that
is referenced in the CPS has been provided. English translations of
sections of the CPS, CP (1 star), and the RA Procedures documents have
been attached to the bug.
CPS (French): http://www.certinomis.com/publi/rgs/PR_AE_OpC_110075.pdf
English Translations of Sections 2.1 and 3.4:
https://bugzilla.mozilla.org/attachment.cgi?id=517740
CP Serveur SSL 1 étoile (French):
http://www.certinomis.com/publi/rgs/DT-FL-0808-006-PC-SERV-1E-SSL-1.2.pdf
English Translation of Section 3.2:
https://bugzilla.mozilla.org/attachment.cgi?id=517725
RA Procedures Document – PROC (French):
http://www.certinomis.com/publi/rgs/FC_AE_OPC_JUSTIFS_110207.pdf
English Translations of Sections 1.2, 1.3, and 2:
https://bugzilla.mozilla.org/attachment.cgi?id=518021
In my original recommendation for approval
(https://bugzilla.mozilla.org/show_bug.cgi?id=545614#c20)
I made the following assertions to demonstrate that appropriate
public-facing and audited documentation is provided to meet the
requirements of sections 7 and 14 of the Mozilla CA Certificate Policy.
http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
I will indicate in {} where this information may be found in the
documents listed above.
* Section 7 [Validation]. Certinomis appears to meet the minimum
requirements for subscriber verification, as follows:
** For domain verification, WHOIS is used to check the link between FQDN
and Organisation Name.
{CPS 2.1.3.1}
Then the domain contact is notified (a phone call to the organization
main phone number and asking to talk to the domain contact) for checking
the domain name recording.
{CPS 2.1.3.3}
The domain contact is asked about the FQDN value in order to avoid
mistake on sub-domain value. During the phone call to the domain owner,
the RA ask if he agrees the certificate creation.
{CPS 3.4.4}
** After Certinomis confirms that the organization exists, then
Certinomis verifies that the applicant is authorized to represent the
organization in question. This is done by requiring national ID cards
and an authorization document signed by both the organization
representative and the certificate agent. The authorization document
contains the FQDN of the certificate and names the certificate manager
(the person who will receive the certificate). The certificate manager
must also provide a copy of the national ID card and another signed
document.
{CP 3.2.3.1. CP 3.2.3.2, and CP 3.2.3.3}
** Certinomis confirms that the representative is who he claims to be as
follows.
*** When the subscriber creates an account on the Certinomis web site.
Certinomis uses the INSEE database to check the name and the activity of
the organization:
http://avis-situation-sirene.insee.fr/avisitu/jsp/avis.jsp
{RA Procedures 1.2.2 -- In this chapter there is a tab, in the first
columns in front of the URL it is written: "MOYEN DE VERIFICATION ET
PIECE JUSTIFICATIVE" that means "verify means and justifying documents"
which means the RA must verify with this. The document called “3rd party
OV validation” which is attachment #498112 in the bug, describes how the
INSEE website is used to verify the SIREN.}
*** For "1 étoile" level, the identity of the certificate subscriber is
verified by using the ID card
{CP 3.2.3.2}
and the extract K-bis from the Trade Registry.
{CP 3.2.2; note that K-bis are printed on a specific paper (with
watermark) that cannot be photocopied.}
*** For "2 étoiles" level, the identity of the certificate subscriber is
verified by a face-to-face
{RA Procedures section 2}
Now that I believe all of the information that has been requested has
been provided, I will leave this discussion open for one more week. If
no further concerns are raised, then I will re-recommend approval in the
bug.
Kathleen
Kathleen Wilson
Thanks again to all of you who have reviewed and commented on this root
inclusion request from Certinomis.
I believe that all concerns that were raised during this discussion have
been addressed and the CPS documentation has been appropriately updated.
alwayshisf...@gmail.com
Ronald Crane
> How do I remove the cert root?
"view certificates". Select "authorities" tab. Now examine the list
until you find the certificate(s) you want to distrust, select them, and
click "delete or distrust" then "OK".
-R