Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
ACCV Request to include Renewed Root
474 views
Skip to first unread message
Kathleen Wilson
Apr 10, 2013, 2:37:26 PM4/10/13
to mozilla-dev-s...@lists.mozilla.org
ACCV has applied to add the �ACCVRAIZ1� root certificate and enable all
three trust bits. This root certificate will eventually replace the
�Root CA Generalitat Valenciana� root certificate that was included via
bug #274100.
The ACCV CA is operated by a government agency of Spain, and focuses its
activities mainly in Spain but is also collaborating in international
recognition of certificates. ACCV issues certificates for citizens for
their personal use and for its relations with the public administration
and business.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=811352
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#ACCV
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=727980
Noteworthy points:
* The primary documents are the CPS and CP for each certificate usage.
The CP documents are in Spanish, and the CPS has been translated into
English.
Document Repository:
http://www.accv.es/quienes-somos/practicas-y-politicas-de-certificacion/
CPS (EN):
http://www.accv.es/fileadmin/Archivos/Practicas_de_certificacion/ACCV-CPS-V3.0-EN.pdf
SSL CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-03V3.0-c.pdf
Code Signing CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-04V3.0-c.pdf
Qualified Certs CP for Public Employees:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-13V4.0-c.pdf
Qualified Certs CP for Citizens:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-07V5.0-c.pdf
The �ACCVRAIZ1� root certificate has signed two internally-operated
subordinate CA certificates, ACCVCA-110 and ACCVCA-120.
This request is to enable all three trust bits.
* Translation of SSL CP section 3.2.3: The authentication of the
identity of the requesting a certificate shall be made by the use of
recognized certificate of citizen or public employee of the ACCV to sign
the application server certificate with SSL support. The applicant must
also submit the necessary documentation to determine the ability of
represent the Public or private entity that owns the server that is
intended the certificate. This submission will be carried out using
telematic means that the ACCV available to users. The ACCV check both
data using for it the information available to personnel records and
domain, requiring the applicant or the Administration represented
clarifications or additional documents may be required. In case private
entities require authorization information from the applicant.
* Translation from SSL CP section 3.2.4 Checking the application domain
The ACCV verify that domains and addresses associated with the
certificate belong to the applicant by consulting the records assigned
by ICANN / IANA. This check will be made with using records WHOIS
queries enabled by the organization Red.es http://www.nic.es or
equivalent in national domains or those provided by Verisign for generic
domains (whois.verisigngrs. com) .
Besides WHOIS query connection will be tested by secure protocol (eg
HTTPS) with the domain in question if possible and test DNS response.
For any irregularity ACCV contact the applicant for the license and the
issuance of the certificate will be suspended until its cure. If this is
not remedied within the period of one month the application would be denied.
In the verification process, the information obtained from the WHOIS or
equivalent records was compared with that provided by the applicant,
sending personalized emails to technical and administrative contacts
obtained from both sources and if necessary to ensure that the data is
correct and that domain ownership is confirmed is make phone calls
asking for clarification.
* Snippets of Translations from Qualified Certs CP for Public Employees:
** Section 3.2.2: The license application defined in this policy is
limited Certification to public authorities or administrations with
which agreement has been established certification contract or some
other formula that implements the service by the ACCV.
** Section 3.2.3: The determination of the public employee status is the
responsibility of the Administration or Public entity applicant, which
shall check the condition of public employee, either in its database, if
it is updated, or by requesting the document by which the subscriber has
purchased This condition, if not any indication as to the Administration
or Public Entity applicant.
� The Autoritat of Certification of the Valencia only guarantee that the
email address stated on the certificate was provided by the
Administration or public entity that owns the subscriber in the upon
finalization of your application and / or shown as linked to subscriber
bases personal data of the Government or the Civil Service to which
belongs applicant.
* Civil servants certificates are issued from the official lists
supplied by the public administration concerned. These official lists
are drawn from selective processes with maximum guarantees (determine
who is a civil servant) and involve a process in person at the
registration point of administration. Public administration provides its
employees with email accounts for his work as a civil servant. These
email accounts are corporate and internally generated. The ACCV accepts
these mail accounts because they are imposed by the administration and
not by the user.
* Snippets of Translations from Qualified Certs CP for Citizens:
** Section 3.2.2 : The application for certificates associated to this
Certificate Policy is limited to public entities or administrations
which have established a certification agreement, contract or some other
formula that supports the ACCV service provision.
The public entity or administration identification process will be held
in the organization enrollment to be signed by an authorized
representative of the entity or administration.
** Section 3.2.3: The certificate applicant identity authentication will
be made in person while applying or during the certificate delivery.
Thus, Registration is delegated to the certificate issuing entity which
signed an agreement, contract or some other formula that supports the
ACCV service provision.
Presence of the civil servant to whom a certificate is issued will not
be required when his/her identity and civil servant status are already
recorded in the Personnel Registry of the Public or Corporate Entity or
Public Administration which the civil servant belongs to and where
his/her application is directed to.
The applicant public entity or administration has the entire
responsibility of determining the civil servant status. The public
entity or administration will check the public servant status in its
database if it is updated or by requesting a document where the
subscriber�s status is stated in case that the applicant public entity
or administration has not this record.
These certificates include the subscriber�s email address as a necessary
element to support digital signature and email encryption operations.
However, the Autoritat de Certificaci� de la Comunitat Valenciana does
not guarantee that this electronic address is linked to the certificate
subscriber, thus the confidence that this email is linked to the
certificate subscriber relates to the relying party only. The Autoritat
de Certificaci� de la Comunitat Valenciana just guarantees that the
email stated in the certificate was provided by the Administration or
Public Entity which the subscriber belonged to at the time that the
application was made and/or that this email is linked to the subscriber
in the Valencia Government or other Public Administration personnel data
base that the applicant belongs to.
** Section 4.1: This certificate request is responsibility of the Public
Entity or Administration which shall verify the certificate owner�s
civil servant status by checking their organization personnel registry.
* Translation of Code Signing CP section 3.2.3: The authentication of
the identity of the applicant for a certificate shall be made by the use
of recognized certificate of citizen or public employee of the ACCV to
sign the certificate request for code signing.
The applicant must also submit the necessary documentation to determine
the capacity of representing the public administration or private entity
on behalf of which, ultimately, is going to issue the certificate. This
Presentation is telematically using the means and Technology Agency of
Electronic Certification available to users.
Technology Agency of Electronic Certification and verify both data, the
ability to re-presentation of the applicant and the veracity of the data
of the company or organization, using information available from
personnel records, requiring the applicant or the Administration
represented the clarifications or additional documents may be required.
In case of private entities, will require information on the
authorization of the applicant and the information of the company
creating searchable in the appropriate register.
* EV Policy OID: Not requesting EV treatment.
* Root Cert URL
http://www.accv.es/fileadmin/Archivos/certificados/ACCVRAIZ1.crt
* Test Website: https://ulik2.accv.es/
* CRL
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
http://www.accv.es/fileadmin/Archivos/certificados/accvca110_der.crl
(NextUpdate: 3 days)
http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl
(NextUpdate: 3 days)
CPS section 4.9.9: ACCV shall publish a new CRL in its repository at
maximum intervals of 3 hours, even if there have been no modifications
to the CRL (changes to the status of certificates) during the
aforementioned period.
* OCSP: http://ocsp.accv.es
* Audit: ACCV is audited according to the WebTust CA criteria, and audit
statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1352
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** Delegation of validation to third parties.
*** CPS section 1.3.2: Bodies of the Autonomous Government of Valencia
as well as other entities can be Registration Authorities provided that
the corresponding collaboration agreement has been entered into. These
Registration Authorities are referred to as User Registration Points or
PRUs in the documentation relating to the Certification Authority of the
Community of Valencia, and they are entrusted with confirmation of the
requester�s identity and delivery of the certificate.
*** CPS section 5.2.1.7: Auditor� must verify all aspects mentioned in
the security policy, copies policies, certification practices,
Certification Policies, etc. in the group of ACCV systems and within the
ACCV personnel, as well as in the PRUs.
*** CPS section 9.6.2: The persons that operate in the RAs integrated
into the hierarchy of the ACCV � User Registration Point Operators � are
obliged to:
* Carry out their operations in accordance with this CPS.
* Carry out their operations in accordance with the Certification Policy
that is applicable for the type of certificate requested on each occasion.
* Exhaustively verify the identity of the persons granted the digital
certificate processed by the Operators, for which purpose they will
require the physical presence of the requester and the presentation of
their current National ID Card (not a photocopy), or a Spanish passport.
Non-Spanish users must present a Residence Card/Foreigner�s ID Card.
This begins the discussion of the request from ACCV to add the
�ACCVRAIZ1� root certificate and enable all three trust bits. At the
conclusion of this discussion I will provide a summary of issues noted
and action items. If there are outstanding issues, then an additional
discussion may be needed as follow-up. If there are no outstanding
issues, then I will recommend approval of this request in the bug.
Kathleen
three trust bits. This root certificate will eventually replace the
�Root CA Generalitat Valenciana� root certificate that was included via
bug #274100.
The ACCV CA is operated by a government agency of Spain, and focuses its
activities mainly in Spain but is also collaborating in international
recognition of certificates. ACCV issues certificates for citizens for
their personal use and for its relations with the public administration
and business.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=811352
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#ACCV
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=727980
Noteworthy points:
* The primary documents are the CPS and CP for each certificate usage.
The CP documents are in Spanish, and the CPS has been translated into
English.
Document Repository:
http://www.accv.es/quienes-somos/practicas-y-politicas-de-certificacion/
CPS (EN):
http://www.accv.es/fileadmin/Archivos/Practicas_de_certificacion/ACCV-CPS-V3.0-EN.pdf
SSL CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-03V3.0-c.pdf
Code Signing CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-04V3.0-c.pdf
Qualified Certs CP for Public Employees:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-13V4.0-c.pdf
Qualified Certs CP for Citizens:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-07V5.0-c.pdf
The �ACCVRAIZ1� root certificate has signed two internally-operated
subordinate CA certificates, ACCVCA-110 and ACCVCA-120.
This request is to enable all three trust bits.
* Translation of SSL CP section 3.2.3: The authentication of the
identity of the requesting a certificate shall be made by the use of
recognized certificate of citizen or public employee of the ACCV to sign
the application server certificate with SSL support. The applicant must
also submit the necessary documentation to determine the ability of
represent the Public or private entity that owns the server that is
intended the certificate. This submission will be carried out using
telematic means that the ACCV available to users. The ACCV check both
data using for it the information available to personnel records and
domain, requiring the applicant or the Administration represented
clarifications or additional documents may be required. In case private
entities require authorization information from the applicant.
* Translation from SSL CP section 3.2.4 Checking the application domain
The ACCV verify that domains and addresses associated with the
certificate belong to the applicant by consulting the records assigned
by ICANN / IANA. This check will be made with using records WHOIS
queries enabled by the organization Red.es http://www.nic.es or
equivalent in national domains or those provided by Verisign for generic
domains (whois.verisigngrs. com) .
Besides WHOIS query connection will be tested by secure protocol (eg
HTTPS) with the domain in question if possible and test DNS response.
For any irregularity ACCV contact the applicant for the license and the
issuance of the certificate will be suspended until its cure. If this is
not remedied within the period of one month the application would be denied.
In the verification process, the information obtained from the WHOIS or
equivalent records was compared with that provided by the applicant,
sending personalized emails to technical and administrative contacts
obtained from both sources and if necessary to ensure that the data is
correct and that domain ownership is confirmed is make phone calls
asking for clarification.
* Snippets of Translations from Qualified Certs CP for Public Employees:
** Section 3.2.2: The license application defined in this policy is
limited Certification to public authorities or administrations with
which agreement has been established certification contract or some
other formula that implements the service by the ACCV.
** Section 3.2.3: The determination of the public employee status is the
responsibility of the Administration or Public entity applicant, which
shall check the condition of public employee, either in its database, if
it is updated, or by requesting the document by which the subscriber has
purchased This condition, if not any indication as to the Administration
or Public Entity applicant.
� The Autoritat of Certification of the Valencia only guarantee that the
email address stated on the certificate was provided by the
Administration or public entity that owns the subscriber in the upon
finalization of your application and / or shown as linked to subscriber
bases personal data of the Government or the Civil Service to which
belongs applicant.
* Civil servants certificates are issued from the official lists
supplied by the public administration concerned. These official lists
are drawn from selective processes with maximum guarantees (determine
who is a civil servant) and involve a process in person at the
registration point of administration. Public administration provides its
employees with email accounts for his work as a civil servant. These
email accounts are corporate and internally generated. The ACCV accepts
these mail accounts because they are imposed by the administration and
not by the user.
* Snippets of Translations from Qualified Certs CP for Citizens:
** Section 3.2.2 : The application for certificates associated to this
Certificate Policy is limited to public entities or administrations
which have established a certification agreement, contract or some other
formula that supports the ACCV service provision.
The public entity or administration identification process will be held
in the organization enrollment to be signed by an authorized
representative of the entity or administration.
** Section 3.2.3: The certificate applicant identity authentication will
be made in person while applying or during the certificate delivery.
Thus, Registration is delegated to the certificate issuing entity which
signed an agreement, contract or some other formula that supports the
ACCV service provision.
Presence of the civil servant to whom a certificate is issued will not
be required when his/her identity and civil servant status are already
recorded in the Personnel Registry of the Public or Corporate Entity or
Public Administration which the civil servant belongs to and where
his/her application is directed to.
The applicant public entity or administration has the entire
responsibility of determining the civil servant status. The public
entity or administration will check the public servant status in its
database if it is updated or by requesting a document where the
subscriber�s status is stated in case that the applicant public entity
or administration has not this record.
These certificates include the subscriber�s email address as a necessary
element to support digital signature and email encryption operations.
However, the Autoritat de Certificaci� de la Comunitat Valenciana does
not guarantee that this electronic address is linked to the certificate
subscriber, thus the confidence that this email is linked to the
certificate subscriber relates to the relying party only. The Autoritat
de Certificaci� de la Comunitat Valenciana just guarantees that the
email stated in the certificate was provided by the Administration or
Public Entity which the subscriber belonged to at the time that the
application was made and/or that this email is linked to the subscriber
in the Valencia Government or other Public Administration personnel data
base that the applicant belongs to.
** Section 4.1: This certificate request is responsibility of the Public
Entity or Administration which shall verify the certificate owner�s
civil servant status by checking their organization personnel registry.
* Translation of Code Signing CP section 3.2.3: The authentication of
the identity of the applicant for a certificate shall be made by the use
of recognized certificate of citizen or public employee of the ACCV to
sign the certificate request for code signing.
The applicant must also submit the necessary documentation to determine
the capacity of representing the public administration or private entity
on behalf of which, ultimately, is going to issue the certificate. This
Presentation is telematically using the means and Technology Agency of
Electronic Certification available to users.
Technology Agency of Electronic Certification and verify both data, the
ability to re-presentation of the applicant and the veracity of the data
of the company or organization, using information available from
personnel records, requiring the applicant or the Administration
represented the clarifications or additional documents may be required.
In case of private entities, will require information on the
authorization of the applicant and the information of the company
creating searchable in the appropriate register.
* EV Policy OID: Not requesting EV treatment.
* Root Cert URL
http://www.accv.es/fileadmin/Archivos/certificados/ACCVRAIZ1.crt
* Test Website: https://ulik2.accv.es/
* CRL
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
http://www.accv.es/fileadmin/Archivos/certificados/accvca110_der.crl
(NextUpdate: 3 days)
http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl
(NextUpdate: 3 days)
CPS section 4.9.9: ACCV shall publish a new CRL in its repository at
maximum intervals of 3 hours, even if there have been no modifications
to the CRL (changes to the status of certificates) during the
aforementioned period.
* OCSP: http://ocsp.accv.es
* Audit: ACCV is audited according to the WebTust CA criteria, and audit
statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1352
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** Delegation of validation to third parties.
*** CPS section 1.3.2: Bodies of the Autonomous Government of Valencia
as well as other entities can be Registration Authorities provided that
the corresponding collaboration agreement has been entered into. These
Registration Authorities are referred to as User Registration Points or
PRUs in the documentation relating to the Certification Authority of the
Community of Valencia, and they are entrusted with confirmation of the
requester�s identity and delivery of the certificate.
*** CPS section 5.2.1.7: Auditor� must verify all aspects mentioned in
the security policy, copies policies, certification practices,
Certification Policies, etc. in the group of ACCV systems and within the
ACCV personnel, as well as in the PRUs.
*** CPS section 9.6.2: The persons that operate in the RAs integrated
into the hierarchy of the ACCV � User Registration Point Operators � are
obliged to:
* Carry out their operations in accordance with this CPS.
* Carry out their operations in accordance with the Certification Policy
that is applicable for the type of certificate requested on each occasion.
* Exhaustively verify the identity of the persons granted the digital
certificate processed by the Operators, for which purpose they will
require the physical presence of the requester and the presentation of
their current National ID Card (not a photocopy), or a Spanish passport.
Non-Spanish users must present a Residence Card/Foreigner�s ID Card.
This begins the discussion of the request from ACCV to add the
�ACCVRAIZ1� root certificate and enable all three trust bits. At the
conclusion of this discussion I will provide a summary of issues noted
and action items. If there are outstanding issues, then an additional
discussion may be needed as follow-up. If there are no outstanding
issues, then I will recommend approval of this request in the bug.
Kathleen
Kathleen Wilson
Apr 23, 2013, 8:03:43 PM4/23/13
to mozilla-dev-s...@lists.mozilla.org
On 4/10/13 11:37 AM, Kathleen Wilson wrote:
> ACCV has applied to add the �ACCVRAIZ1� root certificate and enable all
> three trust bits. This root certificate will eventually replace the
> �Root CA Generalitat Valenciana� root certificate that was included via
> bug #274100.
>
> The ACCV CA is operated by a government agency of Spain, and focuses its
> activities mainly in Spain but is also collaborating in international
> recognition of certificates. ACCV issues certificates for citizens for
> their personal use and for its relations with the public administration
> and business.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=811352
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#ACCV
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=727980
>
Are there any questions or comments about this request?
> ACCV has applied to add the �ACCVRAIZ1� root certificate and enable all
> three trust bits. This root certificate will eventually replace the
> �Root CA Generalitat Valenciana� root certificate that was included via
> bug #274100.
>
> The ACCV CA is operated by a government agency of Spain, and focuses its
> activities mainly in Spain but is also collaborating in international
> recognition of certificates. ACCV issues certificates for citizens for
> their personal use and for its relations with the public administration
> and business.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=811352
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#ACCV
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=727980
>
Thanks,
Kathleen
Erwann Abalea
Apr 24, 2013, 5:13:10 AM4/24/13
to
Le mercredi 10 avril 2013 20:37:26 UTC+2, Kathleen Wilson a écrit :
[...]
> * OCSP: http://ocsp.accv.es
I get a 404 when interrogating the OCSP responder using the GET method.
[...]
> * OCSP: http://ocsp.accv.es
I get a 404 when interrogating the OCSP responder using the GET method.
Jose Manuel Torres
Apr 24, 2013, 6:06:09 AM4/24/13
to mozilla-dev-s...@lists.mozilla.org
Hi !
Since the request is to enable all three trust bits, how it's performed
email validation in order to meet the Mozilla CA Certificate Inclusion
Policy's requirements?
At point 7 of that document it's said "for a certificate to be used for
digitally signing or encrypting email messages, the CA takes reasonable
measures to verify that the entity submitting the request controls the
email account associated with the email address referenced in the
certificate or has been authorized by the email account holder to act on
the account holder's behalf;"
IMHO It's not clear how ACCV meets this requirement on certificates of type
"Qualified Certs CP for Public Employees" and "Qualified Certs CP for
Citizens"
Thanks,
Jose
2013/4/24 Kathleen Wilson <kwi...@mozilla.com>
> On 4/10/13 11:37 AM, Kathleen Wilson wrote:
>
>> ACCV has applied to add the “ACCVRAIZ1” root certificate and enable all
> dev-security-policy mailing list
> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>
Since the request is to enable all three trust bits, how it's performed
email validation in order to meet the Mozilla CA Certificate Inclusion
Policy's requirements?
At point 7 of that document it's said "for a certificate to be used for
digitally signing or encrypting email messages, the CA takes reasonable
measures to verify that the entity submitting the request controls the
email account associated with the email address referenced in the
certificate or has been authorized by the email account holder to act on
the account holder's behalf;"
IMHO It's not clear how ACCV meets this requirement on certificates of type
"Qualified Certs CP for Public Employees" and "Qualified Certs CP for
Citizens"
Thanks,
Jose
2013/4/24 Kathleen Wilson <kwi...@mozilla.com>
> On 4/10/13 11:37 AM, Kathleen Wilson wrote:
>
>> three trust bits. This root certificate will eventually replace the
>> “Root CA Generalitat Valenciana” root certificate that was included via
>> bug #274100.
>>
>> The ACCV CA is operated by a government agency of Spain, and focuses its
>> activities mainly in Spain but is also collaborating in international
>> recognition of certificates. ACCV issues certificates for citizens for
>> their personal use and for its relations with the public administration
>> and business.
>>
>> The request is documented in the following bug:
>> https://bugzilla.mozilla.org/**show_bug.cgi?id=811352<https://bugzilla.mozilla.org/show_bug.cgi?id=811352>
>>
>> The ACCV CA is operated by a government agency of Spain, and focuses its
>> activities mainly in Spain but is also collaborating in international
>> recognition of certificates. ACCV issues certificates for citizens for
>> their personal use and for its relations with the public administration
>> and business.
>>
>> The request is documented in the following bug:
>>
>> And in the pending certificates list here:
>> http://www.mozilla.org/**projects/security/certs/**pending/#ACCV<http://www.mozilla.org/projects/security/certs/pending/#ACCV>
>> And in the pending certificates list here:
>>
>> Summary of Information Gathered and Verified:
>> https://bugzilla.mozilla.org/**attachment.cgi?id=727980<https://bugzilla.mozilla.org/attachment.cgi?id=727980>
>> Summary of Information Gathered and Verified:
>>
>>
>
> Are there any questions or comments about this request?
>
> Thanks,
> Kathleen
>
>
> ______________________________**_________________
>>
>
> Are there any questions or comments about this request?
>
> Thanks,
> Kathleen
>
>
> dev-security-policy mailing list
> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>
Erwann Abalea
Apr 24, 2013, 6:12:48 AM4/24/13
to
Here's a copy of the reply I received:
-----
The server we are using does not have GET activated because no one was using. All applications using POST.
if testing with the browser directly, you can see how it responds
"Note: You cannot get an OCSP-response via the GET Method! "
As I was saying, nobody is using by GET, always POST.
What is the OCSP client are you using to make the request using GET and which URL you're using? It is a commercial application?
-----
José, only Mozilla uses POST requests. All the other browsers use GET requests (think of IE, Opera, Safari, Chrome under Windows, ...). And the switch from POST to GET for Mozilla is a wanted feature.
CABForum BR version 1.1.3 make the support of GET requests mandatory from 2013-01-01.
José Amador Garcia
Apr 24, 2013, 7:19:28 AM4/24/13
to Jose Manuel Torres, mozilla-dev-s...@lists.mozilla.org
Hi Jose Manuel,
In all cases the final step involves the sending of an email to the address supplied. The user should follow the link provided in that email.
This email is the one reported in the register face to face and is listed in the user contract signed at the time.If any error is detected in the data, the entire process would be canceled.
In the case of public employees also the company supplies the email address associated with that employee (working email)so that adds an additional check.
Thank you very much.
Regards Jos� Antonio
El 24/04/2013 12:06, Jose Manuel Torres escribi�:
> Citizens"
>
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
--
ACCV
In all cases the final step involves the sending of an email to the address supplied. The user should follow the link provided in that email.
This email is the one reported in the register face to face and is listed in the user contract signed at the time.If any error is detected in the data, the entire process would be canceled.
In the case of public employees also the company supplies the email address associated with that employee (working email)so that adds an additional check.
Thank you very much.
Regards Jos� Antonio
El 24/04/2013 12:06, Jose Manuel Torres escribi�:
> Hi !
>
> Since the request is to enable all three trust bits, how it's performed
> email validation in order to meet the Mozilla CA Certificate Inclusion
> Policy's requirements?
>
> At point 7 of that document it's said "for a certificate to be used for
> digitally signing or encrypting email messages, the CA takes reasonable
> measures to verify that the entity submitting the request controls the
> email account associated with the email address referenced in the
> certificate or has been authorized by the email account holder to act on
> the account holder's behalf;"
>
> IMHO It's not clear how ACCV meets this requirement on certificates of type
> "Qualified Certs CP for Public Employees" and "Qualified Certs CP for
>
> Since the request is to enable all three trust bits, how it's performed
> email validation in order to meet the Mozilla CA Certificate Inclusion
> Policy's requirements?
>
> At point 7 of that document it's said "for a certificate to be used for
> digitally signing or encrypting email messages, the CA takes reasonable
> measures to verify that the entity submitting the request controls the
> email account associated with the email address referenced in the
> certificate or has been authorized by the email account holder to act on
> the account holder's behalf;"
>
> IMHO It's not clear how ACCV meets this requirement on certificates of type
> Citizens"
>
> Thanks,
> Jose
>
> 2013/4/24 Kathleen Wilson <kwi...@mozilla.com>
>
>> On 4/10/13 11:37 AM, Kathleen Wilson wrote:
>>
> Jose
>
> 2013/4/24 Kathleen Wilson <kwi...@mozilla.com>
>
>> On 4/10/13 11:37 AM, Kathleen Wilson wrote:
>>
>>> ACCV has applied to add the �ACCVRAIZ1� root certificate and enable all
>>> three trust bits. This root certificate will eventually replace the
>>> �Root CA Generalitat Valenciana� root certificate that was included via
>>> bug #274100.
>>>
>>> The ACCV CA is operated by a government agency of Spain, and focuses its
>>> activities mainly in Spain but is also collaborating in international
>>> recognition of certificates. ACCV issues certificates for citizens for
>>> their personal use and for its relations with the public administration
>>> and business.
>>>
>>> The request is documented in the following bug:
>>> https://bugzilla.mozilla.org/**show_bug.cgi?id=811352<https://bugzilla.mozilla.org/show_bug.cgi?id=811352>
>>> three trust bits. This root certificate will eventually replace the
>>> �Root CA Generalitat Valenciana� root certificate that was included via
>>> bug #274100.
>>>
>>> The ACCV CA is operated by a government agency of Spain, and focuses its
>>> activities mainly in Spain but is also collaborating in international
>>> recognition of certificates. ACCV issues certificates for citizens for
>>> their personal use and for its relations with the public administration
>>> and business.
>>>
>>> The request is documented in the following bug:
>>>
>>> And in the pending certificates list here:
>>> http://www.mozilla.org/**projects/security/certs/**pending/#ACCV<http://www.mozilla.org/projects/security/certs/pending/#ACCV>
>>> And in the pending certificates list here:
>>>
>>> Summary of Information Gathered and Verified:
>>> Summary of Information Gathered and Verified:
>>> https://bugzilla.mozilla.org/**attachment.cgi?id=727980<https://bugzilla.mozilla.org/attachment.cgi?id=727980>
>>>
>>>
>> Are there any questions or comments about this request?
>>
>> Thanks,
>> Kathleen
>>
>>
>> ______________________________**_________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
>> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>>
> _______________________________________________
>>>
>>>
>> Are there any questions or comments about this request?
>>
>> Thanks,
>> Kathleen
>>
>>
>> ______________________________**_________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.**mozilla.org<dev-secur...@lists.mozilla.org>
>> https://lists.mozilla.org/**listinfo/dev-security-policy<https://lists.mozilla.org/listinfo/dev-security-policy>
>>
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
--
ACCV
José Amador Garcia
Apr 24, 2013, 5:54:42 AM4/24/13
to Erwann Abalea, dev-secur...@lists.mozilla.org
Hi Erwann,
The server we are using does not have GET activated because no one was
using. All applications using POST.
if testing with the browser directly, you can see how it responds
"Note: You cannot get an OCSP-response via the GET Method! "
As I was saying, nobody is using by GET, always POST.
What is the OCSP client are you using to make the requestusing GET and
Best regards Jose Antonio
PD: The previous post pending moderation can be removed. Do not add
anything. Just took a picture of the server's response.
El 24/04/2013 11:13, Erwann Abalea escribi�:
> Le mercredi 10 avril 2013 20:37:26 UTC+2, Kathleen Wilson a �crit :
*Jos� Antonio Amador Garc�a
*
*Responsable de Sistemas y Desarrollo
*
Pl. C�novas del Castillo, 1 5� Planta - 46005 Valencia
jam...@accv.es <mailto:jam...@accv.es>
Tel: 961 923 161
_______________________ AVISO LEGAL ______________________________
Este correo electr�nico procede de la Agencia de Tecnolog�a y Certificaci�n Electr�nica,
Pl. de C�novas del Castillo, 1. 46005 Valencia; www.accv.es. Este correo electr�nico
y cualquier documento adjunto pueden contener informaci�n confidencial/propiedad
intelectual/copyright, siendo su contenido de uso exclusivo para sus destinatarios.
Queda prohibida su copia, remisi�n, revelaci�n, grabaci�n o cualquier otro uso si usted
no es el destinatario o responsable de la entrega. Si recibe este mensaje por error,
por favor, comun�queselo al remitente y elimine el mensaje inmediatamente. Cualquier
correo electr�nico es susceptible de modificaci�n y su integridad no puede ser
garantizada, a menos que sea firmado electr�nicamente. La Agencia de Tecnolog�a y
Certificaci�n Electr�nica no ser� responsable si el mensaje fuera alterado, modificado,
falsificado o incluso corregido.
_______________________ AV�S LEGAL ______________________________
Aquest correu electr�nic procedeix de la Agencia de Tecnolog�a y Certificaci�n
Electr�nica, Pl. de C�novas del Castillo, 1. 46005 Val�ncia; www.accv.es. Aquest correu
electr�nic i qualsevol document adjunt poden contenir informaci� confidencial/propietat
intel�lectual/copyright, sent el seu contingut d'�s exclusiu per als seus destinataris.
Queda prohibida la seua c�pia, remissi�, revelaci�, enregistrament o qualsevol altre �s
si vost� no �s el destinatari o responsable del lliurament. Si rep aquest missatge per
error, per favor, comuniqui-li-ho al remitent i elimine el missatge immediatament.
Qualsevol correu electr�nic �s susceptible de modificaci� i la seva integritat no pot
ser garantida, tret que siga signat electr�nicament. La Agencia de Tecnolog�a y
Certificaci�n Electr�nica no ser� responsable si el missatge fos alterat, modificat,
falsificat o fins i tot corregit.
______________________ DISCLAIMER ________________________________
This email originates from Agencia de Tecnolog�a y Certificaci�n Electr�nica, Pl. de
C�novas del Castillo, 1. 46005 Valencia; www.accv.es. This email and any attachments may
contain confidential/intellectual property/copyright information and is only for the use
of the addressee(s). You are prohibited from copying, forwarding, disclosing, saving or
otherwise using it in any way if you are not the addressee(s) or responsible for
delivery.If you receive this email by mistake, please advise the sender and cancel it
immediately. Any email is susceptible to alteration and its integrity cannot be assured,
unless it is electronically signed. Agencia de Tecnolog�a y Certificaci�n Electr�nica
shall not be liable if the message is altered, modified, falsified, or even edited.
The server we are using does not have GET activated because no one was
using. All applications using POST.
if testing with the browser directly, you can see how it responds
"Note: You cannot get an OCSP-response via the GET Method! "
As I was saying, nobody is using by GET, always POST.
which URL you're using? It is a commercial application?
Thank you very much.
Best regards Jose Antonio
PD: The previous post pending moderation can be removed. Do not add
anything. Just took a picture of the server's response.
El 24/04/2013 11:13, Erwann Abalea escribi�:
> Le mercredi 10 avril 2013 20:37:26 UTC+2, Kathleen Wilson a �crit :
> [...]
>> * Test Website: https://ulik2.accv.es/
>>
>> * OCSP: http://ocsp.accv.es
> I get a 404 when interrogating the OCSP responder using the GET method.
>> * Test Website: https://ulik2.accv.es/
>>
>> * OCSP: http://ocsp.accv.es
> I get a 404 when interrogating the OCSP responder using the GET method.
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
--
ACCV
Agencia de Tecnolog�a y Certificaci�n Electr�nica <http://www.accv.es>
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
--
ACCV
*Jos� Antonio Amador Garc�a
*
*Responsable de Sistemas y Desarrollo
*
Pl. C�novas del Castillo, 1 5� Planta - 46005 Valencia
jam...@accv.es <mailto:jam...@accv.es>
Tel: 961 923 161
_______________________ AVISO LEGAL ______________________________
Este correo electr�nico procede de la Agencia de Tecnolog�a y Certificaci�n Electr�nica,
Pl. de C�novas del Castillo, 1. 46005 Valencia; www.accv.es. Este correo electr�nico
y cualquier documento adjunto pueden contener informaci�n confidencial/propiedad
intelectual/copyright, siendo su contenido de uso exclusivo para sus destinatarios.
Queda prohibida su copia, remisi�n, revelaci�n, grabaci�n o cualquier otro uso si usted
no es el destinatario o responsable de la entrega. Si recibe este mensaje por error,
por favor, comun�queselo al remitente y elimine el mensaje inmediatamente. Cualquier
correo electr�nico es susceptible de modificaci�n y su integridad no puede ser
garantizada, a menos que sea firmado electr�nicamente. La Agencia de Tecnolog�a y
Certificaci�n Electr�nica no ser� responsable si el mensaje fuera alterado, modificado,
falsificado o incluso corregido.
_______________________ AV�S LEGAL ______________________________
Aquest correu electr�nic procedeix de la Agencia de Tecnolog�a y Certificaci�n
Electr�nica, Pl. de C�novas del Castillo, 1. 46005 Val�ncia; www.accv.es. Aquest correu
electr�nic i qualsevol document adjunt poden contenir informaci� confidencial/propietat
intel�lectual/copyright, sent el seu contingut d'�s exclusiu per als seus destinataris.
Queda prohibida la seua c�pia, remissi�, revelaci�, enregistrament o qualsevol altre �s
si vost� no �s el destinatari o responsable del lliurament. Si rep aquest missatge per
error, per favor, comuniqui-li-ho al remitent i elimine el missatge immediatament.
Qualsevol correu electr�nic �s susceptible de modificaci� i la seva integritat no pot
ser garantida, tret que siga signat electr�nicament. La Agencia de Tecnolog�a y
Certificaci�n Electr�nica no ser� responsable si el missatge fos alterat, modificat,
falsificat o fins i tot corregit.
______________________ DISCLAIMER ________________________________
This email originates from Agencia de Tecnolog�a y Certificaci�n Electr�nica, Pl. de
C�novas del Castillo, 1. 46005 Valencia; www.accv.es. This email and any attachments may
contain confidential/intellectual property/copyright information and is only for the use
of the addressee(s). You are prohibited from copying, forwarding, disclosing, saving or
otherwise using it in any way if you are not the addressee(s) or responsible for
delivery.If you receive this email by mistake, please advise the sender and cancel it
immediately. Any email is susceptible to alteration and its integrity cannot be assured,
unless it is electronically signed. Agencia de Tecnolog�a y Certificaci�n Electr�nica
shall not be liable if the message is altered, modified, falsified, or even edited.
José Amador Garcia
Apr 25, 2013, 10:10:30 AM4/25/13
to Erwann Abalea, dev-secur...@lists.mozilla.org
Hi Erwann,
Ok. No problem. We have activated the GET requests. Can you try again?We
had turned off to save resources by not taking requests.
After what you've said we will leave active support for GET requests always.
Thank you very much.
Best regards Jose Antonio.
El 24/04/2013 12:12, Erwann Abalea escribi�:
> Le mercredi 24 avril 2013 11:13:10 UTC+2, Erwann Abalea a �crit :
>> Le mercredi 10 avril 2013 20:37:26 UTC+2, Kathleen Wilson a �crit :
Ok. No problem. We have activated the GET requests. Can you try again?We
had turned off to save resources by not taking requests.
After what you've said we will leave active support for GET requests always.
Thank you very much.
Best regards Jose Antonio.
El 24/04/2013 12:12, Erwann Abalea escribi�:
> Le mercredi 24 avril 2013 11:13:10 UTC+2, Erwann Abalea a �crit :
>> Le mercredi 10 avril 2013 20:37:26 UTC+2, Kathleen Wilson a �crit :
>> [...]
>>> * Test Website:https://ulik2.accv.es/
>>>
>>> * OCSP:http://ocsp.accv.es
>> I get a 404 when interrogating the OCSP responder using the GET method.
> It seems Jos� Amador Garcia from ACCV has problems replying to the list (moderation pending).
>>> * Test Website:https://ulik2.accv.es/
>>>
>>> * OCSP:http://ocsp.accv.es
>> I get a 404 when interrogating the OCSP responder using the GET method.
>
> Here's a copy of the reply I received:
> -----
> The server we are using does not have GET activated because no one was using. All applications using POST.
>
> if testing with the browser directly, you can see how it responds
>
>
> "Note: You cannot get an OCSP-response via the GET Method!"
>
>
> As I was saying, nobody is using by GET, always POST.
>
> What is the OCSP client are you using to make the request using GET and which URL you're using? It is a commercial application?
> -----
>
> Jos�, only Mozilla uses POST requests. All the other browsers use GET requests (think of IE, Opera, Safari, Chrome under Windows, ...). And the switch from POST to GET for Mozilla is a wanted feature.
> Here's a copy of the reply I received:
> -----
> The server we are using does not have GET activated because no one was using. All applications using POST.
>
> if testing with the browser directly, you can see how it responds
>
>
> "Note: You cannot get an OCSP-response via the GET Method!"
>
>
> As I was saying, nobody is using by GET, always POST.
>
> What is the OCSP client are you using to make the request using GET and which URL you're using? It is a commercial application?
> -----
>
>
> CABForum BR version 1.1.3 make the support of GET requests mandatory from 2013-01-01.
> CABForum BR version 1.1.3 make the support of GET requests mandatory from 2013-01-01.
Erwann Abalea
Apr 25, 2013, 12:45:38 PM4/25/13
to
Le jeudi 25 avril 2013 16:10:30 UTC+2, Jose Amador a écrit :
> Ok. No problem. We have activated the GET requests. Can you try again?We
> had turned off to save resources by not taking requests.
>
> After what you've said we will leave active support for GET requests always.
It now works.
> Ok. No problem. We have activated the GET requests. Can you try again?We
> had turned off to save resources by not taking requests.
>
> After what you've said we will leave active support for GET requests always.
Kathleen Wilson
Apr 26, 2013, 9:05:34 PM4/26/13
to mozilla-dev-s...@lists.mozilla.org
On 4/24/13 4:19 AM, Jos� Amador Garcia wrote:
> Hi Jose Manuel,
>
> In all cases the final step involves the sending of an email to the
> address supplied. The user should follow the link provided in that
> email. This email is the one reported in the register face to face
> and is listed in the user contract signed at the time.If any
> error is detected in the data, the entire process would be canceled.
>
Is there information in the email that is unique to each recipient, so
> Hi Jose Manuel,
>
> In all cases the final step involves the sending of an email to the
> address supplied. The user should follow the link provided in that
> email. This email is the one reported in the register face to face
> and is listed in the user contract signed at the time.If any
> error is detected in the data, the entire process would be canceled.
>
that it could not be easily replicated by someone who did not control
that email address?
Kathleen
José Antonio Amador García
Apr 27, 2013, 4:45:12 AM4/27/13
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Hi Kathleen,
Yes, the emailis associated with a code of 25 characters that is
delivered in the certification contract, which the user signs. This code
is unique per request.
Regards.
El 27/04/2013 3:05, Kathleen Wilson escribi�:
Yes, the emailis associated with a code of 25 characters that is
delivered in the certification contract, which the user signs. This code
is unique per request.
Regards.
El 27/04/2013 3:05, Kathleen Wilson escribi�:
> On 4/24/13 4:19 AM, Jos� Amador Garcia wrote:
>> Hi Jose Manuel,
>>
>> In all cases the final step involves the sending of an email to the
>> address supplied. The user should follow the link provided in that
>> email. This email is the one reported in the register face to face
>> and is listed in the user contract signed at the time.If any
>> error is detected in the data, the entire process would be canceled.
>>
>
>
>>
>> In all cases the final step involves the sending of an email to the
>> address supplied. The user should follow the link provided in that
>> email. This email is the one reported in the register face to face
>> and is listed in the user contract signed at the time.If any
>> error is detected in the data, the entire process would be canceled.
>>
>
>
> Is there information in the email that is unique to each recipient, so
> that it could not be easily replicated by someone who did not control
> that email address?
>
>
> Kathleen
>
> that it could not be easily replicated by someone who did not control
> that email address?
>
>
> Kathleen
>
Kathleen Wilson
May 1, 2013, 5:05:07 PM5/1/13
to mozilla-dev-s...@lists.mozilla.org
On 4/10/13 11:37 AM, Kathleen Wilson wrote:
participated in this discussion.
If there are no further comments or questions regarding this request,
then I will close this discussion and recommend approval in the bug.
Thanks,
Kathleen
Kathleen Wilson
May 7, 2013, 4:00:11 PM5/7/13
to mozilla-dev-s...@lists.mozilla.org
Thank you to those of you who reviewed and contributed to this
discussion about the request from ACCV to add the �ACCVRAIZ1� root
been resolved.
I am closing this discussion, and I will recommend approval in the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=811352
Any further follow-up on this request should be added directly to the bug.
Thanks,
Kathleen
discussion about the request from ACCV to add the �ACCVRAIZ1� root
certificate and enable all three trust bits.
The questions and issues that were raised during this discussion have
been resolved.
I am closing this discussion, and I will recommend approval in the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=811352
Any further follow-up on this request should be added directly to the bug.
Thanks,
Kathleen
0 new messages