ACCV is a CA operated by the government of the Valencia region of Spain.
ACCV issues certificates for persons (with email), web sites and for
signing code, in different policies, but with the same root. ACCV is a
public certificate service provider and the intended use for this root
certificate is to improve the electronic administration between citizens
and the administration.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=274100
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#ACCV
Information Gathering document (summary of info gathered and verified):
https://bugzilla.mozilla.org/attachment.cgi?id=516306
Noteworthy points:
* The CP and CPS documents are in Spanish. An English translation of the
ACCV CPS was attached to the bug. Translations from parts of the CP
documents are provided in the Information Gathering document.
CPS (English): https://bugzilla.mozilla.org/attachment.cgi?id=426960
CPS (Spanish):
http://www.accv.es/fileadmin/Archivos/Practicas_de_certificacion/ACCV-CPS-V2.1.pdf
CP Documents listed by certificate usage:
http://www.accv.es/quienes-somos/practicas-y-politicas-de-certificacion/politicas-de-certificacion/
SSL CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/PKIGVA-CP-03V2.0-c2010.pdf
Code Signing CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/nuevo_23_07_08/PKIGVA-CP-04V2.0-c.pdf
Qualified Certs CP for Public Employees:
http://www.accv.es/fileadmin/Archivos/Politicas_de_certificacion/ACCV-CP-13V2.0-c.pdf
Qualified Certs CP for Citizens:
http://www.accv.es/fileadmin/Archivos/politicas_certificacion/ACCV-CP-07V4.0-c.pdf
* This root has four internally-operated subordinate CAs which sign
end-entity certificates for individuals and organizations. The sub-CAs are:
** CAGVA - Issued end entity certificates; personal certificates, code
signing certificates and SSL certificates. This CA no longer issues
certificates (CRL signing only).
** ACCV-CA1 - Issues end entity certificates. Mainly company certificates.
** ACCV-CA2 - Replaces CAGVA. Issues end entity certificates; personal
certificates, code signing certificates and SSL certificates. ACCV
checks the data from end entities exhaustively (vital statistics and
data domain).
** ACCV-CA3 - Issues Windows logon certificates and DC certificates for
internal domains.
* The request is to enable all three trust bits.
** CPS section 9.6.2: The persons that operate in the RAs integrated
into the hierarchy of the ACCV – User Registration Point Operators – are
obliged to:
*** Carry out their operations in accordance with this CPS.
*** Carry out their operations in accordance with the Certification
Policy that is applicable for the type of certificate requested on each
occasion.
*** Exhaustively verify the identity of the persons granted the digital
certificate processed by the Operators, for which purpose they will
require the physical presence of the requester and the presentation of
their current National ID Card (not a photocopy), or a Spanish passport.
Non-Spanish users must present a Residence Card/Foreigner’s ID Card.
** SSL CP section 3.1.8: For applicants belonging to the scope of the
Generalitat Valenciana your order will be validated with information
from the official directory.
In case of not belonging to the Generalitat Valenciana, the applicant
must attach the publication of the official appointment or document the
job occupation or certificate issued by human resources department in
his organization, which clearly indicates his position and responsibility.
** Code Signing CP section 3.1.8: When the applicant belongs to the
Valencia Government staff, his/her application will be validated with
the information contained in the People and Services’ Guide.
If they are not Valencia Government staff members, the applicant must
submit the appointment publication (Government Gazette) or the civil
servants’ inauguration certificate or a certificate from his/her
organization personnel department specifying occupation and
responsibilities.
** Code Signing CP section 3.1.9: The identity authentication of a
certificate applicant shall be made by his/her personal digital
certificate that is used to sign the certificate application.
** SSL CP section 3.1.9: The authentication of the identity of
applicants for a certificate will be made through the use of their
personal digital certificate to sign the certificate request.
** Section 3.1.9 of the Code Signing CP and the SSL CP means that the
subscriber must have a qualified personal certificate before applying
for a Code Signing or SSL certificate. All requests for Code Signing and
SSL certs are digitally signed with qualified personal certificates.
These qualified certificates require that the user is physically present
in a registration point and proves his identity. Therefore, by the time
a request for a Code Signing or SSL cert arrives, ACCV has already
verified the identity of the applicant and the company in which the user
works.
** SSL CP section 3.1.10: The ACCV will check that domains and addresses
associated to the certificate actually belong to the applicant by
looking up the records assigned by ICANN/IANA. This checking will be
made by using WHOIS queries in the records authorized by the Red.es
agency at http://www.nic.es or its equivalent for national domains or
those provided by VeriSign for the generic domains
(whois.verisign-grs.com).
Besides WHOIS query, DNS response and connection tests using secure
protocol (e.g. HTTPS) with the domain under consideration will be made
when possible. In the light of any irregularity, the ACCV will contact
the certificate applicant and leave the certificate issuance pending
until correction. If this correction is not fixed within a month the
request will be denied.
** SSL CP section 4.2: The certificate issuing procedure will start once
the Registration Authority associated to this Certification Policy has
checked all necessary requirements for validating the certification
request. This Certification Policy will be the mechanism for determining
the nature and how to perform this checking.
Upon issuance of the certificate, the Registration Authority shall
notify the subscriber by sending a signed e-mail to the address included
in the request. The user must sign in to the non-personal certificate
management application (NPSC) available at
https://npsc.accv.es:8450/npsc to pick up the certificate by previously
signing the Certificate Agreement in this application with a personal
qualified certificate.
The Certificate Agreement is a document that must be digitally signed by
the applicant in order to bind him/her to the request action, the
knowledge of certificate use rules and the accuracy of provided data.
** Email: Civil servants certificates are issued from the official lists
supplied by the public administration concerned. These official lists
are drawn from selective processes with maximum guarantees (determine
who is a civil servant) and involve a process in person at the
registration point of administration. Public administration provides its
employees with email accounts for their work as civil servants. These
email accounts are corporate and internally generated. The ACCV accepts
these mail accounts because they are imposed by the administration and
not by the user.
** Snippets of Translations from Qualified Certs CP for Public Employees…
*** Section 3.2.2: The license application defined in this policy is
limited Certification to public authorities or administrations with
which agreement has been established certification contract or some
other formula that implements the service by the ACCV.
*** Section 3.2.3: The determination of the public employee status is
the responsibility of the Administration or Public entity applicant,
which shall check the condition of public employee, either in its
database, if it is updated, or by requesting the document by which the
subscriber has purchased This condition, if not any indication as to the
Administration or Public Entity applicant.
… The Autoritat of Certification of the Valencia only guarantee that the
email address stated on the certificate was provided by the
Administration or public entity that owns the subscriber in the upon
finalization of your application and / or shown as linked to subscriber
bases personal data of the Government or the Civil Service to which
belongs applicant.
** Snippets of Translations from Qualified Certs CP for Citizens:
*** Section 3.2.2 : The application for certificates associated to this
Certificate Policy is limited to public entities or administrations
which have established a certification agreement, contract or some other
formula that supports the ACCV service provision.
The public entity or administration identification process will be held
in the organization enrollment to be signed by an authorized
representative of the entity or administration.
*** Section 3.2.3: The certificate applicant identity authentication
will be made in person while applying or during the certificate
delivery. Thus, Registration is delegated to the certificate issuing
entity which signed an agreement, contract or some other formula that
supports the ACCV service provision.
Presence of the civil servant to whom a certificate is issued will not
be required when his/her identity and civil servant status are already
recorded in the Personnel Registry of the Public or Corporate Entity or
Public Administration which the civil servant belongs to and where
his/her application is directed to.
The applicant public entity or administration has the entire
responsibility of determining the civil servant status. The public
entity or administration will check the public servant status in its
database if it is updated or by requesting a document where the
subscriber’s status is stated in case the applicant public entity
or administration does not have this record.
These certificates include the subscriber’s email address as a necessary
element to support digital signature and email encryption operations.
However, the Autoritat de Certificació de la Comunitat Valenciana does
not guarantee that this electronic address is linked to the certificate
subscriber, thus the confidence that this email is linked to the
certificate subscriber relates to the relying party only. The Autoritat
de Certificació de la Comunitat Valenciana just guarantees that the
email stated in the certificate was provided by the Administration or
Public Entity which the subscriber belonged to at the time that the
application was made and/or that this email is linked to the subscriber
in the Valencia Government or other Public Administration personnel data
base that the applicant belongs to.
*** Section 4.1: This certificate request is the responsibility of the
Public Entity or Administration which shall verify the certificate
owner’s civil servant status by checking their organization personnel
registry.
* EV Policy OID: Not EV
* Test Websites: https://www.accv.es/
* CRL:
** http://www.pki.gva.es/gestcert/rootgva_der.crl
** http://www.accv.es/gestcert/accv_ca2.crl (NextUpdate 2 days)
** CPS section 4.9.9. ACCV shall publish a new CRL in its repository at
maximum intervals of 3 hours, even if there have been no modifications
to the CRL (changes to the status of certificates) during the
aforementioned period.
* OCSP: http://ocsp.pki.gva.es/
* Audit: KPMG performed the audit according to the WebTrust CA criteria,
and the audit statement is posted on the webtrust.org website
(https://cert.webtrust.org/SealFile?seal=943). The current audit is in
progress, and final approval of this request will be contingent on the
new audit statement.
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices):
** Delegation of Domain / Email validation to third parties
*** CPS section 1.3.2: Bodies of the Autonomous Government of Valencia
as well as other entities can be Registration Authorities provided that
the corresponding collaboration agreement has been entered into. These
Registration Authorities are referred to as User Registration Points or
PRUs in the documentation relating to the Certification Authority of the
Community of Valencia, and they are entrusted with confirmation of the
requester’s identity and delivery of the certificate.
*** Obligations of the Registration Authority are defined in CPS section
9.6.2.
*** CPS section 5.2.1.7: Auditor… must verify all aspects mentioned in
the security policy, copies policies, certification practices,
Certification Policies, etc. in the group of ACCV systems and within the
ACCV personnel, as well as in the PRUs.
This begins the discussion of the request from ACCV to add the “Root CA
Generalitat Valenciana” root certificate and turn on all three trust
bits. At the conclusion of this discussion, I will provide a summary of
issues noted and action items. If there are no outstanding issues, then
this request can be approved. If there are outstanding issues or action
items, then an additional discussion may be needed as follow-up.
Kathleen

Corrections...
Code Signing CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/PKIGVA-CP-04V2.0-c.pdf
Audit URL: https://cert.webtrust.org/SealFile?seal=943&file=pdf
Kathleen

I would like to get more information regarding the established procedure
for dealing with renewal requests, and more specifically as applied to
SSL certificates.
In the CPS it is stated that
********
3.3. Identification and authentication of key renewal requests.
3.3.1. Identification and authentication of routine requests for
renewal.
Identification and authentication for certificate renewal can be
carried out using the techniques for initial authentication and
identification or using digitally signed requests via the original
certificate intended for renewal, provided that the original
certificate has not expired or been revoked. There are therefore two
alternative methods for renewal:
- Signed web forms in the Personal Certification Services Area,
available at www.accv.es.
- Personal attendance at any User Registration Point, with sufficient
identification documents (see section 3.2.3. of this CPS).
In addition, and in accordance with the stipulations of Article 13.4
b) of Act 59/2003 of 19 December on Electronic Signatures, certificate
renewal via digitally signed requests requires that the period of time
elapsed since personal identification must be less than five years
*********
Reading this topic I have several questions; here they go:
1.- Does the CA perform “certificate renewal” (same keys, new
certificate with longer expiry date) or “certificate re-key” (new
keys, new certificate with longer expiry date)?
2.- To my understanding the related parties' identification /
authentication is done with the certificate itself (the one that is
going to be renewed or rekeyed), is this correct?
3.- What happens to the old certificate when such operation is
performed, is it revoked?
4.- Can an entity apply to the certificate renewal at any time of the
certificate life cycle as long as it is not revoked or expired?
Thanks all folks,
Regards

Hi Jesús
Answering your questions:
1- Second option. New keys and new certificate with the lifetime
defined in our policy (in most cases three years).
2- Yes. With the certificate itself.
3- Yes. You're right. The old certificate is revoked before generating
the new one; then the new keys and new certificates are generated and
the session is reconnected to test that everything went well.
4- No. The renewal period begins 70 days before the expiration date.
The CA sends three emails alerting users, at 70 days, 30 days and 7
days.
Thank you very much for your interest.

Thank you very much for your quick response. I think now it's clear.
Regards

I've been reading the SSL CP (SSL CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/PKIGVA-CP-03V2.0-c2010.pdf)
and I have a doubt about the contents of SSL certificates issued by ACCV as
indicated in section 7 "Certificate and CRL Profile":
- SSL certificates issued by ACCV don't have the AuthorityInformationAccess
extension with an OCSP pointer for browsers to validate such certificates?
Thanks in advance.
Regards,
2011/3/4 Jesús <jesus...@gmail.com>
> OK,
>
> Thank you very much for your quick response. I think now it's clear.
>
> Regards
>
> On Mar 3, 10:19 am, Jose Amador <jama...@accv.es> wrote:
Hi
SSL certificates have AIA. In the Policy only some distinctive
fields appear. Thanks for your input; we will add it in the next version.
Thank you very much.
Regards
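A relying-party check for the point raised above, added here as an example and not part of the thread or ACCV's own tooling: it builds a throwaway self-signed certificate that carries the AIA OCSP pointer and CRL distribution point named in the request, then extracts them the way a client would before a revocation check. The subject name and file paths are constructed placeholders; the script assumes an `openssl` binary on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread or ACCV): generate a self-signed test
# certificate with the AuthorityInformationAccess (OCSP) and CRL Distribution
# Point extensions discussed for the SSL CP, then read those pointers back.
# The OCSP responder and CRL URLs are the ones listed in the inclusion
# request; the subject name and file paths are placeholders constructed here.
set -e

# make_test_cert DIR: writes DIR/leaf.pem (plus key) and prints the cert path.
make_test_cert() {
  dir="$1"
  cat > "$dir/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = leaf_ext
prompt             = no
[ dn ]
CN = example.accv.test
[ leaf_ext ]
authorityInfoAccess   = OCSP;URI:http://ocsp.pki.gva.es/
crlDistributionPoints = URI:http://www.accv.es/gestcert/accv_ca2.crl
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$dir/req.cnf" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.pem" >/dev/null 2>&1
  echo "$dir/leaf.pem"
}

# ocsp_uri_of CERT: prints the OCSP responder URI(s) from the AIA extension,
# one per line; prints nothing when the certificate carries no such pointer.
ocsp_uri_of() {
  openssl x509 -in "$1" -noout -ocsp_uri
}

# crl_dp_of CERT: prints the first URI listed under CRL Distribution Points.
crl_dp_of() {
  openssl x509 -in "$1" -noout -text \
    | awk '/CRL Distribution Points/ { f = 1 }
           f && /URI:/ { sub(/.*URI:/, ""); print; exit }'
}

# has_revocation_pointers CERT: exit 0 when both an OCSP responder and a
# CRL DP are present, 1 otherwise. With neither, a client cannot check status.
has_revocation_pointers() {
  [ -n "$(ocsp_uri_of "$1")" ] && [ -n "$(crl_dp_of "$1")" ]
}

DEMO_CERT="$(make_test_cert "$(mktemp -d)")"
echo "OCSP responder: $(ocsp_uri_of "$DEMO_CERT")"
echo "CRL DP:         $(crl_dp_of "$DEMO_CERT")"
if has_revocation_pointers "$DEMO_CERT"; then
  echo "revocation pointers present"
else
  echo "missing OCSP or CRL pointer"
fi
```

Run the same three functions against a real leaf certificate saved in PEM form to confirm the profile the thread describes.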
Thank you to those of you who have reviewed and commented on this request.
There are a couple of clarifications that we would like ACCV to add to
their documentation. However, these are minor points, so we can track
these items separately and proceed with the approval phase if there are
no other comments for this discussion.
1) Add clarification to the CPS about the renewal process.
2) Update the SSL CP to clarify that SSL certs have the OCSP URI in the AIA.
Does anyone need more time to review and comment on this request?
Kathleen

All,
This discussion has been open for two weeks now, and two people have
provided input. (Thanks!)
There are a couple of minor clarifications that we would like ACCV to
make to their CP/CPS, but no concerns have been raised that affect
approval of this root inclusion request. The action items to add the
clarifications to their CP/CPS may be tracked separately from approval.
Therefore, I intend to close this discussion tomorrow and recommend
approval in the bug.
Kathleen

Thanks again to those of you who reviewed and commented on this request.
I am now closing this discussion, and I will recommend approval for this
request from (ACCV) to add the “Root CA Generalitat Valenciana” root
certificate and turn on all three trust bits.
All remaining follow-up should be posted in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=274100
I will also track the action items to add clarifications to the CPS and
SSL CP in the bug.
Kathleen

Correction: I will only recommend approval after I have received and
confirmed the authenticity of an updated audit statement.
Kathleen