463989 - add Finnish Population Register Centre's Root CA Certificates

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[vptuotanto]

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; InfoPath.1; .NET CLR 2.0.50727)
Build Identifier: 

*APPLICATION FOR DEFAULT CERTIFICATES FOR MOZILLA.ORG
Reference: http://www.mozilla.org/projects/security/certs/policy/ 

We are applying to add our CA certificates to Mozilla.org products as mentioned in the Mozilla CA Certificate Policy (Version 1.2).

*Number of roots we would like to submit
Root and subCA’s (1 + 5):
Certificate policies: 
http://www.fineid.fi/vrk/fineid/home.nsf/pages/8159D738E49D3251C2257054002D7EF4      
*1. VRK Gov. Root CA 
Link: http://vrk.fineid.fi/certs/vrkrootc.crt
Policy:  http://www.fineid.fi/vrk/fineid/files.nsf/files/77D57B47FB564530C225702600439C05/$file/cacp.PDF
CPS for root not publicly available, CPS’s for subCA’s, see below
Usage: PRC’s VRK Gov. Root CA is for signing PRC’s SUB CAs and thus creates a hierarchical trust web where it stands as a single trust anchor.
Extented Key Usages: see FINEID specification S2 - VRK (PRC) CA-model and certificate contents, v2.1
Desired extended key usages (EKUs)
•	1.3.6.1.5.5.7.3.1 serverAuth
•	1.3.6.1.5.5.7.3.2 clientAuth
•	1.3.6.1.5.5.7.3.4 emailProtection
•	1.3.6.1.4.1.311.20.2.2 kPSmartcardLogon
These actual EKU's are applicable to the different end-user certificates. (In addition, standard key usage & RFC822 name attributes etc. are included in certificates issued).

*1.1 VRK Gov. CA for Citizen Qualified Certificates 
Link: http://vrk.fineid.fi/certs/vrkcqc.crt
Policy: http://www.fineid.fi/cps1
Issued to: The certificates are issued to Finnish citizens and aliens living permanently in Finland. 
Extented Key Usages: 
-Authentication
-S/MIME
-Digital Signature
For more information see FINEID specification S2 – VRK (PRC) CA-model and certificate contents, v2.1 (http://www.fineid.fi/vrk/fineid/files.nsf/files/24EA4C4CD4A1EAA0C2257054002A55BD/$file/S2v21.pdf)

*1.2 VRK Gov. CA for Multiplatform Citizen Qualified Certificates 
Link: http://vrk.fineid.fi/certs/vrkmcqc.crt
Policy:  http://www.fineid.fi/cps4
Issued to: The certificates are issued to Finnish citizens and aliens living permanently in Finland and stored to a PKI-SIM. 
Extented Key Usages:
-Authentication
-S/MIME
-Digital Signature
For more information see FINEID specification S2 – VRK (PRC) CA-model and certificate contents, v2.1 

*1.3 VRK CA for Qualified Certificates 
Link: http://vrk.fineid.fi/certs/vrkqc.crt
Policy:  http://www.fineid.fi/cps2
Issued to: The certificates are issued to employees of company or organization or an associated group.
Extented Key Usages:
-Authentication
-S/MIME
-Digital Signature
-Smart Card Logon
For more information see FINEID specification S2 – VRK (PRC) CA-model and certificate contents, v2.1 (http://www.fineid.fi/vrk/fineid/files.nsf/files/24EA4C4CD4A1EAA0C2257054002A55BD/$file/S2v21.pdf)

*1.4 VRK CA for Service Providers
Link: http://vrk.fineid.fi/certs/vrksp.crt
Policy:  http://www.fineid.fi/cps3
Issued to: The certificates are issued for public and private sector services.
Extented Key Usages:
-Authentication
-S/MIME
-Digital Signature

*1.5 VRK CA for Temporary Certificates
Link: http://vrk.fineid.fi/certs/vrktc.crt
Policy: http://www.fineid.fi/cps5
Issued to: The certificates are issued to employees of company or organization or an associated group.
Extented Key Usages:
-Authentication
-S/MIME
-Digital Signature
-Smart Card Logon



Reproducible: Always

Steps to Reproduce:
1.
2.
3.



*Information on Population Register Centre of Finland

The Population Register Centre of Finland produces personal and building data services of the highest quality, as well as identification solutions for electronic services to cater for the different needs of the society. 
The Population Register Centre develops and maintains the national Population Information System, the guardianship register and the Public Sector Directory Service, and provides assistance for organising elections. The Population Register Centre serves as the Certification Authority for the State of Finland, as dictated in the Finnish legislation (Population Information Act (507/1993), Identity Card Act (829/1999), Act on Electronic Signatures (14/2003), Directive 1999/93/EC), and thus develops and maintains the national certificate services to Finnish Citizens, state workers and organizations.
The Population Register Centre was founded in 1969 and it operates under the Ministry of Finance. Our offices are located in Sörnäinen, Helsinki, at Tynnyrintekijänkatu 1 and in Kokkola, at Rantakatu 16. We employ 120 persons. 

*The role of Population Register Centre of Finland as a CA

The Population Register Centre has issued certificates since 1999 and has been Qualified Certification Authority since 2003.
The Population Register Centre issues Citizen Certificates to Finnish citizens and aliens residing permanently in Finland. Certificates are used e.g. in online services. All certificates issued to natural persons by the Population Register Centre are qualified certificates, i.e. European-wide certificates based on an EU Directive and Finnish legislation, ensuring a high level of information security and including a genuine ID.  
In addition, Population Register Centre also issues certificates which are used in Finnish biometric passports (the applicable root CA is not included this application).

*Two contacts from our organization

Development Manager, Jan Partanen, jan.partanen@vrk.fi, +358 50 462 0871
System Integrator, Erkki Wuoma, erkki.wuoma@vrk.fi, +358 9 2291 6741

*Company name and address information

Population Register Centre (Tynnyrintekijänkatu 1C)
P.O.Box 70, 00581 Helsinki, Finland

*Company Web page address

http://www.fineid.fi (technical data, Certificate Policies, Certification Practice Statements, PKI Disclosure Statements, FINEID specifications)
http://www.vrk.fi (about Population Register centre in general)

*Annual audits and inspections which PRC’s CA practise has Undergone

SFS-EN ISO 9001:2000, ISO/IEC 27001:2005 by Inspecta Finland (www.inspecta.com) and Finnish Communications Regulatory Authority (www.ficora.fi) http://www.ficora.fi/index/palvelut/palvelutaiheittain/sahkoinenallekirjoitus/varmentajarekisteri.html (last audit was done 1 July 2008)
FICORA supervises that qualified certificates are provided in Finland in compliance with the Act on Electronic Signatures and orders issued under it and that the qualified certificates and systems of qualified certificates comply with the provisions mentioned above. The supervision involves, among other things, annual inspections of qualified certificate operations.  As mentioned if the certification-service-provider or the product or service related to electronic signatures meets the requirements of these standards or technical specifications (e.g. ETSI TS 101 456), usually they also fulfil the requirements laid down in the Directive and the Act.

Comment 1

[Kathleen Wilson]

Attachment: Initial Information Gathering Document

The attached document summarizes the information that has been gathered and verified as per https://wiki.mozilla.org/CA:How_to_apply.
The yellow highlighting within the document shows where further clarification is needed. I will also summarize below. 

1) Please provide URLs to the CRLs for the intermediate CAs.

2) Please confirm that there are no subordinate CAs that are operated by third parties.  E.g. All of this root’s intermediate CAs are operated internally.

3) Please provide the locations of text in the CPS that demonstrates that reasonable measures are taken to verify the following information for end-entity certificates chaining up to this root, as per section 7 of http://www.mozilla.org/projects/security/certs/policy/.
a)for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;
b)for a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf; 
c) for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;

4) If there are SSL certs chaining up to this root, please identify if all SSL certs chaining up to this root are OV, meaning that both the domain name referenced in the certificate is verified to be owned/controlled by the subscriber, and the value of the Organization attribute is verified to be that associated with the certificate subscriber.

5) Please review the potentially problematic practices at  http://wiki.mozilla.org/CA:Problematic_Practices and comment as to whether any of these are relevant. If relevant, provide further info.

6) Do you have a publishable statement or letter from the auditor(s) that states that they have reviewed the practices as outlined in the CP/CPS for this root, and that the CA does indeed follow these practices and meets the requirements of ETSI TS 101 456?

Comment 2

[vptuotanto]

Please see below the answers to open issues raised in the initial information gathering document

1) Please provide URLs to the CRLs for the intermediate CAs.

a. VRK Gov. CA for Citizen Qualified Certificates
http://proxy.fineid.fi/crl/vrkcqcc.crl

b. VRK Gov. CA for Multiplatform Citizen Qualified Certificates
Two different CRLs because of two different Teleoperators:
http://proxy.fineid.fi/crl/vrkcqt1c.crl
http://proxy.fineid.fi/crl/vrkcqe1c.crl

c. VRK CA for Qualified Certificates
http://proxy.fineid.fi/crl/vrkqcc.crl

d. VRK CA for Service Providers
http://proxy.fineid.fi/crl/vrkspc.crl

e. VRK CA for Temporary Certificates
http://proxy.fineid.fi/crl/vrktcc.crl

2) Please confirm that there are no subordinate CAs that are operated by third
parties.  E.g. All of this root’s intermediate CAs are operated internally.

Population Register Centre is responsible by Finnish law of the CA operations. Third parties are not subordinate CA operators. Maintenance of software and hardware for CA systems is outsourced to the third party. The maintenance is based on a contract where the third party is required to adhere to the same requirements as the Certification Authority is.

Population Register Centre audits its subcontractors responsible for CA systems maintenance before a contract is made. The Finnish Communications Regulation Authority audits Population Register Centre and its subcontractors on a regular basis.

3) Please provide the locations of text in the CPS that demonstrates that
reasonable measures are taken to verify the following information for
end-entity certificates chaining up to this root, as per section 7 of
http://www.mozilla.org/projects/security/certs/policy/.

a)for a certificate to be used for SSL-enabled servers, the CA takes reasonable
measures to verify that the entity submitting the certificate signing request
has registered the domain(s) referenced in the certificate or has been
authorized by the domain registrant to act on the registrant's behalf;

Service Provider for Server Use CPS Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/B2BC1F39CB3F28AAC225742E004BA2DF/$file/srvcps20080501.pdf (in Finnish)

Main measures for verifying applicant identity are:
- The existence of company is checked on the Finnish Company Register
- Letter of authority is required for the person who is acting on behalf of the company
- The ownership of domain name must be proved with a certificate of domain name ownership from Finnish Communications Regulation Authority
- If the applicant is a person then he must prove his identity with valid ID  

b)for a certificate to be used for digitally signing and/or encrypting email
messages, the CA takes reasonable measures to verify that the entity submitting
the request controls the email account associated with the email address
referenced in the certificate or has been authorized by the email account
holder to act on the account holder's behalf;

Certificates on Smartcards:

Citizen Certificates CPS Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/7AC8EFBD063A723BC225742C001EA6BC/$file/ccps20080501en.pdf

Qualified Certificates Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/F7A72F2FAD5E83B3C225742C00372EFD/$file/ocps20080501en.pdf

Temporary Certificates CPS Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/9BB25E8FA98D6D6FC22574F300410999/$file/tccps20081101.pdf (in Finnish)

Software Certificates:

Service Provider for Server Use CPS Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/B2BC1F39CB3F28AAC225742E004BA2DF/$file/srvcps20080501.pdf (in Finnish)

Service Provider for E-mail Use CPS Chapters 4.1-4.3
http://www.fineid.fi/vrk/fineid/files.nsf/files/AAF4DE2FF17E1015C225742E004B8B3D/$file/spcps20080501.pdf (in Finnish)

c) for certificates to be used for digitally signing code objects, the CA takes
reasonable measures to verify that the entity submitting the certificate
signing request is the same entity referenced in the certificate or has been
authorized by the entity referenced in the certificate to act on that entity's
behalf;

See answers in section 3a.

4) If there are SSL certs chaining up to this root, please identify if all SSL
certs chaining up to this root are OV, meaning that both the domain name
referenced in the certificate is verified to be owned/controlled by the
subscriber, and the value of the Organization attribute is verified to be that
associated with the certificate subscriber.

See answers in section 3a.

5) Please review the potentially problematic practices at 
http://wiki.mozilla.org/CA:Problematic_Practices and comment as to whether any
of these are relevant. If relevant, provide further info.

Answers to open issues:

1.1 Long-lived DV certificates
Not a problem, certs issued for 1 to 2 years

1.2 Wildcard DV SSL certificates
Not a problem, Wildcards certs not issued.

1.6 Certificates referencing hostnames or private IP addresses
Certificates are issued to verified organisations, but not to private persons.

1.8 CRL with critical CIDP Extension
Not a problem, only full CRLs are issued.

6) Do you have a publishable statement or letter from the auditor(s) that
states that they have reviewed the practices as outlined in the CP/CPS for this
root, and that the CA does indeed follow these practices and meets the
requirements of ETSI TS 101 456?

Inspecta Finland does not audit the CA against ETSI requirements, but against ISO 9001 and ISO 27001 requirements. The audit letter is not publishable, but the certificates are public. The certificates can be found using certificate search (sertifikaattihaku) from the auditor’s webpage http://www.inspecta.fi/sfs 

ISO 27001 certificate (in Finnish)
http://www.inspecta.fi/sfs/sertifikaattihaku/haku_tulokset.php?type=haljar&nayta=1&id=1400

ISO 9001 certificate (in Finnish)
http://www.inspecta.fi/sfs/sertifikaattihaku/haku_tulokset.php?type=haljar&nayta=1&id=1401

7) Example certificate (url)

https://www.intermin.fi

Comment 3

[vptuotanto]

Attachment: SFS-EN ISO 9001:2000 Certificate

Comment 4

[vptuotanto]

Attachment: ISO/IEC 27001:2005 Certificate

Comment 5

[vptuotanto]

Attachments to question 6 added for clarification.

Comment 6

[Kathleen Wilson]

Thank you for your thorough response. 

I have updated the pending list to include this entry:
http://www.mozilla.org/projects/security/certs/pending/#Finnish%20Population%20Register

In regards to #3b, I see the text in the CPSs that  states that the ID of the subscriber is verified, but I was not able to find the text stating that the ownership/control of the email account associated with the email address referenced in the certificate is verified. Please provide further clarification.

Comment 7

[vptuotanto]

Response to comment #6:

The control of the domain name part in the email address is verified when the subscriber is an employee of an organization, the subscriber is not allowed to enter an email address with domain name not in the control of the organization. The ability to order certificates to company employees is based on a contract between the company and Population Register Center. The local part of the email address is not checked (it could be anything, like 123abc).

In regard to Citizen certificates the subscriber applies to the certificate at the Police office. The subscriber can ask his email address to be included in the certificate to be issued. The format of the email address is checked, but the control of the email address is not. For private persons the domain name part checking of the email address is not possible as the persons are not usually in control of a domain name but get their email from a service provider such as mail.com.

As Population Register Centre, as a Certification Authority, is a governmental organization, all certificates issued will be put in a governmental certificate register. In Finland, governmental registers are protected by the law. Therefore it is a criminal act for any person to try to misinform governmental register keepers and try to get false information to be put into governmental registers.

Comment 8

[Kathleen Wilson]

Attachment: Completed Information Gathering Document

This completes the Information Gathering and Verification phase as described in
https://wiki.mozilla.org/CA:How_to_apply.

I will update the pending list to reflect this status:
http://www.mozilla.org/projects/security/certs/pending/#Finnish%20Population%20Register

I will also add this request to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule

Comment 9

[Kathleen Wilson]

Attachment: Completed Information Gathering Document

Updating the Information Gathering Document in preparation for public discussion.

Comment 10

[Kathleen Wilson]

I am now opening the first public discussion period for this request from the Finland Population Register Centre to add the VRK Gov. Root CA root certificate to NSS and enable all three trust bits.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “Finnish Population Register Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

Comment 11

[Kathleen Wilson]

At the end of the discussion thread, I have posted a summary of the open questions and action items resulting from the discussion.

I would like to ask an official from the Finland Population Register to participate in the discussion by providing their clarifications/responses to the questions and action items.

Comment 12

[vptuotanto]

Population Register Centre / Jan Partanen answered to all open questions on the thread on 2.6.

One action item rose up: the audit letter from FICORA, this will be attached shortly to the bug.

//Jan Partanen

Comment 13

[vptuotanto]

Attachment: FICORA Audit letter to Mozilla

Population Register Centre is audited by the Finnish Communications Regulatory Authority FICORA, Viestintävirasto in Finnish, Kommunikationsverket in Swedish. 

FICORA is the governmental body that audits Qualified CA providers in Finland. This is required by the Finnish legislation. FICORA gives orders and recommendations for CA’s and audits them yearly. FICORA’s orders, recommendations and audit criteria are based on ETSI TS 101 456. 

FICORA home page in English:
http://www.ficora.fi/en/index.html

Register of audited qualified CA providers at FICORA site (in Finnish):
http://www.ficora.fi/index/palvelut/palvelutaiheittain/sahkoinenallekirjoitus/varmentajarekisteri.html

Comment 14

[Kathleen Wilson]

The first discussion for this request from the Finland Population Register Centre to add the VRK Gov. Root CA root certificate to NSS and enable all three trust bits, is now closed.

There are two open items resulting from this discussion:

1) Audit
The action item is for VRK to have a new audit performed which covers the CPS for website and code signing certificates, and meets the requirements of sections 8, 9, and 10 of http://www.mozilla.org/projects/security/certs/policy/. Once the audit is completed, please attach the auditor’s statement to the bug.

2) Email Trust Bit
I am recommending postponing the request for enabling the email trust bit. VRK has extensive procedures for verifying the identity of certificate subscribers. However, VRK is at this time unable to verify that the subscriber for Citizen Certificates controls the email address that is included within the certificate. If VRK finds a way to meet this requirement (eg does not include email address in Citizen Certs, or finds a way to verify the control of that email address), then VRK may open a new bug to request enablement of the email trust bit.

Comment 15

[vptuotanto]

Attachment: INSPECTA Audit letter

Comment 16

[vptuotanto]

Attachment: FICORA Audit letter

Comment 17

[vptuotanto]

The attachment for open item 1 added (INSPECTA Audit letter). 

Also added the latest audit letter for qualified certificates (FICORA Audit letter). 

As recommended we are postponing the request for enabling email trust bit. We will open this issue in a new bug when we have solved how to control email address in citizen certificates. 

Hopefully these clarificarions are sufficient so VRK Gov. Root CA root certificate can be added to NSS.

Comment 18

[Kathleen Wilson]

Thank you for the update.

I see that the audit statement from the Finnish Communications Regulatory Authority (FICORA) covers the Qualified Certificates, and states compliance with the ETSI TS 101 456 criteria.

However, the Inpsecta audit statement is not clear to me.

> “The auditor has also studied the audit reports of the Finish Communications
> Regulatory Authority(FICORA) concerning the issue of qualified certificates
> by the Population Register Center in Finland.
> From the study and interviews the auditor has concluded that the server
> certificates are produced in the same secure environment as the qualified
> certificates.”

What does this mean? Is the auditor saying that the server certificates also comply with the ETSI TS 101 456 criteria? If yes, the auditor should state such in the report.

Does the term “server certificates” in this statement cover both SSL and Code Signing certificates? 

> “I am of the opinion that the Population Register Center in Finland server 
> certificate operations and systems used in the operations meet the
> requirements expressed in the FINEID – S10: FINEID Certificate Policy: For a
> service certificate OID 1.2.246.517.2.1”

I’m not sure what this is referring to. I could not find that OID.  Is this referring to a new Service Provider for Server CPS?  If yes, please provide the url to the new document.

Comment 19

[vptuotanto]

Attachment: INSPECTA Audit letter

Comment 20

[vptuotanto]

(In reply to comment #18)

Thank you for your quick reply. We apologize for the delay in answering your questions.

We have included updated INSPECTA Audit letter.

> Thank you for the update.
> I see that the audit statement from the Finnish Communications Regulatory
> Authority (FICORA) covers the Qualified Certificates, and states compliance
> with the ETSI TS 101 456 criteria.
> However, the Inpsecta audit statement is not clear to me.

> > “The auditor has also studied the audit reports of the Finish Communications
> > Regulatory Authority(FICORA) concerning the issue of qualified certificates
> > by the Population Register Center in Finland.
> > From the study and interviews the auditor has concluded that the server
> > certificates are produced in the same secure environment as the qualified
> > certificates.”

> What does this mean? Is the auditor saying that the server certificates also
> comply with the ETSI TS 101 456 criteria? If yes, the auditor should state such
> in the report.

The server sertificates do not comply with ETSI TS 101 456 which is for qualified certificates. The qualified certificates are issued only to natural 
persons. The server certificate CA is as the auditor mentions operated in the same secure environment as the qualified certificate CAs. As mentioned before the maintenance of software and hardware for CA systems is outsourced to the third party. The maintenance is based on a contract where the third party is required to adhere to the same requirements as the Certification Authority is. The server certificate CA's private keys are stored in the hardware security modules (HSM) which fullfil the requirements of FIPS 140-1,level 3 with regard to their security level.

> Does the term “server certificates” in this statement cover both SSL and Code
> Signing certificates? 

The server certificates covered in this statement cover only SSL certificates.

> > “I am of the opinion that the Population Register Center in Finland server 
> > certificate operations and systems used in the operations meet the
> > requirements expressed in the FINEID – S10: FINEID Certificate Policy: For a
> > service certificate OID 1.2.246.517.2.1”
> I’m not sure what this is referring to. I could not find that OID.  Is this
> referring to a new Service Provider for Server CPS?  If yes, please provide the
> url to the new document.

We apologize for the mistake in the audit report. The audit was in finnish and the certificate practise statement "Varmennuskäytäntö Väestörekisterikeskuksen palvelinvarmennetta varten OID: 1.2.246.517.1.10.4.1" was used. When the auditor wrote the audit report in english she checked from the website htt://www.fineid.fi the name of the document but referred mistakenly to now obsoleted FINSIGN CA for Servers OID 1.2.246.517.2.1.

Comment 21

[Kathleen Wilson]

> We have included updated INSPECTA Audit letter.

Thank you for the updated information and audit letter.

According to the Mozilla CA Certificate Policy, the audit needs to use one of the ETSI TS 1010 456, ETSI TS 102 042, or WebTrust CA audit criteria or equivalent. I am not finding a statement in the auditor’s letter that any of these criteria (or equivalent) were used to audit the CA operations relating to SSL certificates. Please point me to this information.

Copied from the policy, http://www.mozilla.org/projects/security/certs/policy/:
We consider the criteria for CA operations published in any of the following documents to be acceptable: - -- Annex B, "(Normative) Certification Authority Control Objectives", of ANSI X9.79-1:2001, Part 1: PKI Practices and Policy Framework; Clause 7, "Requirements on CA practice", in ETSI TS 101 456 V1.2.1 (2002-04) or later version, Policy requirements for certification authorities issuing qualified certificates (as applicable to either the "QCP public" or "QCP public + SSCD" certificate policies); 
-- Clause 7, "Requirements on CA practice", in ETSI TS 102 042 V1.1.1 (2002-04) or later version, Policy requirements for certification authorities issuing public key certificates (as applicable to any of the "NCP", "NCP+", or "LCP" certificate policies); 
-- "WebTrust Principles and Criteria for Certification Authorities" in AICPA/CICA WebTrust Program for Certification Authorities, Version 1.0; or 
-- "WebTrust for Certification Authorities—Extended Validation Audit Criteria" in WebTrust for Certification Authorities—Extended Validation Audit Criteria (or, for CA requests received on or before June 30, 2008, the November 20, 2006 draft of these criteria) (in conjunction with "WebTrust Principles and Criteria for Certification Authorities").


>> Does the term “server certificates” in this statement cover both SSL and 
>> Code Signing certificates? 
>
> The server certificates covered in this statement cover only SSL certificates.

Are the CA operations relating to Code Signing certificates covered in either of these audits?  If not, we should not request enablement of the Code Signing trust bit.

Comment 22

[vptuotanto]

Attachment: FICORA Audit letter

Comment 23

[vptuotanto]

Attachment: INSPECTA Audit letter

Comment 24

[vptuotanto]

We have finally proceed with this case.

I have attached the latest audit reports. Our latest policy can be found here:
http://www.fineid.fi/default.aspx?id=520

We are requesting the website trust bit only, not the code signing trust bit.

Comment 25

[Kathleen Wilson]

Some of the URLs have changed. Would you please provide the new URLs for the following?

Root CA Cert Download URL: http://www.fineid.fi/certs/vrkrootc.crt

Intermediate CAs:
http://www.fineid.fi/vrk/fineid/home.nsf/pages/FA842EE9BB3C7AA5C2257054002D3FA9

FINEID specification S2 – VRK (PRC) CA-model and certificate contents, v2.1
http://www.fineid.fi/vrk/fineid/files.nsf/files/24EA4C4CD4A1EAA0C2257054002A55BD/$file/S2v21.pdf

Comment 26

[vptuotanto]

Sorry. Here are the new URLs:

Root CA Cert Download URL:
http://vrk.fineid.fi/certs/vrkrootc.crt

FINEID specification S2 – VRK (PRC) CA-model and certificate contents, v2.1:
http://www.fineid.fi/default.aspx?id=590

What do you want from 'Intermediate CA' -link? I couldn't find the
link you gave nor the words 'Intermediate CA' from this discussion.
Policies? Download? Is this link enough:
http://www.fineid.fi/default.aspx?id=596

Comment 27

[Kathleen Wilson]

Attachment: Updated Information Gathering Document

Please review the attached Updated Information Gathering Document for accuracy and completeness. Please also respond to the items highlighted in yellow.

Comment 28

[vptuotanto]

Attachment: Inspecta audit letter server certificate

Comment 29

[vptuotanto]

Attachment: Ficora audit letter

Comment 30

[Kathleen Wilson]

(In reply to Kathleen Wilson from comment #27)
> Created attachment 532285 [details]
> Updated Information Gathering Document
> 
> Please review the attached Updated Information Gathering Document for
> accuracy and completeness. Please also respond to the items highlighted in
> yellow.


There are still items highlighted in yellow in the attached document that need to be addressed. It's possible that the information is simply outdated. If so, please provide current information.

Also,please provide responses to the recent CA Communication.
https://wiki.mozilla.org/CA:Communications#January_10.2C_2013

Comment 31

[Kathleen Wilson]

Closing this bug due to inactivity.

If root inclusion is needed, please file a new bug as described here:
https://wiki.mozilla.org/CA:How_to_apply