Closed Bug 957548 Opened 10 years ago Closed 10 years ago

Enable EV for Actalis Authentication Root CA

Categories

(CA Program :: CA Certificate Root Program, task)


RESOLVED FIXED

People

(Reporter: adriano.santoni, Assigned: kathleen.a.wilson)

Details

(Whiteboard: EV enabled in Firefox 34)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.68 Safari/537.36

Steps to reproduce:

We request to enable EV treatment for SSL Server certificates issued under Actalis Authentication Root CA. 

The root is already included in Firefox since version 16 (see bug #520557).

The following policy OID identifies EV SSL Server certificates issued by our CA:
1.3.159.1.17.1

Our CPS (English translation) can be found at
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.3_EN.pdf

Our audit statement can be found at
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf

Our test web site is https://ssltest-a.actalis.it:8443

I am also attaching a picture showing the result of our testing with Nightly, as per instructions at
https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Assignee: nobody → kwilson
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
Version: unspecified → other
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - information incomplete
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
See our responses in the attachment.
Responses to questions and issues raised in "957548-CAInformation"
Thanks for the information.

Please add a comment to this bug when the website has been updated to point to the new CPS documents, in particular:
http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali
Our most recent CPS (v2.2.5) was already published on Feb 17th, but we forgot to align the EN-language section of our website. Now it's all updated, thank you for pointing that out.
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - information incomplete → EV - Information confirmed complete
I am now opening the first public discussion period for this request from Actalis to enable EV treatment for the “Actalis Authentication Root CA” root certificate that was included in NSS via bug #520557.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Actalis Request to Enable EV Treatment”.

Please actively review, respond, and contribute to the discussion.

A representative of Actalis must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/about/governance/policies/security-group/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to enable EV treatment for the “Actalis Authentication Root CA” root certificate that was included in NSS via bug #520557.

Section 4 [Technical]. I am not aware of instances where Actalis has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. Actalis appears to provide a service relevant to Mozilla users: It is a public CA offering PKI services to a wide number of customers, mainly banks and local government. Actalis is a Qualified certification service provider according to the EU Signature Directive (Directive 1999/93/EC).  Actalis designs, develops, delivers and manages services and solutions for online security, digital signatures and document certification; develops and offers PKI-enabling components, supplies complete digital signature and strong authentication kits (including hardware and software), delivers ICT security consultancy and training.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main document of interest is the CPS for SSL and Code Signing Certs, which is provided in Italian and English.

http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali 

CPS for SSL and Code Signing Certs (English):
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.5_EN.pdf 

Section 7 [Validation]. Actalis appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: Actalis verifies the legal existence of the organization requesting the certificate, the identity of the certificate subscriber, and that the certificate subscriber has the exclusive right to use the domain name(s) to be listed in the certificate. This is documented in sections 3.2 and 3.3 of the CPS for SSL and Code Signing Certs.

* Email: Not Applicable. Actalis is not requesting the Email trust bit at this time.

* Code: Actalis verifies the legal existence of the organization requesting the certificate, and the identity and authority of the certificate subscriber. This is documented in sections 3.2 and 3.3 of the CPS for SSL and Code Signing Certs.


Section 18 [Certificate Hierarchy]. 
* The Actalis Authentication Root CA currently has one subordinate CA that is internally-operated.

* EV Policy OID: 1.3.159.1.17.1

* OCSP
http://portal.actalis.it/VA/AUTH-ROOT
http://ocsp03.actalis.it/VA/AUTH-G2 
OCSP responses have an expiration time of 1 day

Sections 11-14 [Audit].  
* Annual audits are performed by IMQ (http://www.imq.it/) according to the ETSI TS 102 042 criteria with reference to EV Guidelines v1.3.
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf (2013.10.18)
In the audit statement: “During the Certification Authority audit it was also verified that the above-mentioned certification services meet the requirements of the following specification: “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates”, v.1.1…”

Based on this assessment I intend to approve this request to enable EV treatment for the “Actalis Authentication Root CA” root certificate.
Whiteboard: EV - In Public Discussion → EV - Pending approval
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from Actalis to enable EV treatment for the following root certificate.

** “Actalis Authentication Root CA” (websites, code signing), enable EV.

I will file the PSM bug for the approved change.
Whiteboard: EV - Pending approval → EV - Approved - awaiting PSM
Depends on: 991215
I have filed bug #991215 against PSM for the actual change.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting PSM → EV enabled in Firefox 34
Product: mozilla.org → NSS
Product: NSS → CA Program