Closed
Bug 957548
Opened 10 years ago
Closed 10 years ago
Enable EV for Actalis Authentication Root CA
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: adriano.santoni, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: EV enabled in Firefox 34)
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/32.0.1700.68 Safari/537.36

Steps to reproduce:

We request to enable EV treatment for SSL Server certificates issued under Actalis Authentication Root CA. The root is already included in Firefox since version 16 (see bug #520557).

The following policy OID identifies EV SSL Server certificates issued by our CA: 1.3.159.1.17.1

Our CPS (English translation) can be found at http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.3_EN.pdf

Our audit statement can be found at http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf

Our test web site is https://ssltest-a.actalis.it:8443

I am also attaching a picture showing the result of our testing with Nightly, as per instructions at https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Assignee
Updated•10 years ago
Assignee: nobody → kwilson
Component: Security: PSM → CA Certificates
Product: Core → mozilla.org
Version: unspecified → other
Assignee
Comment 1•10 years ago
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee
Updated•10 years ago
Whiteboard: EV - information incomplete
Assignee
Comment 2•10 years ago
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness, and provide the necessary information in this bug.
Reporter
Comment 3•10 years ago
See our responses in the attachment.
Reporter
Comment 4•10 years ago
Responses to questions and issues raised in "957548-CAInformation"
Assignee
Comment 5•10 years ago
Thanks for the information. Please add a comment to this bug when the website has been updated to point to the new CPS documents, in particular: http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali
Reporter
Comment 6•10 years ago
Our most recent CPS (v2.2.5) was already published on Feb 17th, but we forgot to align the EN-language section of our website. Now it's all updated, thank you for pointing that out.
Assignee
Comment 7•10 years ago
Assignee
Comment 8•10 years ago
I'll try to start the discussion soon. https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - information incomplete → EV - Information confirmed complete
Assignee
Comment 9•10 years ago
I am now opening the first public discussion period for this request from Actalis to enable EV treatment for the “Actalis Authentication Root CA” root certificate that was included in NSS via bug #520557.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Actalis Request to Enable EV Treatment”.

Please actively review, respond, and contribute to the discussion.

A representative of Actalis must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
Assignee
Comment 10•10 years ago
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/about/governance/policies/security-group/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to enable EV treatment for the “Actalis Authentication Root CA” root certificate that was included in NSS via bug #520557.

Section 4 [Technical]. I am not aware of instances where Actalis has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. Actalis appears to provide a service relevant to Mozilla users: It is a public CA offering PKI services to a wide number of customers, mainly banks and local government. Actalis is a Qualified certification service provider according to the EU Signature Directive (Directive 1999/93/EC). Actalis designs, develops, delivers and manages services and solutions for online security, digital signatures and document certification; develops and offers PKI-enabling components, supplies complete digital signature and strong authentication kits (including hardware and software), delivers ICT security consultancy and training.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main document of interest is the CPS for SSL and Code Signing Certs, which is provided in Italian and English.
http://portal.actalis.it/Info/cmsContent?cmsRef=actalis/Info/Manuali

CPS for SSL and Code Signing Certs (English): http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/CPS_SSLServer_CodeSigning_v2.2.5_EN.pdf

Section 7 [Validation]. Actalis appears to meet the minimum requirements for subscriber verification, as follows:
* SSL: Actalis verifies the legal existence of the organization requesting the certificate, the identity of the certificate subscriber, and that the certificate subscriber has the exclusive right to use the domain name(s) to be listed in the certificate. This is documented in sections 3.2 and 3.3 of the CPS for SSL and Code Signing Certs.
* Email: Not Applicable. Actalis is not requesting the Email trust bit at this time.
* Code: Actalis verifies the legal existence of the organization requesting the certificate, and the identity and authority of the certificate subscriber. This is documented in sections 3.2 and 3.3 of the CPS for SSL and Code Signing Certs.

Section 18 [Certificate Hierarchy].
* The Actalis Authentication Root CA currently has one subordinate CA that is internally-operated.
* EV Policy OID: 1.3.159.1.17.1
* OCSP
http://portal.actalis.it/VA/AUTH-ROOT
http://ocsp03.actalis.it/VA/AUTH-G2
OCSP responses have an expiration time of 1 day

Sections 11-14 [Audit].
* Annual audits are performed by IMQ (http://www.imq.it/) according to the ETSI TS 102 042 criteria with reference to EV Guidelines v1.3.
http://portal.actalis.it/cms/translations/en/actalis/Info/Solutions/Documents/ActalisCA_Audit_Statement.pdf (2013.10.18)
In the audit statement: “During the Certification Authority audit it was also verified that the above-mentioned certification services meet the requirements of the following specification: “Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates”, v.1.1…”

Based on this assessment I intend to approve this request to enable EV treatment for the “Actalis Authentication Root CA” root certificate.
Whiteboard: EV - In Public Discussion → EV - Pending approval
Assignee
Comment 11•10 years ago
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from Actalis to enable EV treatment for the following root certificate.

** “Actalis Authentication Root CA” (websites, code signing), enable EV.

I will file the PSM bug for the approved change.
Whiteboard: EV - Pending approval → EV - Approved - awaiting PSM
Assignee
Comment 12•10 years ago
I have filed bug #991215 against PSM for the actual change.
Assignee
Updated•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting PSM → EV enabled in Firefox 34
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program