Closed Bug 342426 Opened 18 years ago Closed 17 years ago

Add Firmaprofesional root CA certificate (Spain)

Categories

(CA Program :: CA Certificate Root Program, task)

PowerPC
macOS
task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: hecker)

References

()

Details

I've received a request from Firmaprofesional SA, a CA in Spain, to add a root CA certificate. I've added information about Firmaprofesional to my CA certificate list (see the URL above).

Firmaprofesional has successfully completed a WebTrust audit. At this point I need to look more closely into the types of certificates they issue (through a subordinate CA) and what types of verification are done for those certificates.
Status: NEW → ASSIGNED
Here's more information about Firmaprofesional, based on the information on their public web site (also confirmed by a Firmaprofesional representative via email):

1. Firmaprofesional has a single root CA and a single subordinate CA under that root. End entity certs are issued only by the subordinate CA.

2. The FP subordinate CA issues two general types of certificates:

* individual certificates for use by members of professional associations and others
* SSL server certificates

Firmaprofesional is not really in the business of issuing code signing certificates (though they may have issued some in the past.)

2. For certificates issued to individuals Firmaprofesional validates identity using government-issued identity documents. Based on my reading of the relevant CP (guessing at the English translation) they appear to do this as well for SSL server certificates; I'm awaiting clarification on this.

Here are my quick thoughts on Firmaprofesional vis-a-vis the requirements of our CA certificate policy <http://www.mozilla.org/projects/security/pki/nss/ca-certificates/policy.html>:

Section 4. I'm not aware of any technical issues with certificates issued by
Firmaprofesional's root CA or subordinate CA. If anyone sees any technical problems with Firmaprofesional-issued certs please note it in this bug report.

Section 6. Firmprofesional appears to provide a service relevant to Mozilla users: As noted above, Firmaprofesional is a public commercial CA, similar to CAs we've previously approved that operate in particular countries around the world (e.g., ipsCA, another CA based in Spain). Firmaprofesional policies are documented in the CPS and CP documents listed on the ca-certificate-list page referenced above.

Section 7. Pending confirmation of its procedures for SSL certs, Firmaprofesional appears to meet the minimum requirements for subscriber
verification, doing validation of identity for all types of certificates that it issues.

Section 8-10. Firmaprofesional has successfully completed an independent audit using the WebTrust criteria; the auditors were Ernst & Young. For more certification-related information see <http://www.firmaprofesional.com/doc/certificaciones.htm>.

Section 13. As noted above, Firmaprofesional has a single subordinate CA under the single Firmaprofesional root, and that subordinate CA appears to issue certificates at the equivalent of a single validation level.

Other: Firmaprofesional issues its own CRLs for the root CA and subordinate CA; it's not yet clear to me what the CRL issuance schedule is. I haven't yet figured out what they do with regard to OCSP.

The bottom line: Based on the information available to me thus far I'm inclined
to approve inclusion of this CA certificate into the default Mozilla list, assuming I get final clarifications on stuff like the validation procedures for SSL certs. I'll allow a few days of comment and then make my final decision.
Ricardo Palomares Martinez translated section 3.1.7 of the Firmaprofesional CP document, the section dealing with verification procedures for SSL certificates. (Thanks!) As I had thought, Firmaprofesional does validate the identity of people requesting SSL certificates and for certificates issued to organizations verifies that the applicants are authorized to apply on behalf of their organizations.

Based on this confirmation and the comment period having ended, I'm now approving Firmaprofesional's request to have its root CA certificate included in Mozilla, and will proceed to file a corresponding bug against NSS.

Depends on: 343662
This is an enhancement request.
Severity: normal → enhancement
QA Contact: ca-certificates
The Firmaprofesional cert was added to NSS in September 2006, in bug 343662.

Resolving this one.

Gerv
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Summary: Request to add Firmaprofesional root CA certificate → Add Firmaprofesional root CA certificate (Spain)
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.