Closed Bug 667466 Opened 13 years ago Closed 5 years ago

Add PSC-FII AC Certificate as trust anchor

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Platform:
All
Other
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: mosorio, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: [ca-verifying] - Need BR Self Assessment)

Attachments

(22 files, 1 obsolete file)

Pantallazo.png
89.60 KB, image/png
Details
PSC_FII Certificate Policy
2.34 MB, application/octet-stream
Details
Third Party Validation Letter
192.47 KB, application/pdf
Details
Resume of Third Party Auditor
67.76 KB, application/pdf
Details
Initial CA Information Document
78.19 KB, application/pdf
Details
Aprobar-General_Information_CA.pdf
636.43 KB, application/pdf
Details
Aprobar-080-IPT-F091-POC-Mozilla1.pdf
621.42 KB, application/pdf
Details
comm pub FII 2015f.pdf
176.67 KB, application/pdf
Details
Aprobar-080-IPT-F091-Technical-Mozilla1.pdf
629.54 KB, application/pdf
Details
Aprobar-080-IPT-F091-Technical-Mozilla2.pdf
632.25 KB, application/pdf
Details
PSCPublicodelMppCTIIparaelEstadoVenezolano.cert
3.39 KB, application/x-x509-ca-cert
Details
667466-CAInformation.pdf
144.80 KB, application/pdf
Details
General_Information_CA.pdf
504.59 KB, application/pdf
Details
080-IPT-F091-POC-Mozilla1.pdf
493.09 KB, application/pdf
Details
Auditor_Report.PNG
72.69 KB, image/png
Details
080-IPT-F091-Technical-Mozilla1.pdf
491.70 KB, application/pdf
Details
080-IPT-F091-Technical-Mozilla2.pdf
493.92 KB, application/pdf
Details
Response listed in Comment #39
154.89 KB, application/pdf
Details
667466_CAInformation_PSCFII.pdf
159.63 KB, application/pdf
Details
Response listed in Comment #52.pdf
274.18 KB, application/pdf
Details
Response listed in Comment #56.pdf
216.16 KB, application/pdf
Details
1 PLAN DE AUDITORÍA TÉCNICA AL PSC FII 2017 Firmado.pdf
176.23 KB, application/pdf
Details
Attached image Pantallazo.png 
User Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build ID: 20110504060048

Steps to reproduce:

Our certificates are being used by major Venezuelan entities belonging to the Government on the security of your data. The users who have certificates we provide the requirement that certificates are supported by the Mozilla browser. By presidential decree, the public administration of the Venezuelan State must use all the tools on Free Software.
URL   ar.fii.gob.ve
1.when trying to connect to web servers with CA certificates generated by the PSC-FII indiccando An exception appears that the connection is unreliable
2.To enter the server exception must be confirmed
3.Another case is when users import the certificate to the browser fails to validate the chain of trust



Actual results:

Distrust of CA
Dissatisfied users.


Expected results:

Not display the exception, allowing the connection with the certificates of the PSC-FII CA is trusted
Group: core-security

    
    

    
  


  

    
    

    
  


  

    
    

    
  
Is this your application for inclusion per our certificate policy: http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html ?

    
    

    
  
(In reply to comment #4)
> Is this your application for inclusion per our certificate policy:
> http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html ?


if this is a request for inclusion in their certificate policy

    
    

    
  
Accepting this bug to begin processing as per:

https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

    
    

    
  

      
      
      
      

        Attached file
          
        PSC-FII Certificate (obsolete)
        — 
      

    


  

    
    

    
  
Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP

I imported the “PSC Público del MCT para el Estado Venezolano” cert and tried to access https://ar.fii.gob.ve using my Firefox browser (with OCSP enforced), and I got the following error: 

An error occurred during a connection to ar.fii.gob.ve.
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)

    
    

    
  
Also, please provide all of the information listed in items #3, #4, and #5 of

https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

I did not find sufficient information regarding the verification procedures in DPC_English.doc.

    
    

    
  
Greetings, I would like to know if we can resume the process for inclusion in this certificate. and verify the information missing

thanks

    
    

    
  
(In reply to Marianella from comment #10)
> Greetings, I would like to know if we can resume the process for inclusion
> in this certificate. and verify the information missing

We can proceed after a representative of this CA provides responses to Comment #8 (need test website whose SSL cert chains up to this root), and Comment #9.

    
    

    
  
Please rerun test comment # 8

regards

Marianella

    
    

    
  
(In reply to Marianella from comment #12)
> Please rerun test comment # 8

I looked into this further, and I see that the SSL cert for https://ar.fii.gob.ve chains up to a different cert than the one currently in this request. 
Please provide the current information for:
http://www.mozilla.org/projects/security/certs/pending/#PSC-FII

    
    

    
  
(In reply to Kathleen Wilson from comment #13)

To download the certificate from our CA please go to this link:

https://ar.fii.gob.ve/cgi-bin/openca/pub/pki?cmd=getStaticPage&name=index

There are certificates for both the Sha1 algorithm as Sha256.

Thanks

    
    

    
  
greetings;

We would like to know how the process of verification of the requirements for inclusion.


Thank you ..

    
    

    
  
(In reply to Marianella from comment #14)
> To download the certificate from our CA please go to this link:
> https://ar.fii.gob.ve/cgi-bin/openca/pub/pki?cmd=getStaticPage&name=index
> There are certificates for both the Sha1 algorithm as Sha256.

I don't know Spanish, so you will have to provide the exact URL to the certificates. Are you requesting inclusion for both the Sha1 and Sha256 certs?

(In reply to Marianella from comment #15)
> We would like to know how the process of verification of the requirements
> for inclusion.

Please see Comment #9.

    
  
Whiteboard: Information incomplete

    
    

    
  


  
The attached document shows the current status of this request.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.

    
    

    
  
(In reply to Kathleen Wilson from comment #16)

We're just going to include the certificate Sha256, I was gathering the information requested to send.

thanks

    
    

    
  
Good afternoon, Kathleen.

I write to let you know that from now on I will be responsible for inclusion request of CA certificate PSC-FIIDT.

In this sense, I would like to know how the Audit Report from PSC-FIIIDT will be delivered to you, taking into consideration that it is a confidential document, and we do NOT want this information to be shown.

We are presently revieving all Mozilla requirements.

Regards.

    
    

    
  
(In reply to Mildred Osorio from comment #19)
> In this sense, I would like to know how the Audit Report from PSC-FIIIDT
> will be delivered to you, taking into consideration that it is a
> confidential document, and we do NOT want this information to be shown.


According to Mozilla policy and practices, audit statements (which are typically high-level summaries) are expected to be made publicly available.

http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
"17. We rely on publicly disclosed documentation ... and publicly disclosed audit statements"

https://wiki.mozilla.org/CA:Recommended_Practices#Audit_Criteria
"All documents supplied as evidence should be publicly available."

You may find examples of public audit statements here:
http://www.mozilla.org/projects/security/certs/pending/

    
    

    
  
Maria, Please add a comments and attachments to this bug to provide the information listed here:
https://wiki.mozilla.org/CA:Information_checklist

    
    

    
  
(In reply to Kathleen Wilson from comment #21)
> Maria, Please add a comments and attachments to this bug to provide the
> information listed here:
> https://wiki.mozilla.org/CA:Information_checklist

Hi Hi Kathleen Wilson change the user account normalizacion.pscfii@gmail.com, to continue the process we are sending the file with the overview of the CA.

    
    

    
  


  
General Information CA PSC-FII

    
    

    
  


  
CA PRIMARY POINT OF CONTACT (POC)

    
    

    
  

      
      
      
      

        Attached file
          
        comm pub FII 2015f.pdf
      

    


  
CA Audit Report

    
    

    
  
PSC Publico del MppCTII para el Estado Venezolano (PSC-FII)  is a subCA under the venezuelan root of certification ("Sistema Nacional de Certificacion Electronica")

    
    

    
  


  
TECHNICAL INFORMATION OF  PSC PUBLICO DEL MPPCTII PARA EL ESTADO VENEZOLANO (PSC-FII)

    
    

    
  


  
TECHNICAL INFORMATION ABOUT EACH ROOT CERTIFICATE

    
    

    
  


  

        Attachment #542275 -
        Attachment is obsolete: true

    
    

    
  


  
I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.

    
    

    
  
Hi Kathleen,

Sorry, I will upload the information again. The Attachments were to electronic signatures will try only to pdf.Thanks for the help.

Regards,
María Liendo

    
    

    
  


  
correct information by replacing obsolete attachments

    
    

    
  


  

    
    

    
  
correct information by replacing obsolete attachments

    
    

    
  

      
      
      
      

        Attached image
          
        Auditor_Report.PNG
      

    


  
Image Report of auditor

    
    

    
  


  
correct information by replacing obsolete attachments

    
    

    
  


  
correct information by replacing obsolete attachments

    
    

    
  
SUSCERTE certificate link: https://acraiz.suscerte.gob.ve/sites/default/files/certificados/CERTIFICADO-RAIZ-SHA384.crt

PSC-FII certificate link: https://ar.fii.gob.ve/pub/cacert/cacert.crt

PSC-FII is signaed by SUSCERTE ROOT.

    
    

    
  
(In reply to Kathleen Wilson from comment #30)
> Created attachment 8670019 [details]
> 667466-CAInformation.pdf
> 
> I have entered the information for this request into Salesforce.
> 
> Please review the attached document to make sure it is accurate and
> complete, and comment in this bug to provide corrections and the additional
> requested information.

I'm still not finding the information I need, so I'll list here what the CA needs to provide:

1) CA's response to each of the items listed in https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices

2) CA's response to each of the items listed in https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices

3) resolve all errors returned by https://certificate.revocationcheck.com/publicador-psc.fii.gob.ve


4) Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CA should consider if such constraints may be applied to their root cert

5) Can this certificate sign externally-operated subCA certificates?

6) Can any 3rd party directly cause the issuance of a certificate chaining up to this "PSC Publico del MppCTII para el Estado Venezolano" cert?

7) Need a BR audit as described here: https://wiki.mozilla.org/CA:BaselineRequirements

8) NEED section in the CP/CPS that has the commitment to comply with the BRs as described in section 2.2 of version 1.3 of the CA/Browser Forum's Baseline Requirements.

9) Sections of CP/CPS that sufficiently describe the verification steps that are taken to confirm the ownership/control of the domain name to be included in the SSL/TLS cert. (in English)
As per section 3 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

10) CP/CPS sections that describe identity and organization verification procedures for cert issuance. (in English)

11) Sections of CP/CPS that sufficiently describe the verification steps that are taken to confirm the ownership/control of the email address to be included in the cert. (in English)
As per section 4 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control

12) CA response (and corresponding CP/CPS sections/text) to section 6 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

13) CA response (and corresponding CP/CPS sections/text) to section 7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

    
    

    
  
Hi Kathleen Wilson 
Giving Continuity to the process of inclusion of the PSC-FII CA, we ask for the exclusion of following accounts:
mosorio@fii.gob.ve 
cperez@fii.gob.ve 
jpayne@fii.gob.ve 
karog@fii.gob.ve 
pcastillo@suscerte.gob.ve 
ycova@fii.gob.ve 
zorellyg@fii.gob.ve 
This request is due to this staff is no longer part of the PSC-FII. They must not receive notification about this process. 

Please include the following accounts:
kpichardo@fii.gob.ve (Karen Pichardo)
mliendo@fii.gob.ve (Maria Liendo)
dsandoval@fii.gob.ve (Daniel Sandoval)

The current responsible of the BUG 667466 is normalizacion.pscfii@gmail.com.
We are waiting for your prompt response.
Thanks a lot

    
    

    
  
(In reply to PSCFII from comment #40)
> Hi Kathleen Wilson 
> Giving Continuity to the process of inclusion of the PSC-FII CA, we ask for
> the exclusion of following accounts:
> mosorio@fii.gob.ve 
> cperez@fii.gob.ve 
> jpayne@fii.gob.ve 
> karog@fii.gob.ve 
> pcastillo@suscerte.gob.ve 
> ycova@fii.gob.ve 
> zorellyg@fii.gob.ve 
> This request is due to this staff is no longer part of the PSC-FII. They
> must not receive notification about this process. 

I removed them from the CC list in this bug.

> 
> Please include the following accounts:
> kpichardo@fii.gob.ve (Karen Pichardo)
> mliendo@fii.gob.ve (Maria Liendo)
> dsandoval@fii.gob.ve (Daniel Sandoval)

They will need to sign up for a Bugzilla account: https://bugzilla.mozilla.org/createaccount.cgi
Then add themselves to the CC list in this bug.

> 
> The current responsible of the BUG 667466 is normalizacion.pscfii@gmail.com.
> We are waiting for your prompt response.

I'm not sure what response you are waiting for from me.

A representative of the CA needs to provide the requested information, as listed in Comment #39.
Whiteboard: Information incomplete → Information incomplete -- See Comment #39

    
  
Blocks: 1302431

    
    

    
  


  
thanks for the recommendation to create accounts for dsandoval@fii.gob.ve, kpichardo@fii.gob.ve and mliendo@fii.gob.ve

At the same time we are sending the rsepuesta comment # 39 in the Attachment.

regards

    
    

    
  
Dear Katheleen Wilson

We are interested in knowing the answer to Mozilla about the file (667466-CAInformation - PSCFII.pdf) sent  to answer the information AC PSC-FII.

Regards.

    
    

    
  
(In reply to PSCFII from comment #42)
> Created attachment 8794293 [details]
> Response listed in Comment #39
> 
> thanks for the recommendation to create accounts for dsandoval@fii.gob.ve,
> kpichardo@fii.gob.ve and mliendo@fii.gob.ve
> 
> At the same time we are sending the --------- comment # 39 in the Attachment.
> 
> regards

thanks for the recommendation to create accounts for dsandoval@fii.gob.ve, kpichardo@fii.gob.ve and mliendo@fii.gob.ve

At the same time we are sending the response comment # 39 in the Attachment.

regards

    
    

    
  
Aaron and Francis, 
Please proceed with Information Verification for the document attached to Comment #42.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Thanks!

    
    

    
  
(In reply to Kathleen Wilson from comment #45)
> Aaron and Francis, 
> Please proceed with Information Verification for the document attached to
> Comment #42.
> https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
> Thanks!

Dear Kathleen, Aaron and Francis

On the File sent "667466-CAInformation - PSCFII" responses are edited using the comment published in PDF and highlighted in yellow.

We appreciate your attention, we welcome your comments..

Thank you very much Kathleen

Regards

    
    

    
  
hi PSCFII,

although you have provided updates, most of them still refer to CP/CPS in your original language.
i have tried to search on your website: https://publicador-psc.fii.gob.ve/pc/
in the English version of CP: https://publicador-psc.fii.gob.ve/docs/DPC_PC2016/PC/pc%20natural/080-PCN-F015-INGLES.pdf, section 4, 5, 11, 13 and more all refer to CPS (080-CPS-F014) which is not found.

in order to accelerate the process, please provide direct link for both CP and CPS in English version.

thank you very much

    
    

    
  
Hi Francis

As you say the CP make references to the CPS and the link to the English version it is:
https://publicador-psc.fii.gob.ve/docs/DPC_PC2016/DPC/080-DPC-F014-INGLES.pdf.

In the document or file will be able to observe all referenced sessions.

Grateful for the attention.

PSC-FII.

    
    

    
  
Hi Francis

Waiting're right, if they have questions of our DPC and PC inform us to respond.

Regards.

PSC-FII

    
    

    
  
Hi Francis

We reiterate our availability to let them get any document or answer any questions that a well considered in reference to our request.

Regards.

PSC-FII

    
    

    
  
Hi Francis 

If you need more information please warn us. 

Regards.


PSC-FII

    
    

    
  


  
hi PSCFII,

please refer to the attachment for the latest information verification status.
as Mozilla has added some new cases in the verification process, i would like to invite you to pay attention on following items:

1. in PSC-FII case:
there are '????' requires your feedback in both recommended practice and problematic practice. some of them may be partially answered in your CPS, but it is important that you read through our policy as acknowledgement and provide the exact section number. 
2. in Root case:
please check 'Need response from CA' item. Some of them were answered previously, but it requires further information.

thank you very much

    
    

    
  
Hi Francis


The PSC-FII case is as follows:

The PSC-FII is a Sub -CA of the “ Autoridad de Certificacion Raiz del Estado Venezolano” root certificate owned by SUSCERTE (Superintendencia de Servicios de Certificación Electrónica ), which is part of the Ministry of People's Power for Higher Education, Science and Technology  in the Bolivarian Republic of Venezuela. 
SUSCERTE is a national government CA that provides electronic certification services to the Bolivarian Republic of the Government of Venezuela.

We accept mozilla policies and we will send back the document for review. 

Thank you very much.
PSC-FII

    
    

    
  
hi PSCFII,

here it's a good example of CP/CPS, it may be helpful for you.

https://wiki.mozilla.org/CA:Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

thank you very much
Assignee: kwilson → frlee

    
    

    
  
hi PSCFII,

besides the pdf file which i provided in comment 52, i have re-tested the revocation part and please find the result here: https://pageshot.net/u4BtbuuQxmRKUzG9/certificate.revocationcheck.com

all errors should be fixed except the last one 'We could not identify the issuer for this certificate'.

for your reference, please find the test instructions below:

In the Root Case for " PSC Publico del MppCTII para el Estado Venezolano"...
- Root Certificate Download URL -- https://bugzilla.mozilla.org/attachment.cgi?id=8670003
- 'View' button to Examine the CA certificate
- 'Details'
- 'Export...' button
- Save in Format "X.509 Certificate (PEM)". (e.g. PSCPublicodelMppCTIIparaelEstadoVenezolano.crt)
-  'Close' button
- 'Trust this CA to identify websites' checkbox, then 'OK'

Go back to the Root Case for "PSC Publico del MppCTII para el Estado Venezolano"...
- Test Website URL -- https://publicador-psc.fii.gob.ve/
-  green lock icon at the left of the URL entry area at the top of the window.
- ">"
- 'More Information'
- 'View Certificate'
- 'Details'
- Select which cert you want to save, then 'Export...' (e.g. publicador-pscfiigobve.crt)

View the certs
- https://people-mozilla.org/~dkeeler/certsplainer/
- 'Browse...'
- Select one of the .crt files, view the cert info.

in the revocation test website: https://certificate.revocationcheck.com/
- 'Certificate Upload'
- In 'Certificate' field copy/paste the data in the text box of certsplainer for the publicador-pscfiigobve.crt file, from "----BEGIN..." to "END CERTIFICATE-----".
- In 'Issuer Certificate' field copy/paste the data in the text box of certsplainer for the PSCPublicodelMppCTIIparaelEstadoVenezolano.crt file.
- 'Check Revocation Status'

Note: Be careful not to have extra spaces or line feeds before and after  "----BEGIN..." and "END CERTIFICATE-----".

thank you very much

    
    

    
  


  
Hi Francis

 Response listed in Comment #39

 Regards and thank

    
    

    
  


  
Hi Francis

 Response listed in Comment #56

 Regards and thank

    
    

    
  
hi PSCFII,

based on the responses you provided, there are still some items required clarification (ex. need to be mentioned in your CP/CPS) and testing errors need to be fixed. please refer to following items:

in the attachment 8814777 [details]

1. Response to Mozilla's list of Potentially Problematic Practices:

-Item #2:
your response regarding Wildcard DV SSL certificates was "not defined in the CPS nor the CP".  Since you are requesting that the Websites trust bit be enabled for this certificate, the CP or CPS must indicate your CA's policies in regards to wildcard SSL certificates. Can Wildcard SSL certificates be issued? If yes, what verification must be done regarding the domains to be included in the wildcard SSL certificates? There must be enough information in the CP or CPS for us to determine if the CA's publicly documented policies comply with the CA/Browser Forum's Baseline Requirements.

-Item #3 only applies if the CA's CP/CPS says that they can validate ownership of the domain name by exchanging email with the Domain’s administrator using an email address created by pre‐pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at‐sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN.
If CA can validate domain ownership/control in this way, then CA has to specify which of the above list may be used. If the CA verifies domain name ownership/control in a different way, then item #3 is not applicable.

-Item #9 does need to be addressed in the CA's CP/CPS, and must show compliance with the BRs. Either the CP/CPS needs to say that internal domain names are not allowed, or there needs to be proper authentication according to the BRs.

2. Test Results (When Requesting the SSL/TLS Trust Bit)

-We recommend CA to try the following test website so that errors can be fixed and verified. only mentioning 'The certificate of the CA of the PSC-FII, has as critical the extension keyUsage in CPS' is not enough to prove existing errors are fixed. Also, there are 2 others errors as listed below:

test website: https://crt.sh/
in CA/Browser Forum lint:
ERROR: CA certificates must set keyUsage extension as critical
in X.509 lint:
ERROR: Invalid type in SAN entry
ERROR: IP address in dns name

3. CA Hierarchy Information

-it is not enough to say 'No restriction in the CPS nor the CP' for cross singing. Moz needs to know if the CA is allowed to cross-sign with other entities or not. It is possible that SUSCERTE forbids that in their CP/CPS. But Moz needs to know if PSCFII allows it or not.

4. Verification Policies and Practices

-BR audit: Please provide BR statement file link for verification purpose.
in your CPS section 17.1, 17.2 and 17.4, it doesn't mention the actual audit result/details which proves that your certificate comply with BRs.

-BR Commitment to Comply: in CPS section 4, its hard to confirm that PSC-FII committed to comply with BR.
NEED section in the CP/CPS that has the commitment to comply with the BRs as described in section 2.2 of the CA/Browser Forum's Baseline Requirements (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf). in CPS section 4, RFC 3647 was mentioned, but there's no statement such as whether PSCFII reviews CAA records? if so, any policy or practice on processing CAA Records for Fully Qualified Domain Names, etc.

thank you very much
Assignee: frlee → awu

    
  
Whiteboard: Information incomplete -- See Comment #39 → [ca-verification] -- See Comment #39

    
  
Whiteboard: [ca-verification] -- See Comment #39 → [ca-verifying] -- See Comment #39

    
    

    
  
Hi PSCFII,

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any question, thank you!


Kind regards,
Aaron

    
  
Whiteboard: [ca-verifying] -- See Comment #39 → [ca-verifying] - Need BR Self Assessment

    
    

    
  
Mr. Aaron Wu

We are currently updating the identity authentication methods for issuing SSL certificates.

To proceed to the publication on our website https://ar.fii.gob.ve of the documents of the Certification Practice Statement (CPS) and Certificate Policy (CP). Execution of the annual technical audit to PSC-FII, by an external auditor.

At the end of the application, you will be asked to include the certificate of the PSC-FII in the Mozilla browser.

Thank you very much for the attention, we will be informing to reotmar the request and validation of the fulfillment of the requirements of Mozilla.

Regards and thank

    
  
Product: mozilla.org → NSS

    
    

    
  
Dear Mr. Aaron Wu
As for the special requirement of the issuance of the Audit Charter in English language, and its publication on the external auditor's website, you can access through the following links:

1. Indirect:

Http://www.penscric.com.ve/Principal/index.php/auditorias  

2. Direct:

Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.pdf 

Regards and thanks
Flags: needinfo?(awu)

    
    

    
  


  
External audit report to PSC-FII, June 05, 2017.

    
    

    
  
(In reply to PSCFII from comment #61)
> Dear Mr. Aaron Wu
> As for the special requirement of the issuance of the Audit Charter in
> English language, and its publication on the external auditor's website, you
> can access through the following links:
> 
> 1. Indirect:
> 
> Http://www.penscric.com.ve/Principal/index.php/auditorias  
> 
> 2. Direct:
> 
> Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.
> pdf 
> 
> Regards and thanks

Thanks for providing the document above, it seems I cannot access the link as Server not Found. Could you double check the url? Thank you!

Kind regards,
Aaron
Flags: needinfo?(awu)

    
    

    
  
(In reply to Aaron Wu from comment #63)
> (In reply to PSCFII from comment #61)
> > Dear Mr. Aaron Wu
> > As for the special requirement of the issuance of the Audit Charter in
> > English language, and its publication on the external auditor's website, you
> > can access through the following links:
> > 
> > 1. Indirect:
> > 
> > Http://www.penscric.com.ve/Principal/index.php/auditorias  
> > 
> > 2. Direct:
> > 
> > Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.
> > pdf 
> > 
> > Regards and thanks
> 
> Thanks for providing the document above, it seems I cannot access the link
> as Server not Found. Could you double check the url? Thank you!
> 
> Kind regards,
> Aaron

For the links above, I tried different browsers, location and computers, even asked two engineers to test but still cannot access. There may be an IP issue, please help to figure out the way to access. Thank you!

Kind regards,
Aaron

    
    

    
  
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson

    
    

    
  
Closed due to lack of response by CA.


Status: ASSIGNED → RESOLVED
Closed: 5 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Product: NSS → CA Program

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: