Closed Bug 1267049 Opened 4 years ago Closed 3 years ago

Izenpe: EV certificate with various issues

Categories

(NSS :: CA Certificate Compliance, task)

task
Not set

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: kwilson)

References

Details

(Whiteboard: [ca-compliance])

Hi,

The following EV certificate has various issues:
https://crt.sh/?id=17046158&opt=x509lint,cablint

- It does not have a localityName, which is required for EV certificates
- The Subject Alternative Name has entries for email and DirName which are not allowed by the BR requirements.
- The policy extension's user notice explicitText is using a VisibleString, which is forbidden in RFC 5280; it should use a UTF8String, but may use an IA5String.
Iñigo, please respond in this bug to the issues listed above.
Assignee: kwilson → i-barreira
Yes, it's true and known.
This issue is due to a specific certificate defined by the ministry of public administrations of Spain, which by law mandated all public administration web sites to use an SSL certificate called "sede electrónica" which has this unfortunate definition.
We've been discussing with them, letting them know of the issues, but they haven't paid attention until now due to the new eIDAS regulation, so I helped them to define the new "sede electrónica" SSL cert which will be a Qualified Website Authentication Certificate as defined and regulated by eIDAS, which is going to be based on the EV certificate profile plus some additional attributes like the QcStatements indicating these are qualified certificates.
To issue those certificates the CA/TSP has to be certified in EN 319 411-2.

We're planning to start issuing these new "sede electrónica" certificates in June and are thinking about a possible solution for those already issued.

Regards
Can you clarify what those requirements are and how they conflict with the BRs? Is this just about the subjectAlternativeNames?
Yes, the issue is just with the SANs due to some specific OIDs of the Spanish ministry which are going to be removed in the new version to follow what the BRs and EVs say.

Regards
Assignee: i-barreira → kwilson
We already have updated the EV certificate profile to:

- Include localityName
- Not include DirName in the Subject Alternative Name. Email is optional
- Use UTF8String in the policy extension's user notice

Unfortunately we must wait until the Spanish Ministry verifies the new profile, so we can't issue certificates in the production environment until we receive the acknowledgement from the Ministry. We'll try to get it as soon as possible.
Regards
Whiteboard: BR Compliance
Summary: izenpe: EV certificate with various issues → Izenpe: EV certificate with various issues
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: BR Compliance → [ca-compliance]
We have already updated our officeEV certificate profile. You can review it if you want by looking at the last issued certificate: https://crt.sh/?id=107055394

Best regards
Status: UNCONFIRMED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS