Closed Bug 1281002 Opened 9 years ago Closed 6 years ago

Add Certicamara S.A root certificate(s)

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: tics, Assigned: kathleen.a.wilson)

Details

(Whiteboard: [ca-verifying] - KW Comment #14 2018-04-10 - Email trust bit only)

Attachments

(2 files)

CA Details
----------
CA Name: CERTICAMARA S.A.
Website: www.certicamara.com
One Paragraph Summary of CA, including the following:
- General nature: Commercial
- Primary geographical area(s) served: Colombia and Andean Region
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Deloitte
Auditor Website: http://www2.deloitte.com/co/es.html
Audit Document URL(s): https://cert.webtrust.org/ViewSeal?id=1920

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root certificates in the store, not intermediates.)
Certificate Name: AC Raíz Certicámara S.A.
Summary Paragraph, including the following:
- End entity certificate issuance policy (i.e. what you plan to do with the root) This is the unique root certificate authorized by Industry & Commerce Department of Colombia, also is approved by WebTrust Seal.
- Number and type of subordinate CAs: 2 Subordinates CA.
- Diagram and/or description of certificate hierarchy: attached diagram (CA_HIERARCHY_CERTICAMARA_SA.png).
Certificate download URL (on CA website): http://www.certicamara.com/ac_offline_raiz_certicamara_2016.crt
Version: v3
SHA1 Fingerprint: 54 63 28 3b 67 93 ff 55 27 7c ed e3 90 98 e8 04 22 f9 12 f7
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2016-05-24
Valid To (YYYY-MM-DD): 2031-05-24
CRL HTTP URL: http://www.certicamara.com/repositoriorevocaciones/ac_raiz_certicamara.crl
CRL issuing frequency for subordinate end-entity certificates: 3 days
CRL issuing frequency for subordinate CA certificates: 7 years
OCSP URL: ocsp.certicamara.com
Class (domain-validated, identity/organizationally-validated or EV):
Certificate Policy URL: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/
CPS URL: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root (if applying for SSL):

Please provide the following information so we may begin the Information Verification phase of this request, as described here: https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

NEED:
1) Direct links to:
CA Document Repository
CP/CPS documents for this root certificate and its subordinate CA certificates
If not in English, then provide English translations of the sections of the documents showing commitment to comply to the CA/Browser Forum's Baseline Requirements, and the descriptions of how certificate subscribers are verified (organization and identity verification, domain name verification, email address verification, etc -- must meet the minimum requirements as outlined by the CA/Browser Forum's Baseline Requirements)
2) Requested Trust Bits
State which of the two trust bits you are requesting to be enabled for this root. One or more of:
Websites (SSL/TLS)
Email (S/MIME)
Mozilla’s standpoint is that we should operate the root program in terms of minimizing risk. One way that we can minimize risk is by not enabling more trust bits than CAs absolutely require.
3) Test website URL -- if you are requesting to enable the Websites (SSL/TLS) trust bit ...

We have begun the Information Verification phase, though still need the information listed above. https://wiki.mozilla.org/index.html#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Hello,
1. Our DPC/PC is in Spanish, but we should be able to provide translations for specified parts, please give us a few days so we can translate them.
2. We don't issue SSL certs anymore with this root, please include Email and code signing.
Please remember this is a replacement of previous certificate (currently in the store) rather than a new inclusion.

(In reply to Direccion TICS from comment #4)
> Please remember this is a replacement of previous certificate (currently in
> the store) rather than a new inclusion.
We have to go through the full process, even when the new root is a replacement for a root cert that is currently included. https://wiki.mozilla.org/CA:How_to_apply#Include_a_Renewed_root

(In reply to Direccion TICS from comment #4)
> 2. We don't issue SSL certs anymore with this root, please include Email and
> code signing.
Mozilla is no longer accepting requests to enable the Code Signing trust bit, because we plan to remove the Code Signing trust bit in the next version of Mozilla's CA Certificate Policy.

Hello Kathleen, We understand, please continue with the process with allowed trust bits, we'll be sending DPC translations soon.
Update request: Only requesting the Email trust bit for this root. Aaron and Francis, please update the information for this request in Salesforce to indicate that it is only for the Email trust bit, and clarify which information is still needed.
Sure! I am updating the information into Salesforce and will clarify if any other information needed. Thanks, Aaron
Whiteboard: Information incomplete
Assignee: kwilson → awu
Hi Direccion,
We start to work on information verification phase, as described here: https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

NEED:
1) CP/CPS documents in English for this root certificate and its subordinate CA certificates
If not in English, then provide English translations of the sections of the documents showing commitment to comply to the CA/Browser Forum's Baseline Requirements, and the descriptions of how certificate subscribers are verified (organization and identity verification, domain name verification, email address verification, etc -- must meet the minimum requirements as outlined by the CA/Browser Forum's Baseline Requirements)
2) Requested Trust Bits
State which of the two trust bits you are requesting to be enabled for this root. One or more of:
Email (S/MIME)
3) Test website URL -- if you are requesting to enable the Websites

Please refer to attachment as Comment #3 for more information we need your input accordingly.
Thank you!
Regards, Aaron

Whiteboard: Information incomplete → [ca-verification]
Whiteboard: [ca-verification] → [ca-verifying]
Hi Direccion,
Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note: Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background =
We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.
Description of this new step is here: https://wiki.mozilla.org/CA:BRs-Self-Assessment
It includes a link to a template for CA's BR Self Assessment, which is a Google Doc: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
Phase-in plan is here: https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any question, thank you!
Kind regards, Aaron

Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment
Product: mozilla.org → NSS
Assignee: awu → kwilson
Since this request is to only enable the Email trust bit, there is no need for the BR Self Assessment. I will make a note for myself to loop back to this bug soon. It will take me a few weeks to catch up...
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - Email Trust Bit only
Leonardo, If you would like to proceed with this root inclusion request, then please translate the current version of the DPC into English. I believe this is the document we need in English: https://web.certicamara.com/files/uploads/archivosmarcolegal/DPC_-_Certificados_de_firma_digital._Versi%C3%B3n_febrero_2018_180222003650.pdf
Whiteboard: [ca-verifying] - Email Trust Bit only → [ca-verifying] - KW Comment #14 2018-04-10 - Email trust bit only

Closing this request per delayed response to Comment #14.
If the CA chooses to re-apply, they may start a new root inclusion request as described here:
https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request

Status: ASSIGNED → RESOLVED
Closed: 6 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Product: NSS → CA Program