Add Certicamara S.A root certificate(s)

Status: ASSIGNED
NSS :: CA Certificate Root Program (enhancement)
Opened 2 years ago, updated a month ago
Reporter: Direccion TICS, Assigned: Kathleen Wilson
Whiteboard: [ca-verifying] - KW Comment #14 2018-04-10 - Email trust bit only
Attachments: 2

(Reporter)

Description

2 years ago
Created attachment 8763635 [details]
CA_HIERARCHY_CERTICAMARA_SA.png

CA Details
----------

CA Name: CERTICAMARA S.A.
Website: www.certicamara.com
One Paragraph Summary of CA, including the following:
 - General nature: Commercial
 - Primary geographical area(s) served: Colombia and Andean Region

Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Deloitte
Auditor Website: http://www2.deloitte.com/co/es.html
Audit Document URL(s): https://cert.webtrust.org/ViewSeal?id=1920

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name: AC Raíz Certicámara S.A.
Summary Paragraph, including the following:
 - End entity certificate issuance policy
   (i.e. what you plan to do with the root)
This is the unique root certificate authorized by the Industry & Commerce Department of Colombia; it is also approved by WebTrust Seal.
 - Number and type of subordinate CAs: 2 subordinate CAs.
 - Diagram and/or description of certificate hierarchy: attached diagram (CA_HIERARCHY_CERTICAMARA_SA.png).

Certificate download URL (on CA website): http://www.certicamara.com/ac_offline_raiz_certicamara_2016.crt
Version: v3
SHA1 Fingerprint: 54 63 28 3b 67 93 ff 55 27 7c ed e3 90 98 e8 04 22 f9 12 f7
Public key length (for RSA, modulus length) in bits: 4096
Valid From (YYYY-MM-DD): 2016-05-24
Valid To (YYYY-MM-DD): 2031-05-24

CRL HTTP URL: http://www.certicamara.com/repositoriorevocaciones/ac_raiz_certicamara.crl
CRL issuing frequency for subordinate end-entity certificates: 3 days
CRL issuing frequency for subordinate CA certificates: 7 years
OCSP URL: ocsp.certicamara.com

Class (domain-validated, identity/organizationally-validated or EV):
Certificate Policy URL: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/
CPS URL: https://web.certicamara.com/marco-legal/declaracion-de-practicas-de-certificacion/
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root
(if applying for SSL):
(Assignee)

Comment 1

2 years ago
Please provide the following information so we may begin the Information Verification phase of this request, as described here: https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

NEED:

1) Direct links to:
CA Document Repository
CP/CPS documents for this root certificate and its subordinate CA certificates
If not in English, then provide English translations of the sections of the documents showing commitment to comply with the CA/Browser Forum's Baseline Requirements, and the descriptions of how certificate subscribers are verified (organization and identity verification, domain name verification, email address verification, etc. -- must meet the minimum requirements as outlined by the CA/Browser Forum's Baseline Requirements)

2) Requested Trust Bits
    State which of the two trust bits you are requesting to be enabled for this root. One or more of:
        Websites (SSL/TLS)
        Email (S/MIME)
    Mozilla’s standpoint is that we should operate the root program in terms of minimizing risk. One way that we can minimize risk is by not enabling more trust bits than CAs absolutely require.

3) Test website URL -- if you are requesting to enable the Websites (SSL/TLS) trust bit ...
(Assignee)

Comment 2

2 years ago
We have begun the Information Verification phase, though still need the information listed above.
https://wiki.mozilla.org/index.html#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 3

2 years ago
Created attachment 8782570 [details]
Initial CA Information Document
(Reporter)

Comment 4

2 years ago
Hello,

1. Our DPC/PC is in Spanish, but we should be able to provide translations for specified parts, please give us a few days so we can translate them.

2. We don't issue SSL certs anymore with this root, please include Email and code signing.

Please remember this is a replacement of previous certificate (currently in the store) rather than a new inclusion.
(Assignee)

Comment 5

2 years ago
(In reply to Direccion TICS from comment #4)
> Please remember this is a replacement of previous certificate (currently in
> the store) rather than a new inclusion.

We have to go through the full process, even when the new root is a replacement for a root cert that is currently included.
https://wiki.mozilla.org/CA:How_to_apply#Include_a_Renewed_root
(Assignee)

Comment 6

2 years ago
(In reply to Direccion TICS from comment #4)
> 2. We don't issue SSL certs anymore with this root, please include Email and
> code signing.

Mozilla is no longer accepting requests to enable the Code Signing trust bit, because we plan to remove the Code Signing trust bit in the next version of Mozilla's CA Certificate Policy.
(Reporter)

Comment 7

2 years ago
Hello Kathleen,

We understand, please continue with the process with allowed trust bits, we'll be sending DPC translations soon.
(Assignee)

Comment 8

2 years ago
Update request: Only requesting the Email trust bit for this root.

Aaron and Francis, please update the information for this request in Salesforce to indicate that it is only for the Email trust bit, and clarify which information is still needed.

Comment 9

2 years ago
Sure! I am updating the information in Salesforce and will clarify if any other information is needed.

Thanks,
Aaron
(Assignee)

Updated

2 years ago
Whiteboard: Information incomplete

Updated

2 years ago
Assignee: kwilson → awu

Comment 10

2 years ago
Hi Direccion,

We are starting work on the information verification phase, as described here: https://wiki.mozilla.org/CA:How_to_apply#Information_Verification

NEED:

1) CP/CPS documents in English for this root certificate and its subordinate CA certificates
If not in English, then provide English translations of the sections of the documents showing commitment to comply with the CA/Browser Forum's Baseline Requirements, and the descriptions of how certificate subscribers are verified (organization and identity verification, domain name verification, email address verification, etc. -- must meet the minimum requirements as outlined by the CA/Browser Forum's Baseline Requirements)

2) Requested Trust Bits
    State which of the two trust bits you are requesting to be enabled for this root. One or more of:
        Email (S/MIME)
   

3) Test website URL -- if you are requesting to enable the Websites

Please refer to the attachment in Comment #3 for more information; we need your input accordingly. Thank you!

Regards,
Aaron

Updated

a year ago
Whiteboard: Information incomplete → [ca-verification]

Updated

a year ago
Whiteboard: [ca-verification] → [ca-verifying]

Comment 11

a year ago
Hi Direccion,

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any questions, thank you!


Kind regards,
Aaron

Updated

a year ago
Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment

Updated

a year ago
Product: mozilla.org → NSS
(Assignee)

Comment 13

4 months ago
Since this request is to only enable the Email trust bit, there is no need for the BR Self Assessment.

I will make a note for myself to loop back to this bug soon. It will take me a few weeks to catch up...
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - Email Trust Bit only
(Assignee)

Comment 14

a month ago
Leonardo, if you would like to proceed with this root inclusion request, then please translate the current version of the DPC into English.

I believe this is the document we need in English:
https://web.certicamara.com/files/uploads/archivosmarcolegal/DPC_-_Certificados_de_firma_digital._Versi%C3%B3n_febrero_2018_180222003650.pdf
Whiteboard: [ca-verifying] - Email Trust Bit only → [ca-verifying] - KW Comment #14 2018-04-10 - Email trust bit only