Closed
Bug 1302431
Opened 8 years ago
Closed 6 years ago
Add Autoridad de Certificacion Raiz del Estado Venezolano root certificate
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: dscec, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: [ca-hold] - SUSCERTE -- Super-CA of PSC-FII)
CA Details
----------
CA Name: Autoridad de Certificacion Raiz del Estado Venezolano
Website: http://acraiz.suscerte.gob.ve/
Summary of CA:
Root CA of the whole Venezuelan nation. By law, under this Certificate are issued all the SubCAs who serve the End Entities of the country. The SubCAs are institutions both public or private which are authorized (accredited) by Goverment's superintendence to perform this activity (issue Digital Certificates)
- General nature: government
- Primary geographical area(s) served: National (Venezuela)
Audit Type: accredited independient Auditor
Auditor: Choosed each year by a pool of accredited Auditor by The Venezuelan State
Auditor Website:
Audit Document URL(s):
Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)
Certificate Name: ACRaiz (RootCA in English)
Summary Paragraph:
-Root Certificate, top of certificate hierarchy of the whole country. The legality of a certificate will be based upon the issuing by a Certification Authority whose Certificate is signed by this root CA (any Certification Authority must fulfillment severe formalities before be signed by RootCA).
- Number and type of subordinate CAs: by now, two (2). More could be coming. Type: Public Institution (goverment) named PSC-FII, Private Company named PROCERT. Some others institutions or companies are working in become an Certification Authority. The Root CA also provides advice on technology and documentation to help them to achieve the appropriate status.
- Diagram and/or description of certificate hierarchy
ROOT CA <-(root of whole certificate hierarchy of Venezuela)
------- |-----------... (others CA, future)
| |
PROCERT PSC-FII <--(SubCAs) both issues to End Entity
(private (Public (Citizen, Company, SSL, mail signing, etc)
company) Institution)
Certificate download URL (on CA website):
http://acraiz.suscerte.gob.ve/sites/default/files/certificados/CERTIFICADO-RAIZ-SHA384.crt
Version: 3 (0x2)
SHA1 Fingerprint: 39:8E:BE:9C:0F:46:C0:79:C3:C7:AF:E0:7A:2F:DD:9F:AE:5F:8A:5C
Public key length (for RSA, modulus length) in bits: 4096 bit
Valid From (YYYY-MM-DD): Dec 28 16:41:36 2010 GMT
Valid To (YYYY-MM-DD): Dec 23 23:59:59 2030 GMT
CRL HTTP URL: URI:http://www.suscerte.gob.ve/lcr (Format DER)
CRL issuing frequency for subordinate end-entity certificates: Root CA doesn't issue End-Entity Certificates. SubCAs must issue CRL at least once a day
CRL issuing frequency for subordinate CA certificates: 6 months
OCSP URL: URI:http://ocsp.suscerte.gob.ve
Class (domain-validated, identity/organizationally-validated or EV): Root CA just issue SubCA signed Certificates
Certificate Policy URL: http://www.suscerte.gob.ve/dpc
CPS URL: http://www.suscerte.gob.ve/dpc
Requested Trust Indicators (email and/or SSL and/or code signing): just SubCAs (PSC-FII and PROCERT) can have a class of certificate for each use
URL of example website using certificate subordinate to this root
(if applying for SSL): Root CA doesn't issue SSL or SSL-EV Certificates
Assignee | ||
Comment 1•8 years ago
|
||
As per Bug #489240 and https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs
before we may proceed with inclusion of the SUSCERTE root certificate, it needs to be proven that the existing subCAs pass Mozilla's process, and that the National CA is committed to ensuring that their existing and future subCAs will follow Mozilla's policy and process, as well as the CA/Browser Forum's Baseline Requirements, and provide annual public-facing audit statements for their root and subCAs.
As per Bug #593805, the PROCERT subCA has passed Mozilla's approval process, and the PSCProcert certificate has been included in NSS.
As per Bug #667466, the PSC-FII subCA has not yet passed Mozilla's approval process.
Therefore, please complete the inclusion process for Bug #667466 (PSC-FII subCA).
We may move forward with this request in parallel, but Bug #667466 will have to be approved first.
Status: UNCONFIRMED → ASSIGNED
Depends on: 667466
Ever confirmed: true
Whiteboard: Super-CA, need PSC-FII to be approved first
Thanks for answer so fast!
we will try to help (within the normatives and laws) to PSC-FII subCA to get the optimal status to be approved
meanwhile we are working in some few issues that we know we have about Mozilla Policies, Recommended Practices, and Problematic Practices.
we will appreciate if the Mozilla community may help us to find if there is another issues that maybe we didn't realize
Also we would like to ask, for an appropiate way (here, by email, by forum), which warnings o differences (that we found reviewing our PKI) with Mozilla Policies, Recommended Practices, etc; are mandatory to fix and which ones could be admissible by the moment, in the case of the Super-CA
Assignee | ||
Comment 3•8 years ago
|
||
Aaron and Francis, please begin the Information Verification for this request.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Comment 4•8 years ago
|
||
hi SUSCERTE,
i'm working on the information verification now, in order to accelerate the process, please provide CP/CPS in English. it seems there's no English version on your website (http://acraiz.suscerte.gob.ve/).
once i complete the 1st round of information verification, i will be able to let you know what's missing if any.
thank you very much
Francis
Thanks for write. We are in process of translation the CPS document into English. we will submit the document when be ready, and we will modify the web page provided within the certificate link (X509v3 Certificate Policies field) to contain both versions of CPS (Spanish and English) and a selection language web form.
Updated•8 years ago
|
Assignee: kwilson → frlee
Updated•8 years ago
|
Whiteboard: Super-CA, need PSC-FII to be approved first → Super-CA, need PSC-FII to be approved first, information incomplete
Assignee | ||
Updated•8 years ago
|
Whiteboard: Super-CA, need PSC-FII to be approved first, information incomplete → Information Incomplete - SUSCERTE - Super-CA of PSC-FII
Updated•8 years ago
|
Assignee: frlee → awu
Whiteboard: Information Incomplete - SUSCERTE - Super-CA of PSC-FII → [ca-verification] - SUSCERTE -- Super-CA of PSC-FII
Whiteboard: [ca-verification] - SUSCERTE -- Super-CA of PSC-FII → [ca-hold] - SUSCERTE -- Super-CA of PSC-FII
Updated•8 years ago
|
Product: mozilla.org → NSS
Comment 6•7 years ago
|
||
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
Assignee | ||
Comment 7•6 years ago
|
||
I am closing old requests that are for inclusion of super-CA root certificates.
This CA may re-apply for inclusion of their root certificate when they meet all of the requirements listed here:
https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs
Until then, this CA's (first-level) subordinate CAs may apply for inclusion of their certificate as a trust anchor, as described here:
https://wiki.mozilla.org/CA/Application_Process
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•