Closed Bug 1302431 Opened 8 years ago Closed 6 years ago

Add Autoridad de Certificacion Raiz del Estado Venezolano root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: dscec, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: [ca-hold] - SUSCERTE -- Super-CA of PSC-FII)

CA Details ---------- CA Name: Autoridad de Certificacion Raiz del Estado Venezolano Website: http://acraiz.suscerte.gob.ve/ Summary of CA: Root CA of the whole Venezuelan nation. By law, under this Certificate are issued all the SubCAs who serve the End Entities of the country. The SubCAs are institutions both public or private which are authorized (accredited) by Goverment's superintendence to perform this activity (issue Digital Certificates) - General nature: government - Primary geographical area(s) served: National (Venezuela) Audit Type: accredited independient Auditor Auditor: Choosed each year by a pool of accredited Auditor by The Venezuelan State Auditor Website: Audit Document URL(s): Certificate Details ------------------- (To be completed once for each certificate; note that we only include root certificates in the store, not intermediates.) Certificate Name: ACRaiz (RootCA in English) Summary Paragraph: -Root Certificate, top of certificate hierarchy of the whole country. The legality of a certificate will be based upon the issuing by a Certification Authority whose Certificate is signed by this root CA (any Certification Authority must fulfillment severe formalities before be signed by RootCA). - Number and type of subordinate CAs: by now, two (2). More could be coming. Type: Public Institution (goverment) named PSC-FII, Private Company named PROCERT. Some others institutions or companies are working in become an Certification Authority. The Root CA also provides advice on technology and documentation to help them to achieve the appropriate status. - Diagram and/or description of certificate hierarchy ROOT CA <-(root of whole certificate hierarchy of Venezuela) ------- |-----------... (others CA, future) | | PROCERT PSC-FII <--(SubCAs) both issues to End Entity (private (Public (Citizen, Company, SSL, mail signing, etc) company) Institution) Certificate download URL (on CA website): http://acraiz.suscerte.gob.ve/sites/default/files/certificados/CERTIFICADO-RAIZ-SHA384.crt Version: 3 (0x2) SHA1 Fingerprint: 39:8E:BE:9C:0F:46:C0:79:C3:C7:AF:E0:7A:2F:DD:9F:AE:5F:8A:5C Public key length (for RSA, modulus length) in bits: 4096 bit Valid From (YYYY-MM-DD): Dec 28 16:41:36 2010 GMT Valid To (YYYY-MM-DD): Dec 23 23:59:59 2030 GMT CRL HTTP URL: URI:http://www.suscerte.gob.ve/lcr (Format DER) CRL issuing frequency for subordinate end-entity certificates: Root CA doesn't issue End-Entity Certificates. SubCAs must issue CRL at least once a day CRL issuing frequency for subordinate CA certificates: 6 months OCSP URL: URI:http://ocsp.suscerte.gob.ve Class (domain-validated, identity/organizationally-validated or EV): Root CA just issue SubCA signed Certificates Certificate Policy URL: http://www.suscerte.gob.ve/dpc CPS URL: http://www.suscerte.gob.ve/dpc Requested Trust Indicators (email and/or SSL and/or code signing): just SubCAs (PSC-FII and PROCERT) can have a class of certificate for each use URL of example website using certificate subordinate to this root (if applying for SSL): Root CA doesn't issue SSL or SSL-EV Certificates
As per Bug #489240 and https://wiki.mozilla.org/CA:SubordinateCA_checklist#Super-CAs before we may proceed with inclusion of the SUSCERTE root certificate, it needs to be proven that the existing subCAs pass Mozilla's process, and that the National CA is committed to ensuring that their existing and future subCAs will follow Mozilla's policy and process, as well as the CA/Browser Forum's Baseline Requirements, and provide annual public-facing audit statements for their root and subCAs. As per Bug #593805, the PROCERT subCA has passed Mozilla's approval process, and the PSCProcert certificate has been included in NSS. As per Bug #667466, the PSC-FII subCA has not yet passed Mozilla's approval process. Therefore, please complete the inclusion process for Bug #667466 (PSC-FII subCA). We may move forward with this request in parallel, but Bug #667466 will have to be approved first.
Status: UNCONFIRMED → ASSIGNED
Depends on: 667466
Ever confirmed: true
Whiteboard: Super-CA, need PSC-FII to be approved first
Thanks for answer so fast! we will try to help (within the normatives and laws) to PSC-FII subCA to get the optimal status to be approved meanwhile we are working in some few issues that we know we have about Mozilla Policies, Recommended Practices, and Problematic Practices. we will appreciate if the Mozilla community may help us to find if there is another issues that maybe we didn't realize Also we would like to ask, for an appropiate way (here, by email, by forum), which warnings o differences (that we found reviewing our PKI) with Mozilla Policies, Recommended Practices, etc; are mandatory to fix and which ones could be admissible by the moment, in the case of the Super-CA
Aaron and Francis, please begin the Information Verification for this request. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
hi SUSCERTE, i'm working on the information verification now, in order to accelerate the process, please provide CP/CPS in English. it seems there's no English version on your website (http://acraiz.suscerte.gob.ve/). once i complete the 1st round of information verification, i will be able to let you know what's missing if any. thank you very much Francis
Thanks for write. We are in process of translation the CPS document into English. we will submit the document when be ready, and we will modify the web page provided within the certificate link (X509v3 Certificate Policies field) to contain both versions of CPS (Spanish and English) and a selection language web form.
Assignee: kwilson → frlee
Whiteboard: Super-CA, need PSC-FII to be approved first → Super-CA, need PSC-FII to be approved first, information incomplete
Whiteboard: Super-CA, need PSC-FII to be approved first, information incomplete → Information Incomplete - SUSCERTE - Super-CA of PSC-FII
Assignee: frlee → awu
Whiteboard: Information Incomplete - SUSCERTE - Super-CA of PSC-FII → [ca-verification] - SUSCERTE -- Super-CA of PSC-FII
Whiteboard: [ca-verification] - SUSCERTE -- Super-CA of PSC-FII → [ca-hold] - SUSCERTE -- Super-CA of PSC-FII
Product: mozilla.org → NSS
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
I am closing old requests that are for inclusion of super-CA root certificates. This CA may re-apply for inclusion of their root certificate when they meet all of the requirements listed here: https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs Until then, this CA's (first-level) subordinate CAs may apply for inclusion of their certificate as a trust anchor, as described here: https://wiki.mozilla.org/CA/Application_Process
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.