Closed Bug 1321044 Opened 5 years ago Closed 5 years ago

Audit info for Consorci AOC, CATCert


(NSS :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: v-kestre, Assigned: kwilson)



(Whiteboard: [ca-audits])


(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36 Edge/14.14393
From the CA, regarding these qualified audit reports;
Vast majority of non-conformities are associated with the certificate profile. ... all of them have been solved since June 2016 approximately.

other issues:

SAN with data not intended to be there.
As you know, there was a law in Spain that regulates the profile for some specific certificates, i.e.:
1. Civil Servant or Public Employee (natural person certificate)
2. Electronic Seal for Automated Administrative Action
3. Electronic Office Certificate (SSL or EV for Public Administrations)
The problem is that these profiles required private extensions in the SAN, and this conflicts BR and EV Guidelines.
This law has been repealed recently and the new one does not require this extensions but, how do we, Spanish TSP, handle the SSL and EV certificates issued following the previous law? In my opinion, an exception needs to be added.

Coding of some fields.
On the other hand, jurisdictionOfIncorporation should be PrintableString coded, but we code it in UTF8: we fail to understand this requirement given that UTF8 is more recent and to encode that particular field with UTF8 will not cause any interoperability problems: coding that ISO country information in the jurisdictionOfIncorporation field with UTF8 or PrintableString wil result in the same data, so we do not see the  of using an old codification like PrintableString instead of the more recent and mainly recommended UTF8.
So much comes the international trend to use UTF8 that some manufacturers, such as PrimeKey with EJBCA, is the one and only that is allowed for "custom extensions" and do not allow PrintableString in its Community Edition.

OCSP whitelist.
We are right now migrating from EJBCA Community Edition to EJBCA Enterprise Edition that enables the use of OCSP whitelist (which is scheduled for January 2017) and Certificate Transparency (scheduled for February 2017).
Whiteboard: Qualified audits for Consorci AOC, CATCert
Closing this bug, but we may continue to use it for audit statements for this CA. Thanks!
Closed: 5 years ago
Resolution: --- → WORKSFORME
Duplicate of this bug: 1385119
Assignee: nobody → kwilson
Component: CA Certificates Code → CA Certificate Root Program
Whiteboard: Qualified audits for Consorci AOC, CATCert → [ca-audits]
You need to log in before you can comment on or make changes to this bug.