Open Bug 1348774 Opened 7 years ago Updated 3 months ago

Add Thailand National Root CA - G1

Tracking

(Not tracked)

Status:

ASSIGNED

People

(Reporter: nrca, Assigned: bwilson)

Details

(Whiteboard: [ca-verifying])

Attachments

(41 files, 1 obsolete file)

CA Information for NRCA.pdf 7 years ago Mr.Thitikorn Trakoonsirisak 494.84 KB, application/pdf		Details
CAInformation_Thailand_InfoNeeded_20170416.pdf 7 years ago Aaron Wu 184.10 KB, application/pdf		Details
CAInformation_Thailand_InfoNeeded_20170421.pdf 7 years ago Aaron Wu 185.15 KB, application/pdf		Details
Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf 7 years ago waiphot 496.43 KB, application/pdf		Details
CA's BR Self Assessment.pdf 7 years ago waiphot 125.62 KB, application/pdf		Details
CA's BR Self Assessment for Thailand NRCA Update 31-08-2018.pdf 6 years ago waiphot 312.53 KB, application/pdf		Details
Quantifying Value for Mozilla by NRCA v0.3 2 years ago Tanat Tonguthaisri 226.49 KB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2020 to 31 August 2021) 2 years ago Tanat Tonguthaisri 1.71 MB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2019 to 31 August 2020) 2 years ago Tanat Tonguthaisri 2.53 MB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2018 to 31 August 2019) 2 years ago Tanat Tonguthaisri 681.64 KB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2017 to 31 August 2018) 2 years ago Tanat Tonguthaisri 353.04 KB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2016 to 31 August 2017) 2 years ago Tanat Tonguthaisri 1.76 MB, application/pdf		Details
WebTrust for Certification Authorities (NRCA, period: 1 September 2015 to 31 August 2016) 2 years ago Tanat Tonguthaisri 965.47 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2015 to 31 August 2016) 2 years ago Tanat Tonguthaisri 868.56 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2016 to 31 August 2017) 2 years ago Tanat Tonguthaisri 895.36 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2017 to 31 August 2018) 2 years ago Tanat Tonguthaisri 307.08 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2018 to 31 August 2019) 2 years ago Tanat Tonguthaisri 648.10 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2019 to 31 August 2020) 2 years ago Tanat Tonguthaisri 1.89 MB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2020 to 31 August 2021) 2 years ago Tanat Tonguthaisri 1.71 MB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2017 to 31 August 2018) 2 years ago Tanat Tonguthaisri 605.57 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2018 to 31 August 2019) 2 years ago Tanat Tonguthaisri 1.13 MB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2019 to 31 August 2020) 2 years ago Tanat Tonguthaisri 721.63 KB, application/pdf		Details
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2019 to 31 August 2020) 2 years ago Tanat Tonguthaisri 1.33 MB, application/pdf		Details
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2018 to 31 August 2019) 2 years ago Tanat Tonguthaisri 1.32 MB, application/pdf		Details
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2017 to 31 August 2018) 2 years ago Tanat Tonguthaisri 1.32 MB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2018 to 17 December 2019) 2 years ago Tanat Tonguthaisri 721.74 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2019 to 17 December 2020) 2 years ago Tanat Tonguthaisri 541.06 KB, application/pdf		Details
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2019 to 17 December 2020) 2 years ago Tanat Tonguthaisri 641.94 KB, application/pdf		Details
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2018 to 17 December 2019) 2 years ago Tanat Tonguthaisri 1.11 MB, application/pdf		Details
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2020 to 17 December 2021) 2 years ago Tanat Tonguthaisri 429.74 KB, application/pdf		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2020 to 17 December 2021) 2 years ago Tanat Tonguthaisri 401.13 KB, application/pdf		Details
CA Compliance Self Assessment of NRCA in Excel format 1 year ago Tanat Tonguthaisri 53.61 KB, application/octet-stream		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2020 to 31 August 2021) 1 year ago Tanat Tonguthaisri 1.09 MB, application/pdf		Details
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2020 to 31 August 2021) 1 year ago Tanat Tonguthaisri 1.08 MB, application/pdf		Details
NRCA G1 Root Key Generation Ceremony - Letter of Attestation 1 year ago Martijn van der Heide 174.82 KB, application/pdf		Details
WebTrust for CAv2.2.2 - IA & Management Assertion - ETDA2022 1 year ago Martijn van der Heide 1.09 MB, application/pdf		Details
SSL Baselinev2.5 - IA & Management Assertion - ETDA2022 1 year ago Martijn van der Heide 485.81 KB, application/pdf		Details
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2021 to 17 December 2022) 10 months ago Martijn van der Heide 108 bytes, text/plain		Details
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2021 to 17 December 2022) 10 months ago Martijn van der Heide 108 bytes, text/plain		Details
NRCA Self Assessment 2023 4 months ago Martijn van der Heide 191.08 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet		Details
KeyGeneration Ceremony - ETDA Assurance Report - KGC G2_G3_signed.pdf 3 months ago Martijn van der Heide 269.09 KB, application/pdf		Details
NRCA WebTrust Audit 2023 - Audit Team Qualification 3 months ago Martijn van der Heide 8.66 KB, application/pdf		Details

Mr.Thitikorn Trakoonsirisak

Reporter

Description

•

7 years ago

Attached file CA Information for NRCA.pdf — Details

CA Details
----------

CA Name: Thailand National Root CA - G1 ("Thailand NRCA")
Website: http://nrca.go.th
Electronic Transactions Development Agency (“ETDA”) is established on 25 November, 2010 under the Ministry of Information and Communication Technology (MICT) and according to the proposal of the Office of the Public Sector Development Commission (OPDC) to function as the main agency responsible for developing, promoting and supporting electronic transactions in order to create trust, opportunity and equity for all. ETDA’s main mission is to conduct studies and research while providing support for the Electronic Transactions Commission and related agencies.
ETDA has implemented Thailand National Root CA (Certificate Authority) Project (“Thailand NRCA”) on fiscal year 2014. The Thailand NRCA allows interoperability of authenticating digital certificates issued by different service providers and serves as a central trust mechanism connecting digital signature systems used domestically and internationally. Thus it is an important infrastructure that reinforces secure and safe electronic transactions. With the effort of a group of PKI technology service providers or operators, the Thailand PKI Association was established in 2009 with an aim to increase Thai society’s knowledge and understanding of PKI technology and to strengthen technical assistance among members. Past activities of the Association included a campaign for a higher level of PKI technology application; the action taken to have technical trials on issuance of digital certificates to domestic service; and implementation of system trials on interoperability with foreign CAs (CA-CA Interoperability).

Audit Type: WebTrust 
Auditor: BDO Malaysia
Auditor Website: http://www.bdo.my
Audit Document URL(s): WebTrust 2.0 : https://cert.webtrust.org/ViewSeal?id=2154 
, WebTrust SSL Baseline 2.0 https://cert.webtrust.org/ViewSeal?id=2155 

Certificate Details
-------------------
Certificate Name: Thailand National Root Certification Authority – G1
Key Usage : for Certificate signing, Offline CRL Signing, CRL Signing
Thailand NRCA has generated the root key pairs (G1) on 27th March 2013 during the key generation ceremony. Upon the root key pairs were generated, Thailand NRCA as the root CA, had signed on subordinate CA certificate i.e. Thai Digital ID Company Limited (“TDID”) using the private key. Currently the CA system is offline and only will be activated under certain circumstances such as certificate revocation or certificate activation.
 - End entity certificate issuance policy
- Number and type of subordinate CAs : 1 Subordinate CA (TDID -Thai Digital ID Company Limited)
 - Diagram and/or description of certificate hierarchy: 
 
ETDA’s key functions is to develop, promote and support Thailand’s digital signature environment. To that end, ETDA has adopted the Root CA trust model to address issues arising from incompatibility of proprietary data or incompatibility of software originating from different CAs. The Root CA trust model is administered by Thailand’s National Root CA (“NRCA”) which recognizes certificates issued by each of Thailand’s CAs and allows for interoperability of cross-verification.
	ETDA is seeking a WebTrust accredited third party assurance provider to assess the adequacy and effectiveness of controls employed for certification authority operations. BDO would be assessing the conformity of 
•	Root CA : the Thailand National Root Certificate Authority - G1 (“NRCA”)
•	Subordinate CA  : Thai Digital ID Company Limited – G2 (“TDID – G2”) ,Thai Digital ID Company Limited – G3 (“TDID – G3”).

Certificate download URL (on CA website): http://www.nrca.go.th/cert/nrca/THNRCA.der
Version: V3
SHA1 Fingerprint: 66 f2 dc fb 3f 81 4d de e9 b3 20 6f 11 de fe 1b fb df e1 32
Public key length (for RSA, modulus length) in bits: 4096 Bits
Valid From (YYYY-MM-DD):  27 March 2013
Valid To (YYYY-MM-DD): 27 March 2036

CRL HTTP URL: http://www.nrca.go.th/crl/THNRCA_arlfile.crl 
CRL issuing frequency for subordinate end-entity certificates: 6 Months
CRL issuing frequency for subordinate CA certificates: 6 Months
OCSP URL: http://ocsp.nrca.go.th 

Class (domain-validated, identity/organizationally-validated or EV):
Certificate Policy URL: http://www.nrca.go.th/cps/cpsv3.pdf 
CPS URL: http://www.nrca.go.th/cp/cpv3.pdf 
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root
(if applying for SSL): https://www.thaidigitalid.com/tdid.web.register/

Kathleen Wilson

Updated

•

7 years ago

Group: mozilla-employee-confidential

Whiteboard: [ca-initial] -- OK to begin Information Verification

Aaron Wu

Updated

•

7 years ago

Assignee: kwilson → awu

Status: UNCONFIRMED → ASSIGNED

Ever confirmed: true

Aaron Wu

Updated

•

7 years ago

Whiteboard: [ca-initial] -- OK to begin Information Verification → [ca-verifying]

Aaron Wu

Comment 1

•

7 years ago

Attached file CAInformation_Thailand_InfoNeeded_20170416.pdf — Details

Aaron Wu

Comment 2

•

7 years ago

Hi Mr.Thitikorn Trakoonsirisak,

Based on the CPS and the information you provided, I've verified and enter into Salesforce. Please see attachment in Comment#1 and we need your more information input which marked as "Need Response from CA"

For Test Website please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing


Kind regards,
Aaron

Aaron Wu

Updated

•

7 years ago

Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment

Aaron Wu

Comment 3

•

7 years ago

Attached file CAInformation_Thailand_InfoNeeded_20170421.pdf — Details

Aaron Wu

Comment 4

•

7 years ago

Hi Mr.Thitikorn Trakoonsirisak,

As root certificate, I've updated more information in Salesforce and attached file in Comment#3.

What we need your information input currently:
1. CAInformation pdf file in Comment#3, which marked as "Need Response from CA" or "Need Clarification from CA"
2. BR Self Assessment in Comment#1, it includes a link to a template for CA's BR Self Assessment which is a Google Doc[1], please fill in and attached in this bug.

[1]
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing


Thank you so much!

Kind regards,
Aaron

BMO Automation

Updated

•

7 years ago

Product: mozilla.org → NSS

waiphot

Comment 5

•

7 years ago

(In reply to Aaron Wu from comment #4)
> Hi Mr.Thitikorn Trakoonsirisak,
> 
> As root certificate, I've updated more information in Salesforce and
> attached file in Comment#3.
> 
> What we need your information input currently:
> 1. CAInformation pdf file in Comment#3, which marked as "Need Response from
> CA" or "Need Clarification from CA"
> 2. BR Self Assessment in Comment#1, it includes a link to a template for
> CA's BR Self Assessment which is a Google Doc[1], please fill in and
> attached in this bug.
> 
> [1]
> https://docs.google.com/spreadsheets/d/
> 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> 
> 
> Thank you so much!
> 
> Kind regards,
> Aaron

Hi Aaron

We fill in on google Doc for BR Self Assessment by link below 

Regards,
Waiphot P.

https://docs.google.com/spreadsheets/d/1IiwAJ8subF76FPvPDGshThsXW-Y9mO1NljHonhFq5Ew/edit#gid=0

waiphot

Comment 6

•

7 years ago

Attached file Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf — Details

Dear Aaron

As attach file for Clarification from CA.

Best Regards,
Waiphot P.

Aaron Wu

Updated

•

7 years ago

Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - BR Self Assessment Received

Aaron Wu

Comment 7

•

7 years ago

(In reply to waiphot from comment #5)
> (In reply to Aaron Wu from comment #4)
> > Hi Mr.Thitikorn Trakoonsirisak,
> > 
> > As root certificate, I've updated more information in Salesforce and
> > attached file in Comment#3.
> > 
> > What we need your information input currently:
> > 1. CAInformation pdf file in Comment#3, which marked as "Need Response from
> > CA" or "Need Clarification from CA"
> > 2. BR Self Assessment in Comment#1, it includes a link to a template for
> > CA's BR Self Assessment which is a Google Doc[1], please fill in and
> > attached in this bug.
> > 
> > [1]
> > https://docs.google.com/spreadsheets/d/
> > 1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> > 
> > 
> > Thank you so much!
> > 
> > Kind regards,
> > Aaron
> 
> Hi Aaron
> 
> We fill in on google Doc for BR Self Assessment by link below 
> 
> Regards,
> Waiphot P.
> 
> https://docs.google.com/spreadsheets/d/1IiwAJ8subF76FPvPDGshThsXW-
> Y9mO1NljHonhFq5Ew/edit#gid=0

Hi Waiphot P.

Thanks for your update! But it seems we don't have permission to access your BR Self Assessment Doc. above, the better way is to attach this file in this bug and we will also refer to this attachment in Salesforce.

Thanks,
Aaron

Aaron Wu

Comment 8

•

7 years ago

(In reply to waiphot from comment #6)
> Created attachment 8868458 [details]
> Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf
> 
> Dear Aaron
> 
> As attach file for Clarification from CA.
> 
> Best Regards,
> Waiphot P.

Thanks for your information update as attached file, there are some information you might missing to update which I summarize below:

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

2. Revocation Tested, please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

3. Please provide your audit statement and BR audit document and attach in this bug.

Thanks,
Aaron

waiphot

Comment 9

•

7 years ago

Attached file CA's BR Self Assessment.pdf (obsolete) — Details

Dear Aaron

As attach file for CA's BR Self Assessment.

Thanks,
Waiphot

Aaron Wu

Comment 10

•

7 years ago

Hi Waiphot,

Thanks to provide BR Self Assessment and attached in this bug.

Please also provide the feedback on comment#8 and please let me know if any further question.

Thanks,
Aaron

Aaron Wu

Comment 11

•

7 years ago

Hi Waiphot,

Could we know when the next version of your CP/CPS will be available? And please also provide update BR Self Assessment corresponding to updated CP/CPS.

We also need your feedback on Comment#8, thanks for your response.

Kind regards,
Aaron

waiphot

Comment 12

•

7 years ago

(In reply to Aaron Wu from comment #8)
> (In reply to waiphot from comment #6)
> > Created attachment 8868458 [details]
> > Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf
> > 
> > Dear Aaron
> > 
> > As attach file for Clarification from CA.
> > 
> > Best Regards,
> > Waiphot P.
> 
> Thanks for your information update as attached file, there are some
> information you might missing to update which I summarize below:
> 
> 1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
> CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow
> Application Software Suppliers to test their software with Subscriber
> Certificates that chain up to each publicly trusted Root Certificate. At a
> minimum, the CA SHALL host separate Web pages using Subscriber Certificates
> ..”
> 
> 2. Revocation Tested, please fix the errors below
> Errors:
> - OCSP signing certificate has expired 2881h8m23.16633834s ago
> - OCSP signing certificate expires before NextUpdate
> 
> 3. Please provide your audit statement and BR audit document and attach in
> this bug.
> 
> Thanks,
> Aaron

Dear Aaron

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow
Application Software Suppliers to test their software with Subscriber
Certificates that chain up to each publicly trusted Root Certificate. At a
minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Refer Link as
  
http://webtest.nrca.go.th/issue_cert.html 
http://webtest.nrca.go.th/crl_cert.html

2. Revocation Tested, please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

Refer Link as
http://ocsp.nrca.go.th

Best Regards,
Waiphot P.

Aaron Wu

Comment 13

•

7 years ago

Dear Waiphot 

Thanks for your information update, I've verified Revocation Test with the data you provided and it looks good now.

Furthermore, I still need your help to update more information, please allow me to list down below 

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2015
2. Please upload your CA/BR Audit Statement in this bug
3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS
4. Please provide THREE (3) Test websites respectively for 
   - valid
   - revoked
   - expired
As CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates..”

Please let me know if you have further question, thank you so much!

Kind regards,
Aaron

waiphot

Comment 14

•

7 years ago

Dear Aaron

More information update below 

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2015
  
Ans: CP/CPS Version 3.0
   - http://nrca.go.th/cp/cpv3.pdf
   - http://nrca.go.th/cps/cpsv3.pdf
   CP/CPS Version 2.1
   - http://nrca.go.th/cp/cp.pdf
   - http://nrca.go.th/cps/cps.pdf

2. Please upload your CA/BR Audit Statement in this bug
Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8868458

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS
Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8883206

4. Please provide THREE (3) Test websites respectively for
Ans : I will sent information in soonest.

Regards,
Waiphot P.

Aaron Wu

Comment 15

•

7 years ago

(In reply to waiphot from comment #14)
> Dear Aaron
> 
> More information update below 
> 
> 1. Please provide the up-to-date CP/CPS documents, the current ones are in
> 2015
>   
> Ans: CP/CPS Version 3.0
>    - http://nrca.go.th/cp/cpv3.pdf
>    - http://nrca.go.th/cps/cpsv3.pdf
>    CP/CPS Version 2.1
>    - http://nrca.go.th/cp/cp.pdf
>    - http://nrca.go.th/cps/cps.pdf

I found CP/CPS 3.0 updated in August 2015, do you have newer version? since your BR Self Assessment mentioned some information will be added in your next version of CP/CPS
> 
> 2. Please upload your CA/BR Audit Statement in this bug
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8868458

In this attachment, I can not find the PDF file of Audit Statement, it should be uploaded on www.webtrust.org OR your website/domain which we will do auditor check.
> 
> 3. Please update your BR Self Assessment corresponding to your latest
> version of CP/CPS
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8883206

As mentioned in (1), please update your BR Self Assessment corresponding your updated CP/CPS

> 
> 4. Please provide THREE (3) Test websites respectively for
> Ans : I will sent information in soonest.

Thanks!

> 


Thank you so much!

Kind Regards,
Aaron

Firefox Bug Husbandry Bot

Comment 16

•

6 years ago

Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324

Assignee: awu → kwilson

waiphot

Comment 17

•

6 years ago

Attached file CA's BR Self Assessment for Thailand NRCA Update 31-08-2018.pdf — Details

CA's BR Self Assessment for Thailand NRCA Update  31-08-2018

Attachment #8883206 - Attachment is obsolete: true

waiphot

Comment 18

•

6 years ago

Dear Aaron

I would link update information as below

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2018

CP  :  https://www.nrca.go.th/publishing-detail/cpv4th.html  
CPS :  https://www.nrca.go.th/publishing-detail/cpsv4th.html 

2. Please upload your CA/BR Audit Statement in this bug

WebTrust 2.0     : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS

https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573

4. Please provide THREE (3) Test websites respectively for

http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.th

Thanks!
Waiphot P.

waiphot

Comment 19

•

6 years ago

Dear Aaron

I would link update latest information as below

4. Please provide THREE (3) Test websites respectively for

https://ssldemo1.thaidigitalid.com/              Status : Valid
https://ssldemo2.thaidigitalid.com/              Status : Revoke
https://ssldemo3.thaidigitalid.com/              Status : Expired

Thanks!
Waiphot P.

Kathleen Wilson

Comment 20

•

6 years ago

The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110

In particular:

- How do customers report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates? Is there an email address that the CA closely monitors.

- When you provide your current audit statements, please make sure that they meet Mozilla's requirements including listing the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information

The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139

- Where in the CP/CPS does it say that the "Thailand National Root Certification Authority - G1" root and its subordinate CAs must follow the policies and practices in these documents?

- Section 2.2 of the BRs states: "CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

- In the CPS, change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647

- Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

- Update CP/CPS to provide clarification about the domain validation that the CA does. See
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

- If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS sections that describe how the CA verifies that the certificate subscriber owns the email address to be included in the certificate.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control

- CP/CPS section 3.2.2.4 say "FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1. Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN

- I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

- Which CP/CPS sections describe he CA Hierarchy for this root cert?

- CP/CPS indicate that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files

- Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties

- I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

- Please test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.

- Resolve cert lint errors, and add pre-issuance lint-testing to prevent such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24

QA Contact: kwilson

Whiteboard: [ca-verifying] - BR Self Assessment Received → [ca-verifying] - KW Comment #20 2018-10-30

waiphot

Comment 21

•

5 years ago

(In reply to waiphot from comment #18)

Dear Aaron

I would link update information as below

Please provide the up-to-date CP/CPS documents, the current ones are in
2018

CP : https://www.nrca.go.th/publishing-detail/cpv4th.html
CPS : https://www.nrca.go.th/publishing-detail/cpsv4th.html

Please upload your CA/BR Audit Statement in this bug

WebTrust 2.0 : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359

Please update your BR Self Assessment corresponding to your latest
version of CP/CPS

https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573

Please provide THREE (3) Test websites respectively for

http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.th

Thanks!
Waiphot P.

Dear Wilson
I would like to update

(In reply to Kathleen Wilson from comment #20)

The link below shows the CA information that has been verified. Search in
the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/
PrintViewForCase?CaseNumber=00000110

In particular:

How do customers report suspected Private Key Compromise, Certificate
misuse, or other types of fraud, compromise, or any other matter related to
certificates? Is there an email address that the CA closely monitors.

When you provide your current audit statements, please make sure that they
meet Mozilla's requirements including listing the SHA-256 Fingerprints of
the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
policy#314-public-audit-information

The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221139

Update the audits lists in comment #18
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

Where in the CP/CPS does it say that the "Thailand National Root
Certification Authority - G1" root and its subordinate CAs must follow the
policies and practices in these documents?

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

Introduction
1.1 Overview

A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.

Section 2.2 of the BRs states: "CA's Certificate Policy and/or
Certification Practice Statement ... shall clearly specify the set of Issuer
Domain Names that the CA recognises in CAA "issue" or "issuewild" records as
permitting it to issue.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

In the CPS, change "Not Applicable" to text that indicates that the rules
as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.
2FCPS_Structured_According_to_RFC_3647

Provide complete history of audit statements for this root in this
Bugzilla bug, or provide on CA's website and list all of the URLs in a
comment in this bug.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Complete_Audit_History

https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

Update CP/CPS to provide clarification about the domain validation that
the CA does. See
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Baseline_Requirements

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

3.2.2.4. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.

If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS
sections that describe how the CA verifies that the certificate subscriber
owns the email address to be included in the certificate.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Verifying_Email_Address_Control

CP/CPS section 3.2.2.4 say "FQDNs may be listed in Subscriber Certificates
using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1.
Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#DNS_names_go_in_SAN

I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards
to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

Which CP/CPS sections describe he CA Hierarchy for this root cert?

CP/CPS indicate that the CA can generate key pairs for customers. This is
not allowed for SSL certs, see
https://wiki.mozilla.org/CA/
Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKC
S.2312_Files

Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/
Forbidden_or_Problematic_Practices#Delegation_of_Domain_.
2F_Email_Validation_to_Third_Parties

I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Please provide us ip address to allow the access of these test websites. The system typically does not allow the access of ip address outside Thailand.

Once received your IP address, we will change internal settings according.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Please test with http://certificate.revocationcheck.com/ and make sure
there aren't any errors.

Resolve cert lint errors, and add pre-issuance lint-testing to prevent
such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-
27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24

waiphot

Comment 22

•

5 years ago

Dear Wilson
I would like to update information as below

(In reply to waiphot from comment #21)

(In reply to waiphot from comment #18)

Dear Aaron

I would link update information as below

Please provide the up-to-date CP/CPS documents, the current ones are in
2018

CP : https://www.nrca.go.th/publishing-detail/cpv4th.html
CPS : https://www.nrca.go.th/publishing-detail/cpsv4th.html

Please upload your CA/BR Audit Statement in this bug

WebTrust 2.0 : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359

Please update your BR Self Assessment corresponding to your latest
version of CP/CPS

https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573

Please provide THREE (3) Test websites respectively for

http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.th

Thanks!
Waiphot P.

Dear Wilson
I would like to update

(In reply to Kathleen Wilson from comment #20)

The link below shows the CA information that has been verified. Search in
the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/
PrintViewForCase?CaseNumber=00000110

In particular:

How do customers report suspected Private Key Compromise, Certificate
misuse, or other types of fraud, compromise, or any other matter related to
certificates? Is there an email address that the CA closely monitors.

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

5.7.1 Incident and Compromise Handling Procedures
The CA that issues certificates under this CP shall have an incident response plan and a disaster recovery plan. If compromise of a CA is suspected, an independent third-party investigation shall be performed in order to determine the nature and the degree of damage. Issuance of certificates from that CA shall be stopped immediately upon detection of a compromise. If a CA private signing key is suspected of compromise, the procedure outlined in section 5.7.3 shall be followed. Otherwise, the scope of potential damage shall be assessed in order to determine if the CA needs to be rebuilt, only some certificates need to be revoked, and/or the CA private key needs to be declared compromised.
Provide Phone Number and Email for customer reports the CA closely monitors.
Phone Number : (66)-2-123-1234
Email for customer reports the CA closely monitors. Email : nrca@etda.or.th

When you provide your current audit statements, please make sure that they
meet Mozilla's requirements including listing the SHA-256 Fingerprints of
the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/
policy#314-public-audit-information

The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221139

Update the audits lists in comment #18
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

Where in the CP/CPS does it say that the "Thailand National Root
Certification Authority - G1" root and its subordinate CAs must follow the
policies and practices in these documents?

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

Introduction
1.1 Overview

A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.

Section 2.2 of the BRs states: "CA's Certificate Policy and/or
Certification Practice Statement ... shall clearly specify the set of Issuer
Domain Names that the CA recognises in CAA "issue" or "issuewild" records as
permitting it to issue.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

In the CPS, change "Not Applicable" to text that indicates that the rules
as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.
2FCPS_Structured_According_to_RFC_3647

Provide complete history of audit statements for this root in this
Bugzilla bug, or provide on CA's website and list all of the URLs in a
comment in this bug.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Complete_Audit_History

https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

Update CP/CPS to provide clarification about the domain validation that
the CA does. See
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Baseline_Requirements

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

3.2.2.4. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.

If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS
sections that describe how the CA verifies that the certificate subscriber
owns the email address to be included in the certificate.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#Verifying_Email_Address_Control

CP/CPS section 3.2.2.4 say "FQDNs may be listed in Subscriber Certificates
using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1.
Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/
Required_or_Recommended_Practices#DNS_names_go_in_SAN

I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards
to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

Which CP/CPS sections describe he CA Hierarchy for this root cert?

CP/CPS indicate that the CA can generate key pairs for customers. This is
not allowed for SSL certs, see
https://wiki.mozilla.org/CA/
Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKC
S.2312_Files

Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/
Forbidden_or_Problematic_Practices#Delegation_of_Domain_.
2F_Email_Validation_to_Third_Parties

I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Please provide us ip address to allow the access of these test websites. The system typically does not allow the access of ip address outside Thailand.

Once received your IP address, we will change internal settings according.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Please test with http://certificate.revocationcheck.com/ and make sure
there aren't any errors.

Resolve cert lint errors, and add pre-issuance lint-testing to prevent
such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-
27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24

Thanks!
Waiphot P.

Kathleen Wilson

Comment 23

•

5 years ago

Hello Waiphot, The CP/CPS still do not meet the requirements for this request to complete the Information Verification phase (step 2) of Mozilla's root inclusion process (https://wiki.mozilla.org/CA/Application_Process). The CP/CPS documents and test websites will need to be updated as described below.
Please also note that CAs must provide publicly all information considered during the root inclusion process and for continuing to be included in Mozilla's root store. For example, CP, CPS and test websites must be publicly available, even to people who are not in Thailand.

The link below shows the information that has been verified for this root inclusion request. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110

In particular:

The audit statements do not list the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit, per Mozilla's requirements: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
I see that the root certificate's serial number is listed as in scope of the audit, but there is no reference to which intermediate certificates were in scope of the audit, so it appears that the intermediate certificates have not been audited. When Mozilla includes a root certificate, its intermediate certificates become trusted, so the intermediate certificates are expected to be audited as well. Therefore, please provide the complete audit history for the root and its intermediate certificates.
Please update the CP/CPS to list the Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue, per
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
Also, CPSv4 says that section 3.2.2.8, CAA Records, is not applicable, which does not meet the BRs. In the CPS, please change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History
Please update the CP/CPS per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements
Are you requesting that the Email (S/MIME) trust bit also be enabled for this root?
If yes, the the CP/CPS must be updated to describe how the CA verifies that the certificate subscriber owns the email address to be included in the S/MIME certificate.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
Update the CP/CPS tos say that "FQDNs must be listed in Subscriber Certificates using dNSNames in the subjectAltName extension.
The word "may" does not meet the requirement of BR section 7.1.4.2.1. Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
The BRs require that the CA provides OCSP, so I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
Which CP/CPS sections describe he CA Hierarchy for this root cert?
CP/CPS indicate that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
Please make the test websites public, and accessible to everyone -- including people not in Thailand. Mozilla's process and root store are public-facing, so all information considered must be publicly available.
Please test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
Resolve cert lint errors, and add pre-issuance lint-testing to prevent such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24

Whiteboard: [ca-verifying] - KW Comment #20 2018-10-30 → [ca-verifying] - KW 2019-03-18 - Comment #23

Ben Wilson

Assignee

Comment 24

•

4 years ago

Could the owner/operator of the Root CA, Electronics Transactions Development Agency, please provide us with a status update on its progress to meet the requests in Comment#23 and in updating its root inclusion case, no. 110 in the CCADB? Thank you.

Flags: needinfo?(waiphot)

Ben Wilson

Assignee

Updated

•

4 years ago

Assignee: kwilson → bwilson

Ben Wilson

Assignee

Comment 25

•

4 years ago

I am inclined to close this inclusion request because we have not heard from the applicant in several months.

Flags: needinfo?(waiphot) → needinfo?(nrca)

Ben Wilson

Assignee

Comment 26

•

4 years ago

Applicant responded to inquiry that Mr. Waiphot and Ms. Pitinan are no longer with the organization and that they are working on a revised CPS

Ben Wilson

Assignee

Comment 27

•

3 years ago

Requested status update from applicant

Ben Wilson

Assignee

Updated

•

3 years ago

Priority: -- → P5

Ben Wilson

Assignee

Comment 28

•

3 years ago

I am contemplating closing this Root CA inclusion case for failure to actively pursue it. Please note that CAs will need to present the following information - https://wiki.mozilla.org/CA/Quantifying_Value - in addition to what has already been requested.

Ben Wilson

Assignee

Updated

•

3 years ago

Whiteboard: [ca-verifying] - KW 2019-03-18 - Comment #23 → [ca-verifying] - BW - 2021-06-25 - Comment #28

Ben Wilson

Assignee

Comment 29

•

2 years ago

Test websites (e.g. https://ssldemo1.thaidigitalid.com/ ) "time out" - they don't respond fast enough to run tests.

Ben Wilson

Assignee

Updated

•

2 years ago

Flags: needinfo?(bwilson)

Surasak Sata

Comment 30

•

2 years ago

Dear Ben
We have updated CP/CPS version 4.2 . Publish at 21 Nov 21 .
CP v4.2 : https://www.nrca.go.th/download-publishing/30/
CPS v4.2 : https://www.nrca.go.th/download-publishing/31/

Ben Wilson

Assignee

Updated

•

2 years ago

Flags: needinfo?(bwilson)

Priority: P5 → P4

Ben Wilson

Assignee

Updated

•

2 years ago

Whiteboard: [ca-verifying] - BW - 2021-06-25 - Comment #28 → [ca-verifying]

Ben Wilson

Assignee

Updated

•

2 years ago

Priority: P4 → P3

BugBot [:suhaib / :marco/ :calixte]

Comment 31

•

2 years ago

Redirect a needinfo that is pending on an inactive user to the triage owner.
:kwilson, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nrca) → needinfo?(kwilson)

Ben Wilson

Assignee

Updated

•

2 years ago

Flags: needinfo?(kwilson)

Ben Wilson

Assignee

Updated

•

2 years ago

Summary: Thailand National Root CA - G1 → Add Thailand National Root CA - G1

Ben Wilson

Assignee

Updated

•

2 years ago

Priority: P3 → P2