Open Bug 1348774 Opened 3 years ago Updated 1 year ago

Thailand National Root CA - G1

Categories: NSS :: CA Certificate Root Program (task)
Status: ASSIGNED (not tracked)
People: Reporter: nrca, Assigned: kwilson
Whiteboard: [ca-verifying] - KW 2019-03-18 - Comment #23
Attachments: 5 files, 1 obsolete file

CA Details
----------

CA Name: Thailand National Root CA - G1 ("Thailand NRCA")
Website: http://nrca.go.th
Electronic Transactions Development Agency (“ETDA”) was established on 25 November 2010 under the Ministry of Information and Communication Technology (MICT), following the proposal of the Office of the Public Sector Development Commission (OPDC), to function as the main agency responsible for developing, promoting and supporting electronic transactions in order to create trust, opportunity and equity for all. ETDA’s main mission is to conduct studies and research while providing support for the Electronic Transactions Commission and related agencies.
ETDA implemented the Thailand National Root CA (Certificate Authority) Project (“Thailand NRCA”) in fiscal year 2014. The Thailand NRCA allows interoperability of authenticating digital certificates issued by different service providers and serves as a central trust mechanism connecting digital signature systems used domestically and internationally. Thus it is an important piece of infrastructure that reinforces secure and safe electronic transactions. With the effort of a group of PKI technology service providers and operators, the Thailand PKI Association was established in 2009 with the aim of increasing Thai society’s knowledge and understanding of PKI technology and strengthening technical assistance among members. Past activities of the Association included a campaign for a higher level of PKI technology application, technical trials on the issuance of digital certificates to domestic services, and system trials on interoperability with foreign CAs (CA-CA Interoperability).

Audit Type: WebTrust
Auditor: BDO Malaysia
Auditor Website: http://www.bdo.my
Audit Document URL(s):
- WebTrust 2.0: https://cert.webtrust.org/ViewSeal?id=2154
- WebTrust SSL Baseline 2.0: https://cert.webtrust.org/ViewSeal?id=2155

Certificate Details
-------------------
Certificate Name: Thailand National Root Certification Authority – G1
Key Usage: Certificate Signing, Offline CRL Signing, CRL Signing
Thailand NRCA generated the root key pairs (G1) on 27 March 2013 during the key generation ceremony. Once the root key pairs had been generated, Thailand NRCA, as the root CA, signed the subordinate CA certificate of Thai Digital ID Company Limited (“TDID”) using the private key. Currently the CA system is offline and will only be activated under certain circumstances, such as certificate revocation or certificate activation.
- End entity certificate issuance policy:
- Number and type of subordinate CAs: 1 subordinate CA (TDID - Thai Digital ID Company Limited)
- Diagram and/or description of certificate hierarchy:

ETDA’s key function is to develop, promote and support Thailand’s digital signature environment. To that end, ETDA has adopted the Root CA trust model to address issues arising from incompatibility of proprietary data or of software originating from different CAs. The Root CA trust model is administered by Thailand’s National Root CA (“NRCA”), which recognizes certificates issued by each of Thailand’s CAs and allows for interoperability of cross-verification.
ETDA is seeking a WebTrust accredited third party assurance provider to assess the adequacy and effectiveness of controls employed for certification authority operations. BDO would be assessing the conformity of:
- Root CA: the Thailand National Root Certificate Authority - G1 (“NRCA”)
- Subordinate CAs: Thai Digital ID Company Limited – G2 (“TDID – G2”), Thai Digital ID Company Limited – G3 (“TDID – G3”).

Certificate download URL (on CA website): http://www.nrca.go.th/cert/nrca/THNRCA.der
Version: V3
SHA1 Fingerprint: 66 f2 dc fb 3f 81 4d de e9 b3 20 6f 11 de fe 1b fb df e1 32
Public key length (for RSA, modulus length) in bits: 4096 Bits
Valid From (YYYY-MM-DD): 2013-03-27
Valid To (YYYY-MM-DD): 2036-03-27

CRL HTTP URL: http://www.nrca.go.th/crl/THNRCA_arlfile.crl 
CRL issuing frequency for subordinate end-entity certificates: 6 Months
CRL issuing frequency for subordinate CA certificates: 6 Months
OCSP URL: http://ocsp.nrca.go.th 

Class (domain-validated, identity/organizationally-validated or EV):
Certificate Policy URL: http://www.nrca.go.th/cps/cpsv3.pdf 
CPS URL: http://www.nrca.go.th/cp/cpv3.pdf 
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root
(if applying for SSL): https://www.thaidigitalid.com/tdid.web.register/
Group: mozilla-employee-confidential
Whiteboard: [ca-initial] -- OK to begin Information Verification
Assignee: kwilson → awu
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-initial] -- OK to begin Information Verification → [ca-verifying]
Hi Mr. Thitikorn Trakoonsirisak,

Based on the CPS and the information you provided, I've verified the details and entered them into Salesforce. Please see the attachment in Comment #1; we need more information from you on the items marked as "Need Response from CA".

For Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing


Kind regards,
Aaron
Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment
Hi Mr. Thitikorn Trakoonsirisak,

For the root certificate, I've updated more information in Salesforce and attached the file in Comment #3.

What we currently need from you:
1. CAInformation PDF file in Comment #3, for the items marked "Need Response from CA" or "Need Clarification from CA"
2. BR Self Assessment as described in Comment #1, which includes a link to a template for the CA's BR Self Assessment as a Google Doc [1]; please fill it in and attach it to this bug.

[1]
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing


Thank you so much!

Kind regards,
Aaron
Product: mozilla.org → NSS
(In reply to Aaron Wu from comment #4)
> [...]

Hi Aaron

We have filled in the Google Doc for the BR Self Assessment; see the link below.

Regards,
Waiphot P.

https://docs.google.com/spreadsheets/d/1IiwAJ8subF76FPvPDGshThsXW-Y9mO1NljHonhFq5Ew/edit#gid=0
Dear Aaron

Please see the attached file for the clarification from the CA.

Best Regards,
Waiphot P.
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - BR Self Assessment Received
(In reply to waiphot from comment #5)
> [...]

Hi Waiphot P.

Thanks for your update! But it seems we don't have permission to access your BR Self Assessment Doc above; the better way is to attach the file to this bug, and we will also refer to this attachment in Salesforce.

Thanks,
Aaron
(In reply to waiphot from comment #6)
> Created attachment 8868458 [details]
> Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf
> 
> Dear Aaron
> 
> As attach file for Clarification from CA.
> 
> Best Regards,
> Waiphot P.

Thanks for your information update in the attached file; there is some information you might have missed, which I summarize below:

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

2. Revocation Test: please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

3. Please provide your audit statement and BR audit document and attach in this bug.

Thanks,
Aaron
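The two OCSP errors listed above come from a revocation checker comparing the responder's signing certificate against the response it signed: the signer had already expired, and even a fresh signer would lapse before the response's NextUpdate. As an added example (not code from this bug or from any Mozilla or NRCA tool), the Go program below encodes those two checks plus the neighbouring ones a checker usually runs, over a constructed response summary; the OCSPSummary type, its field names and the sample timestamps are assumptions made for this example.

```go
package main

import (
	"fmt"
	"time"
)

// OCSPSummary holds the fields a revocation checker pulls out of an OCSP
// response and out of the certificate that signed it. Constructed type for
// this example, not the schema of any real tool.
type OCSPSummary struct {
	ThisUpdate      time.Time
	NextUpdate      time.Time // zero value: the optional nextUpdate field was absent
	SignerNotBefore time.Time
	SignerNotAfter  time.Time
}

// maxSubscriberInterval is the BR 4.9.10 ceiling on the validity interval of
// an OCSP response for a subscriber certificate (ten days).
const maxSubscriberInterval = 10 * 24 * time.Hour

// CheckOCSP returns every problem found. The first two messages use the same
// wording as the errors quoted in the thread so the output lines up with them.
func CheckOCSP(s OCSPSummary, now time.Time) []string {
	var problems []string
	if now.After(s.SignerNotAfter) {
		// A Go Duration prints as e.g. "2881h8m23.16633834s", the form seen above.
		problems = append(problems, fmt.Sprintf("OCSP signing certificate has expired %v ago", now.Sub(s.SignerNotAfter)))
	}
	if now.Before(s.SignerNotBefore) {
		problems = append(problems, "OCSP signing certificate is not yet valid")
	}
	if s.ThisUpdate.After(now) {
		problems = append(problems, "OCSP response thisUpdate is in the future")
	}
	if s.NextUpdate.IsZero() {
		problems = append(problems, "OCSP response has no nextUpdate, so clients cannot tell when it goes stale")
		return problems
	}
	if s.SignerNotAfter.Before(s.NextUpdate) {
		problems = append(problems, "OCSP signing certificate expires before NextUpdate")
	}
	if now.After(s.NextUpdate) {
		problems = append(problems, fmt.Sprintf("OCSP response is stale: NextUpdate passed %v ago", now.Sub(s.NextUpdate)))
	}
	if s.NextUpdate.Sub(s.ThisUpdate) > maxSubscriberInterval {
		problems = append(problems, "OCSP validity interval exceeds the BR 4.9.10 ten-day maximum for subscriber certificates")
	}
	return problems
}

func main() {
	// Constructed sample: the signer certificate lapsed about 120 days before
	// the check, while the response it signed still claims to be good for a day.
	now := time.Date(2017, time.June, 1, 0, 0, 0, 0, time.UTC)
	broken := OCSPSummary{
		ThisUpdate:      now.Add(-time.Hour),
		NextUpdate:      now.Add(24 * time.Hour),
		SignerNotBefore: now.Add(-2 * 365 * 24 * time.Hour),
		SignerNotAfter:  now.Add(-2881 * time.Hour),
	}
	for _, p := range CheckOCSP(broken, now) {
		fmt.Println("ERROR:", p)
	}
}
```

Both of the thread's errors have the same root cause: a responder certificate with a short lifetime that nobody rotated. Checking the signer's notAfter against the response's NextUpdate at the time the response is produced, rather than only at the time it is consumed, is what prevents the second error from ever reaching a client.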
Attached file: CA's BR Self Assessment.pdf (obsolete)
Dear Aaron

Please find attached the CA's BR Self Assessment.

Thanks,
Waiphot
Hi Waiphot,

Thanks for providing the BR Self Assessment and attaching it to this bug.

Please also provide feedback on comment #8, and let me know if you have any further questions.

Thanks,
Aaron
Hi Waiphot,

Could we know when the next version of your CP/CPS will be available? Please also provide an updated BR Self Assessment corresponding to the updated CP/CPS.

We also need your feedback on Comment #8; thanks for your response.

Kind regards,
Aaron
(In reply to Aaron Wu from comment #8)
> [...]

Dear Aaron

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Refer to the links below:

http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html

2. Revocation Test: please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

Refer to the link below:
http://ocsp.nrca.go.th

Best Regards,
Waiphot P.
Dear Waiphot 

Thanks for your information update. I've verified the Revocation Test with the data you provided and it looks good now.

Furthermore, I still need your help to update more information; please allow me to list it below:

1. Please provide the up-to-date CP/CPS documents; the current ones are from 2015
2. Please upload your CA/BR Audit Statement to this bug
3. Please update your BR Self Assessment to correspond to your latest version of the CP/CPS
4. Please provide THREE (3) test websites, respectively for
   - valid
   - revoked
   - expired
As per CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates..”

Please let me know if you have further question, thank you so much!

Kind regards,
Aaron
Dear Aaron

More information updates below:

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2015

Ans: CP/CPS Version 3.0
   - http://nrca.go.th/cp/cpv3.pdf
   - http://nrca.go.th/cps/cpsv3.pdf
   CP/CPS Version 2.1
   - http://nrca.go.th/cp/cp.pdf
   - http://nrca.go.th/cps/cps.pdf

2. Please upload your CA/BR Audit Statement in this bug
Ans: https://bugzilla.mozilla.org/attachment.cgi?id=8868458

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS
Ans: https://bugzilla.mozilla.org/attachment.cgi?id=8883206

4. Please provide THREE (3) Test websites respectively for
Ans: I will send the information as soon as possible.

Regards,
Waiphot P.
(In reply to waiphot from comment #14)
> Dear Aaron
> 
> More information update below 
> 
> 1. Please provide the up-to-date CP/CPS documents, the current ones are in
> 2015
>   
> Ans: CP/CPS Version 3.0
>    - http://nrca.go.th/cp/cpv3.pdf
>    - http://nrca.go.th/cps/cpsv3.pdf
>    CP/CPS Version 2.1
>    - http://nrca.go.th/cp/cp.pdf
>    - http://nrca.go.th/cps/cps.pdf

I found CP/CPS 3.0 was updated in August 2015; do you have a newer version? Your BR Self Assessment mentioned that some information will be added in the next version of your CP/CPS.
> 
> 2. Please upload your CA/BR Audit Statement in this bug
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8868458

In this attachment I cannot find the PDF file of the Audit Statement; it should be uploaded to www.webtrust.org or to your website/domain, which we will check with the auditor.
> 
> 3. Please update your BR Self Assessment corresponding to your latest
> version of CP/CPS
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8883206

As mentioned in (1), please update your BR Self Assessment to correspond to your updated CP/CPS.

> 
> 4. Please provide THREE (3) Test websites respectively for
> Ans : I will sent information in soonest.

Thanks!

Thank you so much!

Kind Regards,
Aaron
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
CA's BR Self Assessment for Thailand NRCA Update 31-08-2018
Attachment #8883206 - Attachment is obsolete: true
Dear Aaron

I would like to update the information as below:

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2018

CP: https://www.nrca.go.th/publishing-detail/cpv4th.html
CPS: https://www.nrca.go.th/publishing-detail/cpsv4th.html

2. Please upload your CA/BR Audit Statement in this bug

WebTrust 2.0     : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS

https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573

4. Please provide THREE (3) Test websites respectively for

http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.th

Thanks!
Waiphot P.
Dear Aaron

I would like to update the latest information as below:

4. Please provide THREE (3) Test websites respectively for

https://ssldemo1.thaidigitalid.com/    Status: Valid
https://ssldemo2.thaidigitalid.com/    Status: Revoked
https://ssldemo3.thaidigitalid.com/    Status: Expired

Thanks!
Waiphot P.
The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110

In particular:

- How do customers report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates? Is there an email address that the CA closely monitors?

- When you provide your current audit statements, please make sure that they meet Mozilla's requirements including listing the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information

The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139

- Where in the CP/CPS does it say that the "Thailand National Root Certification Authority - G1" root and its subordinate CAs must follow the policies and practices in these documents?

- Section 2.2 of the BRs states: "CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue. 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS 

- In the CPS, change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP". 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647

- Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug. 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History 

- Update CP/CPS to provide clarification about the domain validation that the CA does. See 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements 

- If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS sections that describe how the CA verifies that the certificate subscriber owns the email address to be included in the certificate. 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control 

- CP/CPS section 3.2.2.4 says "FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1. Somewhere in the CP or CPS it needs to be made clear for SSL certs. 
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN 

- I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP 

- Which CP/CPS sections describe the CA Hierarchy for this root cert?

- CP/CPS indicates that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files 

- Clarify in the CP/CPS what can be delegated to third parties. 
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties	

- I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

- Please test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.

- Resolve cert lint errors, and add pre-issuance lint-testing to prevent such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27 
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24
QA Contact: kwilson
Whiteboard: [ca-verifying] - BR Self Assessment Received → [ca-verifying] - KW Comment #20 2018-10-30
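Two of the items in the comment above, the SHA-256 fingerprints that audit statements must list and the request to add pre-issuance lint-testing, are mechanical checks a CA can script. The Go program below is an added example, not code from this bug, the CCADB or the NRCA: it builds a throwaway root and intermediate with the standard library, verifies the chain, prints both fingerprints in the colon-separated form the CCADB uses, and lints a leaf template for the BR 7.1.4.2.1 rule cited above (DNS names belong in the SAN) and the 825-day validity limit that applied in 2018. The demo CA names, the helper names and the example.com template are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint renders the SHA-256 hash of a DER-encoded certificate in the
// colon-separated upper-case hex form that audit statements and the CCADB list.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// newCACert issues a CA certificate: self-signed when parent is nil, otherwise
// signed by parentKey. Constructed demo hierarchy, not the NRCA root or TDID.
func newCACert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial only
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// HierarchyFingerprints builds root -> intermediate, checks the intermediate's
// signature against the root, and returns both fingerprints in that order.
func HierarchyFingerprints() ([]string, error) {
	root, rootKey, err := newCACert("Demo Root CA", nil, nil)
	if err != nil {
		return nil, err
	}
	inter, _, err := newCACert("Demo Intermediate CA", root, rootKey)
	if err != nil {
		return nil, err
	}
	if err := inter.CheckSignatureFrom(root); err != nil {
		return nil, err
	}
	return []string{Fingerprint(root.Raw), Fingerprint(inter.Raw)}, nil
}

// LintLeaf runs pre-issuance checks over a TLS server certificate template,
// including the rule the thread cites (BR 7.1.4.2.1: DNS names go in the SAN).
func LintLeaf(tmpl *x509.Certificate) []string {
	var findings []string
	if len(tmpl.DNSNames) == 0 && len(tmpl.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName entries")
	}
	if cn := tmpl.Subject.CommonName; cn != "" {
		inSAN := false
		for _, d := range tmpl.DNSNames {
			inSAN = inSAN || strings.EqualFold(d, cn)
		}
		if !inSAN {
			findings = append(findings, "CN "+cn+" is not repeated as a dNSName in subjectAltName")
		}
	}
	if tmpl.NotAfter.Sub(tmpl.NotBefore) > 825*24*time.Hour { // BR 6.3.2 limit in force in 2018
		findings = append(findings, "validity period exceeds 825 days")
	}
	return findings
}

func main() {
	fps, err := HierarchyFingerprints()
	if err != nil {
		panic(err)
	}
	fmt.Println("root:        ", fps[0], "\nintermediate:", fps[1])
	fmt.Println("lint:", LintLeaf(&x509.Certificate{Subject: pkix.Name{CommonName: "www.example.com"}}))
}
```

Running LintLeaf against the template before calling CreateCertificate is the point: a certificate that fails the lint never gets a signature, so the crt.sh lint pages stay clean instead of being cleaned up after the fact.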

(In reply to waiphot from comment #18)
> [...]

Dear Wilson,
I would like to update:

(In reply to Kathleen Wilson from comment #20)
> The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110
>
> In particular:
>
> - How do customers report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates? Is there an email address that the CA closely monitors?
>
> - When you provide your current audit statements, please make sure that they meet Mozilla's requirements including listing the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit.
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
>
> The audits listed in Comment #18 are:
> https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
> https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139

Updated audit list for comment #18:
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

> - Where in the CP/CPS does it say that the "Thailand National Root Certification Authority - G1" root and its subordinate CAs must follow the policies and practices in these documents?

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html):

1. Introduction
1.1 Overview

A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.

> - Section 2.2 of the BRs states: "CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
>
> - In the CPS, change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP".
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
>
> - Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

> - Update CP/CPS to provide clarification about the domain validation that the CA does. See
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html):

3.2.2.4. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.

> - If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS sections that describe how the CA verifies that the certificate subscriber owns the email address to be included in the certificate.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
>
> - CP/CPS section 3.2.2.4 says "FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension".
> The word "may" does not meet the requirement of BR section 7.1.4.2.1. Somewhere in the CP or CPS it needs to be made clear for SSL certs.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
>
> - I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards to OCSP.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
>
> - Which CP/CPS sections describe the CA Hierarchy for this root cert?
>
> - CP/CPS indicates that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
>
> - Clarify in the CP/CPS what can be delegated to third parties.
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
>
> - I am unable to connect to any of these test websites -- times out.
> https://ssldemo1.thaidigitalid.com/
> https://ssldemo2.thaidigitalid.com/
> https://ssldemo3.thaidigitalid.com/

Please provide us with an IP address to allow access to these test websites. The system typically does not allow access from IP addresses outside Thailand.

Once we have received your IP address, we will change the internal settings accordingly.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Dear Wilson,
I would like to update the information as below:

(In reply to waiphot from comment #21)
> [...]
> (In reply to Kathleen Wilson from comment #20)
> - How do customers report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates? Is there an email address that the CA closely monitors?
In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html):

5.7.1 Incident and Compromise Handling Procedures
The CA that issues certificates under this CP shall have an incident response plan and a disaster recovery plan. If compromise of a CA is suspected, an independent third-party investigation shall be performed in order to determine the nature and the degree of damage. Issuance of certificates from that CA shall be stopped immediately upon detection of a compromise. If a CA private signing key is suspected of compromise, the procedure outlined in section 5.7.3 shall be followed. Otherwise, the scope of potential damage shall be assessed in order to determine if the CA needs to be rebuilt, only some certificates need to be revoked, and/or the CA private key needs to be declared compromised.
The phone number and email address for customer reports, which the CA closely monitors:
Phone Number: (66)-2-123-1234
Email: nrca@etda.or.th

The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.
ashx?AttachmentID=221139

Update the audits lists in comment #18
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

  • Where in the CP/CPS does it say that the "Thailand National Root
    Certification Authority - G1" root and its subordinate CAs must follow the
    policies and practices in these documents?

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

  1. Introduction
    1.1 Overview

A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.

  • Section 2.2 of the BRs states: "CA's Certificate Policy and/or
    Certification Practice Statement ... shall clearly specify the set of Issuer
    Domain Names that the CA recognises in CAA "issue" or "issuewild" records as
    permitting it to issue."
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

  • In the CPS, change "Not Applicable" to text that indicates that the rules
    as stated in the CP are followed. For example "Refer to CP".
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647

  • Provide complete history of audit statements for this root in this
    Bugzilla bug, or provide on CA's website and list all of the URLs in a
    comment in this bug.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

  • Update CP/CPS to provide clarification about the domain validation that
    the CA does. See
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)

3.2.2.4. Validation of Domain Authorization or Control

This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.

  • If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS
    sections that describe how the CA verifies that the certificate subscriber
    owns the email address to be included in the certificate.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control

  • CP/CPS section 3.2.2.4 says "FQDNs may be listed in Subscriber Certificates
    using dNSNames in the subjectAltName extension".
    The word "may" does not meet the requirement of BR section 7.1.4.2.1.
    Somewhere in the CP or CPS it needs to be made clear for SSL certs.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN

  • I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards
    to OCSP.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

  • Which CP/CPS sections describe the CA Hierarchy for this root cert?

  • CP/CPS indicate that the CA can generate key pairs for customers. This is
    not allowed for SSL certs, see
    https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files

  • Clarify in the CP/CPS what can be delegated to third parties.
    https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties

  • I am unable to connect to any of these test websites -- times out.
    https://ssldemo1.thaidigitalid.com/
    https://ssldemo2.thaidigitalid.com/
    https://ssldemo3.thaidigitalid.com/

Please provide us with your IP address to allow access to these test websites. The system typically does not allow access from IP addresses outside Thailand.

Once we receive your IP address, we will change the internal settings accordingly.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

Thanks!
Waiphot P.
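
The CAA item above asks the CP/CPS to name the "set of Issuer Domain Names" the CA recognises in "issue" and "issuewild" records. As an added illustration of what a CA actually does with that set at issuance time (this is not code from the bug thread, from Mozilla, or from Thailand NRCA), the Python below evaluates a requested FQDN against a CAA record set following the RFC 8659 rules as I understand them: climb from the FQDN toward the TLD, take the first CAA RRset found, let "issuewild" alone govern wildcard names when present, treat an empty issuer (";") as "nobody may issue", and refuse on an unknown critical property. The zone data is constructed for the example, and "ca.example" as the CA's issuer domain is a hypothetical value; a real CA would replace the dictionary lookup with a DNS query.

```python
"""Added example: RFC 8659-style CAA check a CA performs before issuing.

The zone below is constructed for this example; "ca.example" is a
hypothetical issuer domain standing in for whatever the CP/CPS names.
"""
from typing import Dict, List, Optional, Tuple

CAA_CRITICAL = 0x80  # "issuer critical" flag bit

# Constructed CAA data: owner name -> list of (flags, tag, value).
CONSTRUCTED_ZONE: Dict[str, List[Tuple[int, str, str]]] = {
    "example.com": [(0, "issue", "ca.example"),
                    (0, "iodef", "mailto:security@example.com")],
    "locked.example.com": [(0, "issue", ";")],                 # nobody may issue
    "wild.example.com": [(0, "issue", "other-ca.example"),     # non-wildcard: other CA
                         (0, "issuewild", "ca.example")],      # wildcard: ca.example
    "onlywild.example.com": [(0, "issuewild", "other-ca.example")],
    "params.example.com": [(0, "issue", "ca.example; validationmethods=dns-01")],
    "critical.example.com": [(CAA_CRITICAL, "frobnicate", "x")],
}


def relevant_rrset(fqdn: str, zone: Dict[str, List[Tuple[int, str, str]]]
                   ) -> Tuple[Optional[str], List[Tuple[int, str, str]]]:
    """Walk from the FQDN toward the TLD; the first name with a CAA set wins."""
    labels = fqdn.lower().rstrip(".").split(".")
    if labels and labels[0] == "*":
        labels = labels[1:]  # the wildcard label itself never carries CAA records
    while labels:
        name = ".".join(labels)
        rrs = zone.get(name, [])
        if rrs:
            return name, rrs
        labels = labels[1:]
    return None, []


def issuer_domain(value: str) -> str:
    """'ca.example; accounturi=...' -> 'ca.example'; ';' or '' -> '' (no issuer)."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits_issuance(fqdn: str, issuer_domains: List[str],
                         zone: Dict[str, List[Tuple[int, str, str]]] = CONSTRUCTED_ZONE
                         ) -> Tuple[bool, str]:
    """Return (permitted, reason) for issuing a certificate covering fqdn."""
    recognised = {d.lower() for d in issuer_domains}
    name, rrs = relevant_rrset(fqdn, zone)
    if not rrs:
        return True, "no CAA records found; issuance is unrestricted"

    # An unknown property flagged critical means the CA MUST NOT issue.
    for flags, tag, _ in rrs:
        if flags & CAA_CRITICAL and tag.lower() not in ("issue", "issuewild", "iodef"):
            return False, f"unknown critical property {tag!r} at {name}"

    tag = "issue"
    if fqdn.startswith("*.") and any(t.lower() == "issuewild" for _, t, _ in rrs):
        tag = "issuewild"  # when present, issuewild alone governs wildcard names

    allowed = [issuer_domain(v) for _, t, v in rrs if t.lower() == tag]
    if not allowed:
        return True, f"no '{tag}' property at {name}; issuance is unrestricted"
    if any(d in recognised for d in allowed):
        return True, f"'{tag}' at {name} names a recognised issuer domain"
    return False, f"'{tag}' at {name} permits only {allowed}"


if __name__ == "__main__":
    for host in ("www.example.com", "locked.example.com", "*.wild.example.com",
                 "host.wild.example.com", "params.example.com", "critical.example.com"):
        print(host, caa_permits_issuance(host, ["ca.example"]))
```

The check is only as good as the issuer-domain list it is given, which is why the BR wording quoted above wants that list published in the CP/CPS: a relying party or auditor can then reproduce exactly this decision for any domain.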

Hello Waiphot,

The CP/CPS still do not meet the requirements for this request to complete the Information Verification phase (step 2) of Mozilla's root inclusion process (https://wiki.mozilla.org/CA/Application_Process). The CP/CPS documents and test websites will need to be updated as described below.
Please also note that CAs must provide publicly all information considered during the root inclusion process and for continuing to be included in Mozilla's root store. For example, CP, CPS and test websites must be publicly available, even to people who are not in Thailand.

The link below shows the information that has been verified for this root inclusion request. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110

In particular:

Whiteboard: [ca-verifying] - KW Comment #20 2018-10-30 → [ca-verifying] - KW 2019-03-18 - Comment #23