Add Thailand National Root CA - G1
Categories
(CA Program :: CA Certificate Root Program, task, P2)
Tracking
(Not tracked)
People
(Reporter: nrca, Assigned: bwilson)
Details
(Whiteboard: [ca-verifying])
Attachments
(41 files, 1 obsolete file)
CA Details
----------
CA Name: Thailand National Root CA - G1 ("Thailand NRCA")
Website: http://nrca.go.th

Electronic Transactions Development Agency (“ETDA”) is established on 25 November, 2010 under the Ministry of Information and Communication Technology (MICT) and according to the proposal of the Office of the Public Sector Development Commission (OPDC) to function as the main agency responsible for developing, promoting and supporting electronic transactions in order to create trust, opportunity and equity for all. ETDA’s main mission is to conduct studies and research while providing support for the Electronic Transactions Commission and related agencies.

ETDA has implemented Thailand National Root CA (Certificate Authority) Project (“Thailand NRCA”) on fiscal year 2014. The Thailand NRCA allows interoperability of authenticating digital certificates issued by different service providers and serves as a central trust mechanism connecting digital signature systems used domestically and internationally. Thus it is an important infrastructure that reinforces secure and safe electronic transactions.

With the effort of a group of PKI technology service providers or operators, the Thailand PKI Association was established in 2009 with an aim to increase Thai society’s knowledge and understanding of PKI technology and to strengthen technical assistance among members. Past activities of the Association included a campaign for a higher level of PKI technology application; the action taken to have technical trials on issuance of digital certificates to domestic service; and implementation of system trials on interoperability with foreign CAs (CA-CA Interoperability).

Audit Type: WebTrust
Auditor: BDO Malaysia
Auditor Website: http://www.bdo.my
Audit Document URL(s): WebTrust 2.0 : https://cert.webtrust.org/ViewSeal?id=2154 , WebTrust SSL Baseline 2.0 https://cert.webtrust.org/ViewSeal?id=2155

Certificate Details
-------------------
Certificate Name: Thailand National Root Certification Authority – G1
Key Usage : for Certificate signing, Offline CRL Signing, CRL Signing

Thailand NRCA has generated the root key pairs (G1) on 27th March 2013 during the key generation ceremony. Upon the root key pairs were generated, Thailand NRCA as the root CA, had signed on subordinate CA certificate i.e. Thai Digital ID Company Limited (“TDID”) using the private key. Currently the CA system is offline and only will be activated under certain circumstances such as certificate revocation or certificate activation.

- End entity certificate issuance policy
- Number and type of subordinate CAs : 1 Subordinate CA (TDID -Thai Digital ID Company Limited)
- Diagram and/or description of certificate hierarchy:

ETDA’s key functions is to develop, promote and support Thailand’s digital signature environment. To that end, ETDA has adopted the Root CA trust model to address issues arising from incompatibility of proprietary data or incompatibility of software originating from different CAs. The Root CA trust model is administered by Thailand’s National Root CA (“NRCA”) which recognizes certificates issued by each of Thailand’s CAs and allows for interoperability of cross-verification. ETDA is seeking a WebTrust accredited third party assurance provider to assess the adequacy and effectiveness of controls employed for certification authority operations. BDO would be assessing the conformity of
• Root CA : the Thailand National Root Certificate Authority - G1 (“NRCA”)
• Subordinate CA : Thai Digital ID Company Limited – G2 (“TDID – G2”) ,Thai Digital ID Company Limited – G3 (“TDID – G3”).

Certificate download URL (on CA website): http://www.nrca.go.th/cert/nrca/THNRCA.der
Version: V3
SHA1 Fingerprint: 66 f2 dc fb 3f 81 4d de e9 b3 20 6f 11 de fe 1b fb df e1 32
Public key length (for RSA, modulus length) in bits: 4096 Bits
Valid From (YYYY-MM-DD): 27 March 2013
Valid To (YYYY-MM-DD): 27 March 2036
CRL HTTP URL: http://www.nrca.go.th/crl/THNRCA_arlfile.crl
CRL issuing frequency for subordinate end-entity certificates: 6 Months
CRL issuing frequency for subordinate CA certificates: 6 Months
OCSP URL: http://ocsp.nrca.go.th
Class (domain-validated, identity/organizationally-validated or EV):
Certificate Policy URL: http://www.nrca.go.th/cps/cpsv3.pdf
CPS URL: http://www.nrca.go.th/cp/cpv3.pdf
Requested Trust Indicators (email and/or SSL and/or code signing):
URL of example website using certificate subordinate to this root (if applying for SSL): https://www.thaidigitalid.com/tdid.web.register/
Hi Mr.Thitikorn Trakoonsirisak,

Based on the CPS and the information you provided, I've verified and enter into Salesforce. Please see attachment in Comment#1 and we need your more information input which marked as "Need Response from CA"

For Test Website please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note: Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background =

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.
Description of this new step is here: https://wiki.mozilla.org/CA:BRs-Self-Assessment
It includes a link to a template for CA's BR Self Assessment, which is a Google Doc: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Kind regards,
Aaron
Hi Mr.Thitikorn Trakoonsirisak,

As root certificate, I've updated more information in Salesforce and attached file in Comment#3.

What we need your information input currently:
1. CAInformation pdf file in Comment#3, which marked as "Need Response from CA" or "Need Clarification from CA"
2. BR Self Assessment in Comment#1, it includes a link to a template for CA's BR Self Assessment which is a Google Doc[1], please fill in and attached in this bug.

[1] https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Thank you so much!

Kind regards,
Aaron
(In reply to Aaron Wu from comment #4)
> Hi Mr.Thitikorn Trakoonsirisak,
>
> As root certificate, I've updated more information in Salesforce and
> attached file in Comment#3.
>
> What we need your information input currently:
> 1. CAInformation pdf file in Comment#3, which marked as "Need Response from
> CA" or "Need Clarification from CA"
> 2. BR Self Assessment in Comment#1, it includes a link to a template for
> CA's BR Self Assessment which is a Google Doc[1], please fill in and
> attached in this bug.
>
> [1]
> https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
>
>
> Thank you so much!
>
> Kind regards,
> Aaron

Hi Aaron

We fill in on google Doc for BR Self Assessment by link below

Regards,
Waiphot P.

https://docs.google.com/spreadsheets/d/1IiwAJ8subF76FPvPDGshThsXW-Y9mO1NljHonhFq5Ew/edit#gid=0
Dear Aaron

As attach file for Clarification from CA.

Best Regards,
Waiphot P.
(In reply to waiphot from comment #5)
> (In reply to Aaron Wu from comment #4)
> > Hi Mr.Thitikorn Trakoonsirisak,
> >
> > As root certificate, I've updated more information in Salesforce and
> > attached file in Comment#3.
> >
> > What we need your information input currently:
> > 1. CAInformation pdf file in Comment#3, which marked as "Need Response from
> > CA" or "Need Clarification from CA"
> > 2. BR Self Assessment in Comment#1, it includes a link to a template for
> > CA's BR Self Assessment which is a Google Doc[1], please fill in and
> > attached in this bug.
> >
> > [1]
> > https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
> >
> >
> > Thank you so much!
> >
> > Kind regards,
> > Aaron
>
> Hi Aaron
>
> We fill in on google Doc for BR Self Assessment by link below
>
> Regards,
> Waiphot P.
>
> https://docs.google.com/spreadsheets/d/1IiwAJ8subF76FPvPDGshThsXW-Y9mO1NljHonhFq5Ew/edit#gid=0

Hi Waiphot P.

Thanks for your update!
But it seems we don't have permission to access your BR Self Assessment Doc. above, the better way is to attach this file in this bug and we will also refer to this attachment in Salesforce.

Thanks,
Aaron
(In reply to waiphot from comment #6)
> Created attachment 8868458 [details]
> Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf
>
> Dear Aaron
>
> As attach file for Clarification from CA.
>
> Best Regards,
> Waiphot P.

Thanks for your information update as attached file, there are some information you might missing to update which I summarize below:

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

2. Revocation Tested, please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

3. Please provide your audit statement and BR audit document and attach in this bug.

Thanks,
Aaron
Dear Aaron

As attach file for CA's BR Self Assessment.

Thanks,
Waiphot
Comment 10•7 years ago
Hi Waiphot,

Thanks to provide BR Self Assessment and attached in this bug.
Please also provide the feedback on comment#8 and please let me know if any further question.

Thanks,
Aaron
Comment 11•7 years ago
Hi Waiphot,

Could we know when the next version of your CP/CPS will be available? And please also provide update BR Self Assessment corresponding to updated CP/CPS.
We also need your feedback on Comment#8, thanks for your response.

Kind regards,
Aaron
Comment 12•7 years ago
(In reply to Aaron Wu from comment #8)
> (In reply to waiphot from comment #6)
> > Created attachment 8868458 [details]
> > Information Checklist for CAs Applying for Inclusion in Mozilla_20170517.pdf
> >
> > Dear Aaron
> >
> > As attach file for Clarification from CA.
> >
> > Best Regards,
> > Waiphot P.
>
> Thanks for your information update as attached file, there are some
> information you might missing to update which I summarize below:
>
> 1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
> CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow
> Application Software Suppliers to test their software with Subscriber
> Certificates that chain up to each publicly trusted Root Certificate. At a
> minimum, the CA SHALL host separate Web pages using Subscriber Certificates
> ..”
>
> 2. Revocation Tested, please fix the errors below
> Errors:
> - OCSP signing certificate has expired 2881h8m23.16633834s ago
> - OCSP signing certificate expires before NextUpdate
>
> 3. Please provide your audit statement and BR audit document and attach in
> this bug.
>
> Thanks,
> Aaron

Dear Aaron

1. Test Websites, please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

Refer Link as
http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html

2. Revocation Tested, please fix the errors below
Errors:
- OCSP signing certificate has expired 2881h8m23.16633834s ago
- OCSP signing certificate expires before NextUpdate

Refer Link as
http://ocsp.nrca.go.th

Best Regards,
Waiphot P.
Comment 13•7 years ago
Dear Waiphot

Thanks for your information update, I've verified Revocation Test with the data you provided and it looks good now.

Furthermore, I still need your help to update more information, please allow me to list down below

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2015
2. Please upload your CA/BR Audit Statement in this bug
3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS
4. Please provide THREE (3) Test websites respectively for
- valid
- revoked
- expired
As CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates..”

Please let me know if you have further question, thank you so much!

Kind regards,
Aaron
Comment 14•7 years ago
Dear Aaron

More information update below

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2015

Ans: CP/CPS Version 3.0
- http://nrca.go.th/cp/cpv3.pdf
- http://nrca.go.th/cps/cpsv3.pdf
CP/CPS Version 2.1
- http://nrca.go.th/cp/cp.pdf
- http://nrca.go.th/cps/cps.pdf

2. Please upload your CA/BR Audit Statement in this bug
Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8868458

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS
Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8883206

4. Please provide THREE (3) Test websites respectively for
Ans : I will sent information in soonest.

Regards,
Waiphot P.
Comment 15•7 years ago
(In reply to waiphot from comment #14)
> Dear Aaron
>
> More information update below
>
> 1. Please provide the up-to-date CP/CPS documents, the current ones are in
> 2015
>
> Ans: CP/CPS Version 3.0
> - http://nrca.go.th/cp/cpv3.pdf
> - http://nrca.go.th/cps/cpsv3.pdf
> CP/CPS Version 2.1
> - http://nrca.go.th/cp/cp.pdf
> - http://nrca.go.th/cps/cps.pdf

I found CP/CPS 3.0 updated in August 2015, do you have newer version? since your BR Self Assessment mentioned some information will be added in your next version of CP/CPS

>
> 2. Please upload your CA/BR Audit Statement in this bug
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8868458

In this attachment, I can not find the PDF file of Audit Statement, it should be uploaded on www.webtrust.org OR your website/domain which we will do auditor check.

>
> 3. Please update your BR Self Assessment corresponding to your latest
> version of CP/CPS
> Ans : https://bugzilla.mozilla.org/attachment.cgi?id=8883206

As mentioned in (1), please update your BR Self Assessment corresponding your updated CP/CPS

>
> 4. Please provide THREE (3) Test websites respectively for
> Ans : I will sent information in soonest.

Thanks!

>

Thank you so much!

Kind Regards,
Aaron
Comment 16•7 years ago
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Comment 17•6 years ago
CA's BR Self Assessment for Thailand NRCA Update 31-08-2018
Comment 18•6 years ago
Dear Aaron

I would link update information as below

1. Please provide the up-to-date CP/CPS documents, the current ones are in 2018

CP : https://www.nrca.go.th/publishing-detail/cpv4th.html
CPS : https://www.nrca.go.th/publishing-detail/cpsv4th.html

2. Please upload your CA/BR Audit Statement in this bug
WebTrust 2.0 : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359

3. Please update your BR Self Assessment corresponding to your latest version of CP/CPS

https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573

4. Please provide THREE (3) Test websites respectively for
http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.th

Thanks!
Waiphot P.
Comment 19•6 years ago
Dear Aaron

I would link update latest information as below

4. Please provide THREE (3) Test websites respectively for
https://ssldemo1.thaidigitalid.com/ Status : Valid
https://ssldemo2.thaidigitalid.com/ Status : Revoke
https://ssldemo3.thaidigitalid.com/ Status : Expired

Thanks!
Waiphot P.
Comment 20•6 years ago
The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110

In particular:

- How do customers report suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates? Is there an email address that the CA closely monitors.

- When you provide your current audit statements, please make sure that they meet Mozilla's requirements including listing the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139

- Where in the CP/CPS does it say that the "Thailand National Root Certification Authority - G1" root and its subordinate CAs must follow the policies and practices in these documents?

- Section 2.2 of the BRs states: "CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

- In the CPS, change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647

- Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

- Update CP/CPS to provide clarification about the domain validation that the CA does. See
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

- If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS sections that describe how the CA verifies that the certificate subscriber owns the email address to be included in the certificate.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control

- CP/CPS section 3.2.2.4 say "FQDNs may be listed in Subscriber Certificates using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1.
Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN

- I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

- Which CP/CPS sections describe the CA Hierarchy for this root cert?

- CP/CPS indicate that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files

- Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties

- I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

- Please test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.

- Resolve cert lint errors, and add pre-issuance lint-testing to prevent such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24
Comment 21•6 years ago
(In reply to waiphot from comment #18)
> Dear Aaron
>
> I would link update information as below
>
> - Please provide the up-to-date CP/CPS documents, the current ones are in
> 2018
>
> CP : https://www.nrca.go.th/publishing-detail/cpv4th.html
> CPS : https://www.nrca.go.th/publishing-detail/cpsv4th.html
>
> - Please upload your CA/BR Audit Statement in this bug
> WebTrust 2.0 : https://www.cpacanada.ca/webtrustseal?sealid=2351
> SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359
>
> - Please update your BR Self Assessment corresponding to your latest
> version of CP/CPS
>
> https://bug1348774.bmoattachments.org/attachment.cgi?id=9005573
>
> - Please provide THREE (3) Test websites respectively for
> http://webtest.nrca.go.th/issue_cert.html
> http://webtest.nrca.go.th/crl_cert.html
> http://ocsp.nrca.go.th
>
> Thanks!
> Waiphot P.

Dear Wilson

I would like to update

(In reply to Kathleen Wilson from comment #20)
> The link below shows the CA information that has been verified. Search in
> the page for the word "NEED" to see where further clarification is requested.
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110
>
> In particular:
>
> - How do customers report suspected Private Key Compromise, Certificate
> misuse, or other types of fraud, compromise, or any other matter related to
> certificates? Is there an email address that the CA closely monitors.
>
> - When you provide your current audit statements, please make sure that they
> meet Mozilla's requirements including listing the SHA-256 Fingerprints of
> the root and intermediate certificates that were in scope of the audit.
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
>
> The audits listed in Comment #18 are:
> https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
> https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139

Update the audits lists in comment #18
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

> - Where in the CP/CPS does it say that the "Thailand National Root
> Certification Authority - G1" root and its subordinate CAs must follow the
> policies and practices in these documents?

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)
- Introduction
1.1 Overview
A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.

> - Section 2.2 of the BRs states: "CA's Certificate Policy and/or
> Certification Practice Statement ... shall clearly specify the set of Issuer
> Domain Names that the CA recognises in CAA "issue" or "issuewild" records as
> permitting it to issue.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
>
> - In the CPS, change "Not Applicable" to text that indicates that the rules
> as stated in the CP are followed. For example "Refer to CP".
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
>
> - Provide complete history of audit statements for this root in this
> Bugzilla bug, or provide on CA's website and list all of the URLs in a
> comment in this bug.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087

> - Update CP/CPS to provide clarification about the domain validation that
> the CA does. See
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements

In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)
3.2.2.4. Validation of Domain Authorization or Control
This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.

> - If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS
> sections that describe how the CA verifies that the certificate subscriber
> owns the email address to be included in the certificate.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
>
> - CP/CPS section 3.2.2.4 say "FQDNs may be listed in Subscriber Certificates
> using dNSNames in the subjectAltName extension".
> The word "may" does not meet the requirement of BR section 7.1.4.2.1.
> Somewhere in the CP or CPS it needs to be made clear for SSL certs.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
>
> - I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards
> to OCSP.
> https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
>
> - Which CP/CPS sections describe the CA Hierarchy for this root cert?
>
> - CP/CPS indicate that the CA can generate key pairs for customers. This is
> not allowed for SSL certs, see
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
>
> - Clarify in the CP/CPS what can be delegated to third parties.
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
>
> - I am unable to connect to any of these test websites -- times out.
> https://ssldemo1.thaidigitalid.com/
> https://ssldemo2.thaidigitalid.com/
> https://ssldemo3.thaidigitalid.com/

Please provide us ip address to allow the access of these test websites. The system typically does not allow the access of ip address outside Thailand.
Once received your IP address, we will change internal settings accordingly.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/

> - Please test with http://certificate.revocationcheck.com/ and make sure
> there aren't any errors.
>
> - Resolve cert lint errors, and add pre-issuance lint-testing to prevent
> such errors in future.
> https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
> https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24
Comment 22•6 years ago
Dear Wilson
I would like to update information as below
(In reply to waiphot from comment #21)
(In reply to waiphot from comment #18)
Dear Aaron
I would link update information as below
- Please provide the up-to-date CP/CPS documents, the current ones are in
2018CP : https://www.nrca.go.th/publishing-detail/cpv4th.html
CPS : https://www.nrca.go.th/publishing-detail/cpsv4th.html
- Please upload your CA/BR Audit Statement in this bug
WebTrust 2.0 : https://www.cpacanada.ca/webtrustseal?sealid=2351
SSL Baseline 2.3 : https://www.cpacanada.ca/webtrustseal?sealid=2359
- Please update your BR Self Assessment corresponding to your latest
version of CP/CPShttps://bug1348774.bmoattachments.org/attachment.cgi?id=9005573
- Please provide THREE (3) Test websites respectively for
http://webtest.nrca.go.th/issue_cert.html
http://webtest.nrca.go.th/crl_cert.html
http://ocsp.nrca.go.thThanks!
Waiphot P.Dear Wilson
I would like to update(In reply to Kathleen Wilson from comment #20)
The link below shows the CA information that has been verified. Search in
the page for the word "NEED" to see where further clarification is requested.https://ccadb-public.secure.force.com/mozilla/
PrintViewForCase?CaseNumber=00000110In particular:
- How do customers report suspected Private Key Compromise, Certificate
misuse, or other types of fraud, compromise, or any other matter related to
certificates? Is there an email address that the CA closely monitors.
In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)
5.7.1 Incident and Compromise Handling Procedures
The CA that issues certificates under this CP shall have an incident response plan and a disaster recovery plan. If compromise of a CA is suspected, an independent third-party investigation shall be performed in order to determine the nature and the degree of damage. Issuance of certificates from that CA shall be stopped immediately upon detection of a compromise. If a CA private signing key is suspected of compromise, the procedure outlined in section 5.7.3 shall be followed. Otherwise, the scope of potential damage shall be assessed in order to determine if the CA needs to be rebuilt, only some certificates need to be revoked, and/or the CA private key needs to be declared compromised.
Provide Phone Number and Email for customer reports the CA closely monitors.
Phone Number : (66)-2-123-1234
Email for customer reports the CA closely monitors. Email : nrca@etda.or.th
- When you provide your current audit statements, please make sure that they
meet Mozilla's requirements including listing the SHA-256 Fingerprints of
the root and intermediate certificates that were in scope of the audit.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
The audits listed in Comment #18 are:
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221138
https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221139
Update the audits lists in comment #18:
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087
- Where in the CP/CPS does it say that the "Thailand National Root
Certification Authority - G1" root and its subordinate CAs must follow the
policies and practices in these documents?
In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)
- Introduction
1.1 Overview
A Certificate Policy (CP) is the principal statement of policy governing the Thailand NRCA. The CP applies to all subordinate certification authorities under Thailand NRCA and thereby provides assurances of uniform trust throughout the Thailand NRCA.
The governance structure that represents the relying party is known as a Policy Authority (PA). As such, the PA is responsible for identifying the appropriate set of requirements for a given community, and oversees the CAs that issue certificates for that community. CAs which are operated under Thailand NRCA Trust Model must conform with this Certificate Policy.
Section 2.2 of the BRs states: "CA's Certificate Policy and/or
Certification Practice Statement ... shall clearly specify the set of Issuer
Domain Names that the CA recognises in CAA "issue" or "issuewild" records as
permitting it to issue."
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
In the CPS, change "Not Applicable" to text that indicates that the rules
as stated in the CP are followed. For example "Refer to CP".
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
Provide complete history of audit statements for this root in this
Bugzilla bug, or provide on CA's website and list all of the URLs in a
comment in this bug.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History
https://www.cpacanada.ca/webtrustseal?sealid=10086
https://www.cpacanada.ca/webtrustseal?sealid=10087
- Update CP/CPS to provide clarification about the domain validation that
the CA does. See
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements
In CP 4.0 (https://www.nrca.go.th/publishing-detail/cpv4th.html)
3.2.2.4. Validation of Domain Authorization or Control
This section defines the permitted processes and procedures for validating the Applicant's ownership or control of the domain. The CA SHALL confirm that prior to issuance, the CA has validated each Fully-Qualified Domain Name (FQDN) listed in the Certificate using at least one of the methods listed below.
Completed validations of Applicant authority may be valid for the issuance of multiple Certificates over time. In all cases, the validation must have been initiated within the time period specified in the relevant requirement (such as Section 4.2.1 of this document) prior to Certificate issuance. For purposes of domain validation, the term Applicant includes the Applicant's Parent Company, Subsidiary Company, or Affiliate. CAs SHALL maintain a record of which domain validation method, including relevant BR version number, they used to validate every domain.
If requesting the Email (S/MIME) trust bit for this root, then need CP/CPS
sections that describe how the CA verifies that the certificate subscriber
owns the email address to be included in the certificate.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
CP/CPS section 3.2.2.4 says "FQDNs may be listed in Subscriber Certificates
using dNSNames in the subjectAltName extension".
The word "may" does not meet the requirement of BR section 7.1.4.2.1.
Somewhere in the CP or CPS it needs to be made clear for SSL certs.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs in regards
to OCSP.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
Which CP/CPS sections describe the CA Hierarchy for this root cert?
CP/CPS indicate that the CA can generate key pairs for customers. This is
not allowed for SSL certs, see
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
Clarify in the CP/CPS what can be delegated to third parties.
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
I am unable to connect to any of these test websites -- times out.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/
Please provide us with an IP address to allow access to these test websites. The system typically does not allow access from IP addresses outside Thailand.
Once we have received your IP address, we will change the internal settings accordingly.
https://ssldemo1.thaidigitalid.com/
https://ssldemo2.thaidigitalid.com/
https://ssldemo3.thaidigitalid.com/
Please test with http://certificate.revocationcheck.com/ and make sure
there aren't any errors.
Resolve cert lint errors, and add pre-issuance lint-testing to prevent
such errors in future.
https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24
Thanks!
Waiphot P.
Comment 23•6 years ago
Hello Waiphot, The CP/CPS still do not meet the requirements for this request to complete the Information Verification phase (step 2) of Mozilla's root inclusion process (https://wiki.mozilla.org/CA/Application_Process). The CP/CPS documents and test websites will need to be updated as described below.
Please also note that CAs must provide publicly all information considered during the root inclusion process and for continuing to be included in Mozilla's root store. For example, CP, CPS and test websites must be publicly available, even to people who are not in Thailand.
The link below shows the information that has been verified for this root inclusion request. Search in the page for the word "NEED" to see where further clarification is requested.
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000110
In particular:
- The audit statements do not list the SHA-256 Fingerprints of the root and intermediate certificates that were in scope of the audit, per Mozilla's requirements: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
  I see that the root certificate's serial number is listed as in scope of the audit, but there is no reference to which intermediate certificates were in scope of the audit, so it appears that the intermediate certificates have not been audited. When Mozilla includes a root certificate, its intermediate certificates become trusted, so the intermediate certificates are expected to be audited as well. Therefore, please provide the complete audit history for the root and its intermediate certificates.
- Please update the CP/CPS to list the Domain Names that the CA recognizes in CAA "issue" or "issuewild" records as permitting it to issue, per
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
- Also, CPSv4 says that section 3.2.2.8, CAA Records, is not applicable, which does not meet the BRs. In the CPS, please change "Not Applicable" to text that indicates that the rules as stated in the CP are followed. For example "Refer to CP".
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
- Provide complete history of audit statements for this root in this Bugzilla bug, or provide on CA's website and list all of the URLs in a comment in this bug.
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History
- Please update the CP/CPS per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements
- Are you requesting that the Email (S/MIME) trust bit also be enabled for this root?
  If yes, the CP/CPS must be updated to describe how the CA verifies that the certificate subscriber owns the email address to be included in the S/MIME certificate.
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
- Update the CP/CPS to say that "FQDNs must be listed in Subscriber Certificates using dNSNames in the subjectAltName extension."
  The word "may" does not meet the requirement of BR section 7.1.4.2.1. Somewhere in the CP or CPS it needs to be made clear for SSL certs.
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
- The BRs require that the CA provides OCSP, so I don't think CP/CPS sections 4.9.9 and 4.9.10 satisfy the BRs.
  https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
- Which CP/CPS sections describe the CA Hierarchy for this root cert?
- CP/CPS indicate that the CA can generate key pairs for customers. This is not allowed for SSL certs, see
  https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Distributing_Generated_Private_Keys_in_PKCS.2312_Files
- Clarify in the CP/CPS what can be delegated to third parties.
  https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
- Please make the test websites public, and accessible to everyone -- including people not in Thailand. Mozilla's process and root store are public-facing, so all information considered must be publicly available.
- Please test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
- Resolve cert lint errors, and add pre-issuance lint-testing to prevent such errors in future.
  https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27
  https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24
Comment 24•4 years ago (Assignee)
Could the owner/operator of the Root CA, Electronics Transactions Development Agency, please provide us with a status update on its progress to meet the requests in Comment#23 and in updating its root inclusion case, no. 110 in the CCADB? Thank you.
Comment 25•4 years ago (Assignee)
I am inclined to close this inclusion request because we have not heard from the applicant in several months.
Comment 26•4 years ago (Assignee)
Applicant responded to inquiry that Mr. Waiphot and Ms. Pitinan are no longer with the organization and that they are working on a revised CPS
Comment 27•4 years ago (Assignee)
Requested status update from applicant
Comment 28•3 years ago (Assignee)
I am contemplating closing this Root CA inclusion case for failure to actively pursue it. Please note that CAs will need to present the following information - https://wiki.mozilla.org/CA/Quantifying_Value - in addition to what has already been requested.
Comment 29•3 years ago (Assignee)
Test websites (e.g. https://ssldemo1.thaidigitalid.com/ ) "time out" - they don't respond fast enough to run tests.
Comment 30•3 years ago
Dear Ben
We have updated CP/CPS version 4.2. Published on 21 Nov 21.
CP v4.2 : https://www.nrca.go.th/download-publishing/30/
CPS v4.2 : https://www.nrca.go.th/download-publishing/31/
Comment 31•2 years ago
Redirect a needinfo that is pending on an inactive user to the triage owner.
:kwilson, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 32•2 years ago
Thailand NRCA would like to address pending issues as follows:
- The recent audit statements now list SHA-256 Fingerprints of the root certificates.
  Intermediate certificates were audited separately and their audit statements will be submitted for consideration in October 2022.
- Recognized CAA Domain is "nrca.go.th" and has been added to CP and CPS accordingly.
- Sections 3.2.2.8 and 4.2.2 in CP/CPS have been updated to show how issuing CAs shall check CAA records and process them accordingly.
- History of audit statements can be found at https://bit.ly/AuditStatements .
- CP/CPS version 4.3 are being updated per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Baseline_Requirements and pending approval by our Policy Authority.
  They can be viewed at https://bit.ly/CPnCPS .
- The challenge/response method has been added in section 3.2.3.1 in CP/CPS to describe how the CA verifies that the certificate subscriber owns the email address to be included in the S/MIME certificate per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
- Section 7.1.4.2.1 in CP/CPS has been updated to say that "FQDNs must be listed in Subscriber Certificates using dNSNames in the subjectAltName extension." per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
- CP/CPS sections 4.9.9 and 4.9.10 in CP/CPS have been updated to say "OCSP SHALL NOT respond "Good" for unissued certs." per https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP
- The CA Hierarchy for this root cert is shown in Section 1.3.1 of CP.
- CP/CPS Section 6.1.1 now indicates that the CA shall not generate key pairs for customers.
- CP Sections 3.2.2.4 and 3.2.2.5 now indicate that "The CA SHALL NOT delegate validation of the domain portion of an email address." per https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Delegation_of_Domain_.2F_Email_Validation_to_Third_Parties
- Test websites can now be accessible from the general public anywhere in the world.
  See: http://ssldemo1.thaidigitalid.com/ for Valid test
  http://ssldemo2.thaidigitalid.com/ for Revoked test
  http://ssldemo3.thaidigitalid.com/ for Expired test
- All three test websites have passed the tests at http://certificate.revocationcheck.com/ and contain no errors.
- Pre-issuance lint-testing is now mandated for SubCAs.
- Per https://crt.sh/?caid=13888&opt=cablint,zlint,x509lint&minNotBefore=2013-03-27 ,
  the 2 certificates have been replaced. Since they have the "OCSP No Check" flag raised, the old (bad) certificates cannot be revoked and we have to wait for their automatic expiry in December 2022.
- Per https://crt.sh/?caid=23349&opt=cablint,zlint,x509lint&minNotBefore=2014-09-24 , this chain no longer issues new certificates, and all issued certificates have expired.
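
The CAA check that comment 23 asks the CP/CPS to describe, and that comment 32 says sections 3.2.2.8 and 4.2.2 now cover, can be sketched as below. This is an added example, not part of the Bugzilla thread and not NRCA's code: it follows RFC 8659 processing, takes the issuer domain "nrca.go.th" from comment 32, and replaces DNS with a constructed in-memory zone whose names are hypothetical.

```python
"""CAA issuance check per RFC 8659 against a constructed in-memory zone."""

RECOGNISED_ISSUER = "nrca.go.th"          # issuer domain stated in comment 32
KNOWN_TAGS = {"issue", "issuewild", "iodef"}
CRITICAL = 0x80                           # issuer-critical flag bit

# Constructed sample data (hypothetical names): owner -> [(flags, tag, value)].
# A real check queries DNS; lookup failures and DNSSEC are outside this sketch.
ZONE = {
    "example.go.th": [(0, "issue", "nrca.go.th")],
    "wild.example.go.th": [(0, "issue", "nrca.go.th"), (0, "issuewild", ";")],
    "other.example.org": [(0, "issue", "ca.example.net; account=123")],
    "strict.example.org": [(CRITICAL, "futuretag", "x"),
                           (0, "issue", "nrca.go.th")],
    "iodef.example.org": [(0, "iodef", "mailto:sec@example.org")],
}


def relevant_rrset(fqdn, zone):
    """Climb from the FQDN towards the root; return the first non-empty RRset."""
    labels = fqdn.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []


def issuer_domain(value):
    """Issuer domain name of an issue/issuewild value, parameters stripped."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, zone=ZONE, issuer=RECOGNISED_ISSUER):
    """Return (allowed, reason) for a dNSName the CA is asked to certify."""
    wildcard = name.startswith("*.")
    rrset = relevant_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA records on the name or any parent"
    for flags, tag, _ in rrset:
        if flags & CRITICAL and tag.lower() not in KNOWN_TAGS:
            return False, f"critical property '{tag}' not understood"
    issue = [v for _, t, v in rrset if t.lower() == "issue"]
    issuewild = [v for _, t, v in rrset if t.lower() == "issuewild"]
    # issuewild replaces issue for wildcard names and is ignored otherwise.
    applicable = issuewild if (wildcard and issuewild) else issue
    if not applicable:
        return True, "RRset has no property restricting this request"
    if any(issuer_domain(v) == issuer for v in applicable):
        return True, f"{issuer} is authorised"
    return False, f"{issuer} is not listed in the applicable properties"


if __name__ == "__main__":
    for n in ["www.example.go.th", "*.wild.example.go.th",
              "www.other.example.org", "strict.example.org",
              "iodef.example.org", "nocaa.example.com"]:
        print(n, caa_permits(n))
```

An empty issuer name (`;`) in `issuewild` blocks every CA for wildcard names while leaving the non-wildcard `issue` authorisation intact, which is why the two requests for `wild.example.go.th` get different answers.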
Comment 33•2 years ago
- Test websites can now be accessible from the general public anywhere in the world.
See: https://ssldemo1.thaidigitalid.com/ for Valid test
https://ssldemo2.thaidigitalid.com/ for Revoked test
https://ssldemo3.thaidigitalid.com/ for Expired test
(Updated to https protocol identifier, instead of http)
- Past public-facing audit statements of intermediate CAs have been uploaded to https://bit.ly/AuditStatements .
They will be individually uploaded to this Bugzilla thread shortly.
Comment 34•2 years ago
Quantifying Value by NRCA per https://wiki.mozilla.org/CA/Quantifying_Value
Comment 35•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2020 to 31 August 2021)
Comment 36•2 years ago
Comment on attachment 9301028 [details]
WebTrust for Certification Authorities (NRCA, period: 1 September 2020 to 31 August 2021)
WebTrust for Certification Authorities (NRCA, period: 1 September 2020 to 31 August 2021)
Comment 37•2 years ago
Comment on attachment 9301028 [details]
WebTrust for Certification Authorities (NRCA, period: 1 September 2020 to 31 August 2021)
WebTrust for Certification Authorities, NRCA, period 1 September 2020 to 31 August 2021
Comment 38•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2019 to 31 August 2020)
Comment 39•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2018 to 31 August 2019)
Comment 40•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2017 to 31 August 2018)
Comment 41•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2016 to 31 August 2017)
Comment 42•2 years ago
WebTrust for Certification Authorities (NRCA, period: 1 September 2015 to 31 August 2016)
Comment 43•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2015 to 31 August 2016)
Comment 44•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2016 to 31 August 2017)
Comment 45•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2017 to 31 August 2018)
Comment 46•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2018 to 31 August 2019)
Comment 47•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2019 to 31 August 2020)
Comment 48•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (NRCA, period: 1 September 2020 to 31 August 2021)
Comment 49•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2017 to 31 August 2018)
Comment 50•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2018 to 31 August 2019)
Comment 51•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (Thai Digital ID CA G3, period: 1 September 2019 to 31 August 2020)
Comment 52•2 years ago
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2019 to 31 August 2020)
Comment 53•2 years ago
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2018 to 31 August 2019)
Comment 54•2 years ago
WebTrust for Certification Authorities (Thai Digital ID CA G3, period: 1 September 2017 to 31 August 2018)
Comment 55•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2018 to 17 December 2019)
Comment 56•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2019 to 17 December 2020)
Comment 57•2 years ago
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2019 to 17 December 2020)
Comment 58•2 years ago
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2018 to 17 December 2019)
Comment 59•2 years ago
WebTrust for Certification Authorities (INET CA - G1, period: 18 December 2020 to 17 December 2021)
Comment 60•2 years ago
WebTrust for Certification Authorities - SSL Baseline with Network Security (INET CA - G1, period: 18 December 2020 to 17 December 2021)
Comment 61•2 years ago
Comment 62•2 years ago
Dear Ben & Kathleen,
We have updated NRCA's CP/CPS to version 4.3 and published them on NRCA's Public Repository (https://nrca.go.th/publish.html) on December 21st, 2022.
CP v4.3 : https://www.nrca.go.th/download-publishing/36/
CPS v4.3 : https://www.nrca.go.th/download-publishing/33/
Comment 63•2 years ago
Comment 64•2 years ago
Comment 65•2 years ago
This is the original report of the NRCA G1 Root Key Generation Ceremony with 3rd party witnesses.
Comment 66•2 years ago
Comment 67•2 years ago
Comment on attachment 9325349 [details]
WebTrust for CAv2.2.2 - IA & Management Assertion - ETDA2022
This NRCA "WebTrust for CA" audit report is also available from https://www.cpacanada.ca/GenericHandlers/CPACHandler.ashx?AttachmentID=40992bc6-b8d4-4bc1-b926-1ab9a10ad711
Comment 68•2 years ago
Comment 69•2 years ago
Comment on attachment 9325350 [details]
SSL Baselinev2.5 - IA & Management Assertion - ETDA2022
This NRCA "WebTrust SSL Baseline" audit report is also available from https://www.cpacanada.ca/GenericHandlers/CPACHandler.ashx?AttachmentID=d87a8145-83e6-49bf-ad5b-ca42ba2b9037
Comment 70•1 year ago
Comment 71•1 year ago
Comment 72•9 months ago
Dear Ben & Kathleen,
We have updated NRCA's CP/CPS to version 4.4 and published them on NRCA's Public Repository (https://www.nrca.go.th/publish.html) on December 14th, 2023.
CP v4.4: https://www.nrca.go.th/download-publishing/41/
CPS v4.4: https://www.nrca.go.th/download-publishing/40/
We also performed the annual CCADB Self-assessment (v1.2), which is attached.
Comment 73•9 months ago
Comment 74•8 months ago
Dear Ben & Kathleen,
We completed the WebTrust Audit 2023 for the NRCA G1/G2/G3 Roots:
WebTrust for CA: https://cpa.cpacanada.ca//GenericHandlers/CPACHandler.ashx?AttachmentID=4542d2b3-8578-4ced-b03c-602c40d0a2ff
WebTrust for CA - SSL Baseline: https://cpa.cpacanada.ca//GenericHandlers/CPACHandler.ashx?AttachmentID=45912e01-df76-4d2e-9dd6-059a11313e43
Comment 75•8 months ago
Dear Ben & Kathleen,
We hereby attach the Key Generation Independent Assurance Report for the new NRCA G2 and G3 Roots.
Comment 76•8 months ago
Comment 77•8 months ago
Dear Ben & Kathleen,
We hereby attach the Audit Team Qualification document for the NRCA WebTrust audit 2023.
Comment 78•8 months ago