Open Bug 1404221 Opened 2 years ago Updated 2 months ago

Add Root certificate of NAVER Business Platform

Categories

(NSS :: CA Certificate Root Program, task)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: hanyong.park, Assigned: ryan.sleevi)

Details

(Whiteboard: [ca-cps-review] - KW 2019-05-16)

Attachments

(7 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36

Steps to reproduce:

NAVER Business Platform, a private enterprise in South Korea, has established its Root Certification Authority (Root CA) for issuing SSL certificates to our customers.
NAVER Business Platform has officially applied for inclusion of our Root CA certificate in Mozilla products according to the Mozilla Root Store Policy since 2017.


Actual results:

N/A. We will follow the Mozilla Root Store Policy.


Expected results:

N/A. We will follow the Mozilla Root Store Policy.
Group: crypto-core-security
Mozilla's root inclusion process is intentionally very long and arduous, as described here:
https://wiki.mozilla.org/CA/Application_Process#Process_Overview

Please see
https://wiki.mozilla.org/CA/Application_Process#Who_May_Apply
and explain why you think NAVER should have their root certificate directly included in Mozilla's root store, rather than have it be cross-signed by an already-included root certificate.

If you truly believe that NAVER should have their root certificate directly included in Mozilla's root store then please provide the information listed here:
https://wiki.mozilla.org/CA/Information_Checklist
Assignee: kwilson → awu
Whiteboard: [ca-initial] -- Insufficient information
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
Kathleen, 

We attached our CA Information Checklist according to your guidance.
CPS English version
(In reply to Kathleen Wilson from comment #1)
> Mozilla's root inclusion process is intentionally very long and arduous, as
> described here:
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview
> 
> Please see
> https://wiki.mozilla.org/CA/Application_Process#Who_May_Apply
> and explain why you think NAVER should have their root certificate directly
> included in Mozilla's root store, rather than have it be cross-signed by an
> already-included root certificate.
> 
> If you truly believe that NAVER should have their root certificate directly
> included in Mozilla's root store then please provide the information listed
> here:
> https://wiki.mozilla.org/CA/Information_Checklist

Hi Kathleen, 

As you mentioned, NAVER BUSINESS PLATFORM has uploaded the CA_Information Checklist according to https://wiki.mozilla.org/CA/Information_Checklist. The English CPS has also been attached to this thread. It would be appreciated if you could check our CA Information and CPS and then let me know the next steps to proceed.
Acknowledging receipt of the information. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process:
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-initial] -- Insufficient information → [ca-verifying]
Attached file naverrca1.crt
The attached document shows the information that has been verified for this request. Search the document for the word "NEED" to find where clarification or further information or testing is needed.

Items of note:

- No revision table found in CPS

- Allowed CAA domains not listed in CPS

- Reasons to revoke a certificate do not align with section 4.9.1.1 of the BRs.

- Not clear in CPS that DNS name must be in SAN.

- CPS needs to document cert validity periods, and be aligned with the current BRs.

- CPS unclear about CA providing key pairs for SSL certs.

- Unclear why NAVER needs to be directly included in a root store, rather than cross-signed by an already-included CA. The justification appears to be for their portal... If a CA controls all the domains that use their root certificate, then they probably do not meet the criteria for inclusion in Mozilla's root store. 

- Test websites did not work as expected.

- Revocation check errors, including "Certificate status is 'Good' expecting 'Unknown'"

- This root is not found in crt.sh, so need to run the lint tests manually.

- The documentation in the CPS about the domain validation procedures is not informative enough to determine which of the allowed Domain Validation methods (per BR section 3.2.2.4) are used.
Whiteboard: [ca-verifying] → [ca-verifying] - KW Comment #8 2018-05-23
We updated screenshots on test website results.
Lint testing results on Root, Issuing CA, and subscriber certificates from the valid test website.
(In reply to Kathleen Wilson from comment #8)
> Created attachment 8980127 [details]
> 1404221-CA-Information-May23-2018.pdf
> 

Thanks for your comments, Kathleen.

We, NAVER BUSINESS PLATFORM, are currently updating our CPS and the revised one will be published within a few weeks. We would like to express our compliance with the CA/Browser Forum BRs and Mozilla Policy. Please review our responses to your comments.

- No revision table found in CPS
There is no revision table in 'NAVER BUSINESS PLATFORM Certification Practice Statement_EN.PDF' since the document was the initial version. The CPS we are updating will have a revision table.

- Allowed CAA domains not listed in CPS
We have established procedures to check whether a requesting domain has its CAA domain(s). NAVER BUSINESS PLATFORM plans to register NBP's CAA domain once we have access to the CCADB, after our Root certificate is included in Mozilla and/or Microsoft products.

- Reasons to revoke a certificate do not align with section 4.9.1.1 of the BRs.
We are able to revoke a certificate within 24 hours if any of the reasons listed in section 4.9.1.1 of the CA/Browser Forum BRs applies, as follows.
1. The Subscriber requests in writing that the CA revoke the Certificate;
2. The Subscriber notifies the CA that the original certificate request was not authorized and does not retroactively grant authorization;
3. The CA obtains evidence that the Subscriber’s Private Key corresponding to the Public Key in the Certificate suffered a Key Compromise or no longer complies with the requirements of Sections 6.1.5 and 6.1.6;
4. The CA obtains evidence that the Certificate was misused;
5. The CA is made aware that a Subscriber has violated one or more of its material obligations under the Subscriber Agreement or Terms of Use;
6. The CA is made aware of any circumstance indicating that use of a Fully-Qualified Domain Name or IP address in the Certificate is no longer legally permitted (e.g. a court or arbitrator has revoked a Domain Name Registrant's right to use the Domain Name, a relevant licensing or services agreement between the Domain Name Registrant and the Applicant has terminated, or the Domain Name Registrant has failed to renew the Domain Name);
7. The CA is made aware that a Wildcard Certificate has been used to authenticate a fraudulently misleading subordinate Fully-Qualified Domain Name;
8. The CA is made aware of a material change in the information contained in the Certificate;
9. The CA is made aware that the Certificate was not issued in accordance with these Requirements or the CA’s Certificate Policy or Certification Practice Statement;
10. The CA determines that any of the information appearing in the Certificate is inaccurate or misleading;
11. The CA ceases operations for any reason and has not made arrangements for another CA to provide revocation support for the Certificate;
12. The CA’s right to issue Certificates under these Requirements expires or is revoked or terminated, unless the CA has made arrangements to continue maintaining the CRL/OCSP Repository;
13. The CA is made aware of a possible compromise of the Private Key of the Subordinate CA used for issuing the Certificate;
14. Revocation is required by the CA’s Certificate Policy and/or Certification Practice Statement; or
15. The technical content or format of the Certificate presents an unacceptable risk to Application Software Suppliers or Relying Parties (e.g. the CA/Browser Forum might determine that a deprecated cryptographic/signature algorithm or key size presents an unacceptable risk and that such Certificates should be revoked and replaced by CAs within a given period of time).


- Not clear in CPS that DNS name must be in SAN.
Test pages prove that NBP CA issues certificates whose DNS name is in SAN. A DNS name in SAN is described in the CPS we’re updating.

- CPS needs to document cert validity periods, and be aligned with the current BRs.
In section 6.3.2, a subscriber certificate's validity is 1 year or 2 years. This means no certificate validity exceeds 825 days.

- CPS unclear about CA providing key pairs for SSL certs.
NBP CA does not generate any subscriber key pairs for SSL certificates.

- Unclear why NAVER needs to be directly included in a root store, rather than cross-signed by an already-included CA. The justification appears to be for their portal... If a CA controls all the domains that use their root certificate, then they probably do not meet the criteria for inclusion in Mozilla's root store. 
The NAVER Global Root CA is run by NAVER BUSINESS PLATFORM. NAVER secure CA is a commercial CA that will issue SSL certificates to customers from around the world. Customers of NAVER secure CA are the general public. The certification services will be provided to users of NAVER portal services first, but would be expanded externally after the Root certificate's inclusion in Mozilla products.

- Test websites did not work as expected.
We patched the bug. Please find attached the screenshots showing it works correctly.

- Revocation check errors, including "Certificate status is 'Good' expecting 'Unknown'"
We patched the bug. 
https://certificate.revocationcheck.com/test1-certificate.naver.com


- This root is not found in crt.sh, so need to run the lint tests manually.
We attached a document with manual lint-test results for the root, issuing CA and subscriber certificates. Please see the NBP Lint Test Results Report.


- The documentation in the CPS about the domain validation procedures is not informative enough to determine which of the allowed Domain Validation methods (per BR section 3.2.2.4) are used.
Our domain validation procedures comply with section 3.2.2.4.2 (Email, Fax, SMS, or Postal Mail to Domain Contact) of the CA/Browser Forum BRs. We receive a confirming response utilizing the Random Value. The Random Value MUST be sent to an email address identified as a Domain Contact. The Random Value SHALL be unique in each email. The Random Value SHALL remain valid for use in a confirming response for no more than 30 days from its creation.
(In reply to Han Yong, Park from comment #11)
> (In reply to Kathleen Wilson from comment #8)
> > Created attachment 8980127 [details]
> > 1404221-CA-Information-May23-2018.pdf
> > 
> 
> Thanks for your comments, Kathleen.
> 
> We, NAVER BUSINESS PLATFORM, are currently updating our CPS and the revised
> one will be published within a few weeks. We would like to express our
> compliance with CA/Browser Forum BRs and Mozilla Policy. Please review our
> response to your comments.
> 

Please add a comment to this bug when your updated CPS is available in English and on your website.
https://certificate.naver.com/bbs/initCrtfcJob.do
I'm still seeing errors here:
https://certificate.revocationcheck.com/test-certificate.naver.com

And the CA's BR Self Assessment (https://wiki.mozilla.org/CA/BR_Self-Assessment#Template) needs to be attached to this Bugzilla Bug.
(In reply to Kathleen Wilson from comment #12)
> (In reply to Han Yong, Park from comment #11)
> > (In reply to Kathleen Wilson from comment #8)
> > > Created attachment 8980127 [details]
> > > 1404221-CA-Information-May23-2018.pdf
> > > 
> > 
> > Thanks for your comments, Kathleen.
> > 
> > We, NAVER BUSINESS PLATFORM, are currently updating our CPS and the revised
> > one will be published within a few weeks. We would like to express our
> > compliance with CA/Browser Forum BRs and Mozilla Policy. Please review our
> > response to your comments.
> > 
> 
> Please add a comment to this bug when your updated CPS is available in
> English and on your website.
> https://certificate.naver.com/bbs/initCrtfcJob.do

 

We, NAVER BUSINESS PLATFORM, have revised our CPS in English and the document is downloadable through the link below.

https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b1f69d146f7f42109b3768099d821653.pdf&atch_real_file_nm=NBP_CPS_v1.1_EN.pdf
(In reply to Kathleen Wilson from comment #13)
> I'm still seeing errors here:
> https://certificate.revocationcheck.com/test-certificate.naver.com
> 
> And the CA's BR Self Assessment
> (https://wiki.mozilla.org/CA/BR_Self-Assessment#Template) needs to be
> attached to this Bugzilla Bug.

We have issued the relevant CRLs, so the bug has been fixed. NBP CA updates CRLs automatically every day according to section 2.3 of the CPS. I am writing the BR Self-Assessment document based on the revised NBP CPS v1.1 and will upload it soon.
The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261

In particular:

1) Attach BR Self Assessment (https://wiki.mozilla.org/CA/BR_Self-Assessment) to this bug.

2) See https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
NEED: CPS updated to make it clear that domain name goes in SAN. If CN is used, the domain in the CN must also be in the SAN.
CPS section 3.1.2 says: "The domain name to be included in the CN *or* SAN."
and Appendix A, certificate profiles, does not mention SAN.

3) NEED to resolve all errors: 
https://certificate.revocationcheck.com/test-certificate.naver.com 
- ERROR: Response expired 1206h9m32s ago 
http://rca.navercorp.com/arl/Arl1Dp1.crl 
This update: Aug 19, 2018 9:00:00 AM 
Next update: Sep 18, 2018 9:00:00 AM
QA Contact: kwilson
Whiteboard: [ca-verifying] - KW Comment #8 2018-05-23 → [ca-verifying] - KW Comment #16 2018-11-07
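The three mechanical checks raised in this thread (a DNS name must appear as a dNSName in subjectAltName, and a CN must also be in the SAN; subscriber validity must not exceed 825 days; a CRL whose nextUpdate has passed is an expired revocation response) can be scripted against the DER of the test certificates and CRL. The following is an added example written by the editor, not NAVER's code nor Mozilla's or revocationcheck.com's tooling. It uses only Go's standard crypto/x509 package (Go 1.19 or later for x509.ParseRevocationList) and constructs its own throwaway issuer, leaf certificates and CRL so that it runs offline; the issuer name "Example Test Issuing CA" and host names such as www.example.test are made-up placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// MaxLeafValidity is the 825-day subscriber certificate limit cited in this thread.
const MaxLeafValidity = 825 * 24 * time.Hour

// CheckLeaf returns one finding per problem: no dNSName in subjectAltName, a CN
// not repeated in subjectAltName, or validity beyond MaxLeafValidity.
func CheckLeaf(c *x509.Certificate) []string {
	var findings []string
	if len(c.DNSNames) == 0 {
		findings = append(findings, "subjectAltName carries no dNSName")
	}
	if cn := c.Subject.CommonName; cn != "" {
		inSAN := false
		for _, d := range c.DNSNames {
			inSAN = inSAN || d == cn
		}
		if !inSAN {
			findings = append(findings, fmt.Sprintf("CN %q is not present in subjectAltName", cn))
		}
	}
	if life := c.NotAfter.Sub(c.NotBefore); life > MaxLeafValidity {
		findings = append(findings, fmt.Sprintf("validity of %.0f days exceeds 825 days", life.Hours()/24))
	}
	return findings
}

// CheckCRL reports a CRL whose nextUpdate has already passed at now, the condition
// behind a "Response expired ... ago" error from a revocation checker.
func CheckCRL(rl *x509.RevocationList, now time.Time) []string {
	if now.After(rl.NextUpdate) {
		return []string{fmt.Sprintf("CRL expired %s ago (nextUpdate %s)",
			now.Sub(rl.NextUpdate).Round(time.Minute), rl.NextUpdate.Format(time.RFC3339))}
	}
	return nil
}

// must panics on error: the fixtures below are constructed test data, so a failure is a bug here.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// ca and caKey are a throwaway self-signed issuer, constructed once for this example.
var ca, caKey = newIssuerCA()

func newIssuerCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test Issuing CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // crlSign needed to sign CRLs
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key // re-parsed so SubjectKeyId is populated
}

// MakeLeaf issues a server certificate with the given CN, SAN dNSNames and lifetime,
// re-parsed from DER so the checks see the encoded fields rather than the template.
func MakeLeaf(cn string, sans []string, life time.Duration) *x509.Certificate {
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now().UTC().Truncate(time.Second) // X.509 times have second precision
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    now,
		NotAfter:     now.Add(life),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}

// MakeCRL signs an empty CRL with the given update window and re-parses it.
func MakeCRL(thisUpdate, nextUpdate time.Time) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: thisUpdate, NextUpdate: nextUpdate}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))
	return must(x509.ParseRevocationList(der))
}
```

CheckLeaf(MakeLeaf("www.example.test", []string{"example.test"}, 3*365*24*time.Hour)) returns two findings (CN missing from the SAN, validity over 825 days), while a leaf whose CN is repeated in the SAN and lives one year returns none; CheckCRL on a CRL whose nextUpdate is an hour in the past returns one finding. To run the same checks on real artifacts, replace MakeLeaf and MakeCRL with x509.ParseCertificate over the DER served by the test site and x509.ParseRevocationList over the CRL fetched from the distribution point.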

Thanks for your comments.

  1. NEED: CPS updated to make it clear that domain name goes in SAN.

We have updated our CPS to make it clear. Please see section 3.1.2 of our revised CPS.
3.1.2 Need for Names to be Meaningful
The NAVER BUSINESS PLATFORM puts meaningful names in both the subjectDN and the issuerDN extensions of Certificates.

You can find the SAN extension in APPENDIX A: CERTIFICATE PROFILES of the CPS.

CPS url: https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=26d336c969414668a4dd177914b396d8.pdf&atch_real_file_nm=NBP_CPS_V1.3_ENGLISH.pdf

(In reply to Kathleen Wilson from comment #16)
> The link below shows the CA information that has been verified. Search in
> the page for the word "NEED" to see where further clarification is requested.
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
>
> In particular:
>
> 1) Attach BR Self Assessment (https://wiki.mozilla.org/CA/BR_Self-Assessment) to this bug.
>
> 2) See https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#DNS_names_go_in_SAN
> NEED: CPS updated to make it clear that domain name goes in SAN. If CN is
> used, the domain in the CN must also be in the SAN.
> CPS section 3.1.2 says: "The domain name to be included in the CN or SAN."
> and Appendix A, certificate profiles, does not mention SAN.
>
> 3) NEED to resolve all errors:
> https://certificate.revocationcheck.com/test-certificate.naver.com

  1. NEED to resolve all errors

We have resolved all errors you mentioned before.
https://certificate.revocationcheck.com/test-certificate.naver.com

(In reply to Kathleen Wilson from comment #16)
> 3) NEED to resolve all errors:
> https://certificate.revocationcheck.com/test-certificate.naver.com

I attached the BR Self Assessment on our current CPS. Please review the document to proceed.

(In reply to Kathleen Wilson from comment #16)
> The link below shows the CA information that has been verified. Search in
> the page for the word "NEED" to see where further clarification is requested.
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
>
> In particular:
>
> 1) Attach BR Self Assessment (https://wiki.mozilla.org/CA/BR_Self-Assessment) to this bug.

The information for this root inclusion request is available at the following URL.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261

This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
so assigning this bug to Wayne.

There is a queue waiting for detailed CP/CPS reviews:

https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review

It takes significant time and concentration to do a detailed CP/CPS review, so please be patient. In the meantime, I recommend looking at the results of the detailed CP/CPS reviews that have been previously completed.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

Assignee: kwilson → wthayer
Whiteboard: [ca-verifying] - KW Comment #16 2018-11-07 → [ca-cps-review] - KW 2019-05-16

(In reply to Kathleen Wilson from comment #20)
> The information for this root inclusion request is available at the following URL.
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
>
> This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview
> so assigning this bug to Wayne.

Hello Kathleen and Wayne,
We have been waiting for the detailed CPS review for 2 months. Could you let me know when we will know the review results?

I am the only person performing these reviews, and I currently have a large backlog: https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review

Sorting by the date that the request entered my queue, yours is behind 6 others. I would estimate that it will be another 3-6 months before I am able to review it.

Assignee: wthayer → ryan.sleevi

We, NBP, have attached the new CPS v1.4, updated in November 2019. Please use this document for the CPS review. You can download the CPS from the official repository.

https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=447cd9dda18f4cc684196618bda68245.pdf&atch_real_file_nm=NBP_CPS_V1.4_ENGLISH.pdf

Attachment #8950830 - Attachment is obsolete: true