Add Fina Root CA certificate
Categories
(CA Program :: CA Certificate Root Program, task, P4)
Tracking
(Not tracked)
People
(Reporter: pma, Assigned: bwilson)
Details
(Whiteboard: [ca-verifying])
Attachments
(3 files)
No description provided.
|
||
Comment 1•6 years ago
|
||
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process: https://wiki.mozilla.org/CA/Application_Process#Process_Overview In the meantime, please attach your completed BR Self Assessment to this bug. https://wiki.mozilla.org/CA/BR_Self-Assessment
|
|
||
Comment 2•6 years ago
|
||
Attached is the information that has been verified for this request. Within the document search for "NEED" to find where further information is needed from the CA. In particular: 1) The Audit Statements do not properly specify the audit period start and end dates, and the SHA-256 fingerprints of each root and intermediate certificate that was in scope. Audit period is NOT the same as the dates that the audit was performed. Reference: Sections 3.1.3 and 3.1.4 of https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/ and https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.0.pdf Audit Period: In a period-of-time audit, the period between the first day (start) and the last day of operations (end) covered by the auditors in their engagement. (This is not the same as the period of time when the auditors are on-site at the CA.) The coverage rules and maximum length of audit periods are defined in section 8.1. 2) If requesting the Email (S/MIME) trust bit, then the CP and/or CPS must explain how the CA confirms that the certificate requester owns/controls the email address to be included in the certificate. https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control Furthermore, In the Qualified and Non-Qualified CP/CPS documents, section 3.2.4 says that e-mail address is not verified. 3) Need the URLs to the 3 test websites as per section 2.2 of the CA/Browser Forum's Baseline Requirements: "At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i)valid, (ii) revoked, and (iii) expired." 4) Provide Test Results for -- Revocation testing: http://certificate.revocationcheck.com/ -- BR Lint Test: https://github.com/awslabs/certlint -- X.509 Lint Test: https://github.com/kroeckx/x509lint 5) Attach your CA's BR Self Assessment to this bug https://wiki.mozilla.org/CA/BR_Self-Assessment
|
|
||
Updated•6 years ago
|
|
Assignee | |
Comment 3•4 years ago
|
||
The documentation supporting your application for root inclusion appears to be out of date and needs to be updated. The most current CP/CPS that we have is version 2.4, published June 10, 2019, and the most recent audit is dated June 24, 2019.
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 4•4 years ago
|
||
Also, CA needs to provision three test websites equipped with certificates - one valid, one expired, and one revoked.
If requesting enablement of the email trust bit, then CPS needs to describe how CA will verify the email address with a challenge-response mechanism.
|
|
Assignee | |
Comment 5•4 years ago
|
||
The CA has provided the three test websites (verified) and their current CP/CPS (needs review). The ETSI accreditations on Fina's website have a date of 27/06/2019 (outdated) and do not include the SHA2 hash of the CA certificates and are not hosted on the Bureau Veritas website, as required. The CA will need to remediate this issue before we can proceed with our review.
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 6•3 years ago
|
||
Sent email to CA re: still waiting for updated attestation letter accessible from Bureau Veritas website.
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Comment 7•3 years ago
|
||
In correspondence with Bureau Veritas regarding ALV processing, there was an issue with the audit dates in a table format that could not be processed by the ALV, so they are fixing the format of the attestation letter.
|
|
Assignee | |
Comment 8•3 years ago
|
||
Do you have an estimate for when you'll be posting an updated CP and CPS to your repository?
https://www.fina.hr/en/legislation-documents-and-conformance-certificates
Are the last CP and CPS from 25 September 2020 (version 1.6)?
While updating your CP and CPS, please complete and submit the Compliance Self-Assessment - see https://wiki.mozilla.org/CA/Compliance_Self-Assessment and the template, here: https://docs.google.com/spreadsheets/d/1ExZE6PWIBM8rV9c6p6fFxOWmZyvf6X4ucMQRv7usHEk
|
|
Assignee | |
Updated•3 years ago
|
|
||
Comment 9•3 years ago
|
||
(In reply to Ben Wilson from comment #8)
Do you have an estimate for when you'll be posting an updated CP and CPS to your repository?
https://www.fina.hr/en/legislation-documents-and-conformance-certificates
Are the last CP and CPS from 25 September 2020 (version 1.6)?
While updating your CP and CPS, please complete and submit the Compliance Self-Assessment - see https://wiki.mozilla.org/CA/Compliance_Self-Assessment and the template, here: https://docs.google.com/spreadsheets/d/1ExZE6PWIBM8rV9c6p6fFxOWmZyvf6X4ucMQRv7usHEk
On September 24, 2021 in in our repository https://www.fina.hr/en/legislation-documents-and-conformance-certificates we have published new versions of CP and CPS documents for OVCP certificates (Certificates for Website Authentication), version 1.7, effective date 25 September 2021 . Before that the last version of the documents was 1.6 from 25 September 2020.
We plan to conduct the compliance self-assessment during this week and send you the completed form in early October.
|
|
Assignee | |
Comment 10•2 years ago
|
||
Still awaiting the Compliance Self-Assessment document.
|
||
Comment 11•2 years ago
|
||
Redirect a needinfo that is pending on an inactive user to the triage owner.
:kwilson, since the bug has recent activity, could you have a look please?
For more information, please visit auto_nag documentation.
|
|
||
Comment 12•2 years ago
|
||
We are working on Compliance Self-Assessment document that includes BR v. 1.8.3 and Mozilla Root Store Policy v. 2.8 and we are close to its completion. We plan to send Completed Compliance Self-Assessment form within one day.
In the past, we have been very busy on other projects so that's the reason for this delay.
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 13•2 years ago
|
||
This Excel file contains Fina's compliance self-assessment and my review of the Fina CPS, version 1.7.
|
|
Assignee | |
Comment 14•2 years ago
|
||
Fina will now need to submit a Value vs. Risk Justification - https://wiki.mozilla.org/CA/Quantifying_Value
See https://bugzilla.mozilla.org/attachment.cgi?id=9284547, https://bugzilla.mozilla.org/attachment.cgi?id=9270080, and https://bugzilla.mozilla.org/attachment.cgi?id=9226817 as examples.
|
|
Assignee | |
Comment 15•2 years ago
•
|
||
Additionally, Fina needs test websites with certificates that reference smaller CRLs. The current one is > 6MB and takes too long to download.
|
|
Assignee | |
Comment 16•2 years ago
|
||
To proceed, I need:
1 - CPS that describes the email verification process for the issuance of SMIME certificates
2 - Changes to the Fina OCSP responder so that it doesn't send unnecessary CA certificates as part of the OCSP response (https://certificate.revocationcheck.com/testsslvalid.fina.hr gives error "Valid signature but response includes an unnecessary certificate chain"
3 - Resolution of issues identified by https://cachecker-dot-ccadb-231121.appspot.com
4 - Updates to CPS based on review of compliance self assessment (Comment 13)
5 - Value justification (Comment 14)
|
|
Assignee | |
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
Assignee | |
Comment 17•1 year ago
|
||
Applicant also needs to update its root information with an "Add/Update Root Request" in the CCADB (including information about root CA key generation).
Description
•