Open Bug 1449941 Opened 2 years ago Updated 2 years ago

Add "Fina Root CA" root certificate


(NSS :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: pma, Assigned: kwilson)


(Whiteboard: [ca-verifying] - KW Comment #2 2018-08-17)


(2 files)

40.39 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
157.36 KB, application/pdf
No description provided.
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process:

In the meantime, please attach your completed BR Self Assessment to this bug.
Ever confirmed: true
Whiteboard: [ca-verifying] - Need BR Self Assessment
Attached is the information that has been verified for this request. Within the document search for "NEED" to find where further information is needed from the CA.

In particular:

1) The Audit Statements do not properly specify the audit period start and end dates, and the SHA-256 fingerprints of each root and intermediate certificate that was in scope.

Audit period is NOT the same as the dates that the audit was performed.
Sections 3.1.3 and 3.1.4 of
Audit Period: In a period-of-time audit, the period between the first day (start) and the last day of operations (end) covered by the auditors in their engagement. (This is not the same as the period of time when the auditors are on-site at the CA.) The coverage rules and maximum length of audit periods are defined in section 8.1.

2) If requesting the Email (S/MIME) trust bit, then the CP and/or CPS must explain how the CA confirms that the certificate requester owns/controls the email address to be included in the certificate.
Furthermore, In the Qualified and Non-Qualified CP/CPS documents, section 3.2.4 says that e-mail address is not verified. 

3) Need the URLs to the 3 test websites as per section 2.2 of the CA/Browser Forum's Baseline Requirements: "At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i)valid, (ii) revoked, and (iii) expired."

4) Provide Test Results for
-- Revocation testing:
-- BR Lint Test:
-- X.509 Lint Test:

5) Attach your CA's BR Self Assessment to this bug
Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - KW Comment #2 2018-08-17
You need to log in before you can comment on or make changes to this bug.