Open Bug 1454977 Opened 3 years ago Updated 1 month ago

Add ACIN Global Trusted Sign root certificate

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: info, Assigned: bwilson, NeedInfo)

Details

(Whiteboard: [ca-verifying] - BW 2020-07-30 Comment #30)

Attachments

(11 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

We have implemented a new PKI with our own Root and SubCA


Actual results:

In August 2017 we were audited by APCER and GNS and have been successfully certified.
At this moment we are already on the EU Trusted List - https://webgate.ec.europa.eu/tl-browser/#/tl/PT/0


Expected results:

To have our root included and recognized in your browser.
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process:
https://wiki.mozilla.org/CA/Application_Process#Process_Overview

In the meantime, please attach your completed BR Self Assessment to this bug.
https://wiki.mozilla.org/CA/BR_Self-Assessment

And provide all of the information listed here:
https://wiki.mozilla.org/CA/Information_Checklist
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-verifying] - Need BR Self Assessment

The status of this request is that we are waiting for the representative of the CA to provide the required information.
https://wiki.mozilla.org/CA/Information_Checklist#Example_and_Template

QA Contact: kwilson

As requested, the BR requirements assessment is attached.

I am not finding this CA in the Common CA Database (CCADB), so please fill out the Application for CCADB Access form here:
https://ccadb.org/cas/request-access#application-for-ccadb-access

Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - CA is new to CCADB

Thank you for filling in the CCADB Access form. You will receive email when the CCADB CA Community License is issued to you.

Then please create a Root Inclusion Case in the CCADB as described here:
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case

Hi,
We submitted the form on 11-06 but until now we haven't received a submission confirmation or the License. How long does the license take? Should we submit the form again, just in case?
Best regards.

It appears that a license for this user was created on the same day. I just sent a password reset email - please check your bulk mail folder.

We just submitted the Root Inclusion Case as requested.

Hi,
We just noticed that our audit letter is coming to an end, and we have already asked APCER to send us a new one. We have the renewal process, which we attach here, but it is in English; can we submit to the CCADB the original audit letter in Portuguese and a translated paper, or do we need to wait until the new audit letter arrives to submit?

The link below shows the CA information that needs to be provided and verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000463

To start with:

  1. NEED: Full audit history for both root certificates. All audit statements must list the SHA256 thumbprints for all of the root and intermediate certificates that were in scope of the audit, and must meet the requirements of Mozilla's Root Store Policy
    NEED: All audit statements must meet the requirements of sections 3.1.3 and 3.1.4 of Mozilla's Root Store Policy:
    https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

  2. NEED: Documents to be taken into consideration must be provided in English and as PDF.
    This CP URL does not seem to work:
    https://pki.globaltrustedsign.com/index.php/home_c/download/PL11_EN
    NEED DP02 in English
    https://pki.globaltrustedsign.com/index.php/home_c/download/DP02

  3. CP/CPS Structured According to RFC 3647
    NEED: CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, effective 31 May 2018.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
    CAA Domains listed in CP/CPS: NEED: CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
    Long-lived Certificates: 1 to 3 years, it will be revised as soon as possible.
    NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Long-lived_Certificates
    Non-Standard Email Address Prefixes for Domain Ownership Validation: This will be revised to be explicit and added to DP02 13.3
    NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Non-Standard_Email_Address_Prefixes_for_Domain_Ownership_Validation

  4. NEED: Add existing intermediate certificates to the CCADB, as described here:
    https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data

  5. NEED: URLs to the three test websites (valid, revoked, expired) whose TLS certs chain up to this root certificate. This is required per section 2.2 of the CA/Browser Forum Baseline Requirements. NEED: If you are requesting EV treatment, then the TLS cert for each test website must be EV.
    NEED: Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.
    NEED: If EV treatment is being requested, then provide successful output from EV Testing as described here https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

Whiteboard: [ca-verifying] - CA is new to CCADB → [ca-verifying] - KW 2019-09-17 - Comment #12
Summary: Add Global Trusted Sign root certificate → Add ACIN Global Trusted Sign root certificate

Hi,
We are still waiting for APCER to issue the new audit statements; as soon as we receive them we will send them to you.
In the CCADB we have already submitted the PEM info about the Root certificate and the SubCA certificate; you can check the certificates using the following URLs:
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA

CP/CPS
https://pki.globaltrustedsign.com/index.php/home_c/download/PL11
https://pki.globaltrustedsign.com/index.php/home_c/download/DP02

We will be updating the topic as soon as we have the other information requested.

Best Regards.

(In reply to GTS from comment #13)

In the CCADB we have already submitted the PEM info about the Root certificate and the SubCA certificate; you can check the certificates using the following URLs:
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA

I see...

This request is for the inclusion of the "Global Trusted Sign Root Certification Authority 01" root certificate which has one subordinate CA, "Global Trusted Sign Certification Authority 01".

I will move the information for the subordinate CA to an intermediate certificate record in the CCADB, and then I will delete the extra root case that had been created with the subCA information.

We will be updating the topic as soon as we have the other information requested.

Please add a comment to this bug when all of the information requested in Comment #12 has been provided.

Whiteboard: [ca-verifying] - KW 2019-09-17 - Comment #12 → [ca-verifying] - KW 2019-10-14 - Comment #14

Hi,
we sent you the document that was missing from the original request.
If you need more information, please contact us.

Regards

(In reply to GTS from comment #15)

Created attachment 9104912 [details]
I1002_v2_EN_Audit letter eIDAS_SSL_10_2019.pdf

This audit statement appears to only be for the subordinate CA, and does not appear to meet Mozilla's requirements.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#31-audits

We need the full history of audit statements for the root and intermediate cert, as per
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

And those audit statements must contain the information listed here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information

we sent you the document that was missing from the original request.
If you need more information, please contact us.

Please add a comment to this bug to reply to all of the items listed in Comment #12.

Also note that I ran some tests:

Revocation Tested: https://certificate.revocationcheck.com/gtsvalid.pt
http://ocsp.globaltrustedsign.com/ (GET)
Unexpected HTTP response: 400
ERROR: OCSP signing certificate does not contain the OCSP No Check extension
ERROR: Content-Type in response is not set to 'application/ocsp-response' but to 'application/ocsp-response;charset=UTF8'

Lint Tested: I ran https://crt.sh/lintcert on the SSL cert for https://gtsvalid.pt/ which resulted in these errors:
cablint ERROR BR certificates with CRL Distribution Point must include HTTP URL
zlint ERROR Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service
The CRL URL in the cert is https://pki.globaltrustedsign.com/subca/gts_subca_crl.crl but section 7.1.2.3 of the BRs requires it to be http and not https.

EV Tested: https://tls-observatory.services.mozilla.com/static/ev-checker.html
https://gtsvalid.pt/
1.3.6.1.4.1.50302.1.1.2.2.1.0
exit status 1, Stderr: GetFirstEVPolicyForCert failed: SEC_ERROR_EXTENSION_NOT_FOUND This may mean that the specified EV Policy OID was not found in the end-entity certificate.

Whiteboard: [ca-verifying] - KW 2019-10-14 - Comment #14 → [ca-verifying] - KW 2019-11-04 - Comment #16
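The four findings in the comment above (a CRL Distribution Point that is HTTPS instead of HTTP, an OCSP responder certificate without the OCSP No Check extension, an OCSP Content-Type with an extra charset parameter, and an end-entity certificate that does not carry the requested EV policy OID) are all mechanical checks that a CA can run on its own certificates before asking a root program to test them. The Go program below is an added example and is not code from Mozilla, the CA, or the revocationcheck/crt.sh/ev-checker tools named in the thread. It builds a throwaway self-signed certificate in memory (a constructed sample with placeholder names and URLs, not the CA's actual certificate) and runs the same four checks against it with the standard library only. The EV policy OID is the one quoted in the ev-checker run; the other OIDs are the standard PKIX values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"mime"
	"strings"
	"time"
)

var (
	oidCertificatePolicies = asn1.ObjectIdentifier{2, 5, 29, 32}                   // RFC 5280 4.2.1.4
	oidOCSPNoCheck         = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5} // RFC 6960 4.2.2.2.1
	oidGTSEVPolicy         = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 50302, 1, 1, 2, 2, 1, 0} // from the ev-checker run above
)

// checkCRLDistributionPoints reproduces the cablint/zlint finding: BR 7.1.2.3 requires an HTTP (not HTTPS) CRL URL.
func checkCRLDistributionPoints(cert *x509.Certificate) []string {
	var findings []string
	hasHTTP := false
	for _, u := range cert.CRLDistributionPoints {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			hasHTTP = true
		} else {
			findings = append(findings, "CRL URL is not plain HTTP: "+u)
		}
	}
	if !hasHTTP {
		findings = append(findings, "cRLDistributionPoints must contain an HTTP URL")
	}
	return findings
}

// hasEVPolicy is the check behind SEC_ERROR_EXTENSION_NOT_FOUND: the EV OID must be present in certificatePolicies.
func hasEVPolicy(cert *x509.Certificate, oid asn1.ObjectIdentifier) bool {
	for _, p := range cert.PolicyIdentifiers {
		if p.Equal(oid) {
			return true
		}
	}
	return false
}

// hasOCSPNoCheck looks for id-pkix-ocsp-nocheck on a responder certificate, the extension the revocation test found missing.
func hasOCSPNoCheck(cert *x509.Certificate) bool {
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidOCSPNoCheck) {
			return true
		}
	}
	return false
}

// checkOCSPContentType is the strict comparison the revocation test applied: exactly "application/ocsp-response", no parameters.
func checkOCSPContentType(header string) bool {
	mediaType, params, err := mime.ParseMediaType(header)
	return err == nil && mediaType == "application/ocsp-response" && len(params) == 0
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeTestCert builds a throwaway self-signed certificate (constructed sample, not the CA's) so the checks run offline.
func makeTestCert(crlURLs []string, policy asn1.ObjectIdentifier, ocspNoCheck bool) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example.test"}, // placeholder name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		CRLDistributionPoints: crlURLs,
	}
	if policy != nil { // written as a raw certificatePolicies extension so parsing fills PolicyIdentifiers on every Go version
		type policyInformation struct{ Policy asn1.ObjectIdentifier }
		val := must(asn1.Marshal([]policyInformation{{Policy: policy}}))
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidCertificatePolicies, Value: val})
	}
	if ocspNoCheck { // id-pkix-ocsp-nocheck carries an ASN.1 NULL value (DER bytes 05 00)
		tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, pkix.Extension{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}})
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

func main() {
	cert := makeTestCert([]string{"https://pki.example.test/subca.crl"}, nil, false) // mirrors the thread's findings
	fmt.Println("CRL findings:", checkCRLDistributionPoints(cert))
	fmt.Println("EV policy present:", hasEVPolicy(cert, oidGTSEVPolicy))
	fmt.Println("OCSP Content-Type OK:", checkOCSPContentType("application/ocsp-response;charset=UTF8"))
}
```

To run the same checks on a real certificate, replace makeTestCert with x509.ParseCertificate over the DER bytes of the leaf (for the CRL and EV checks) or of the OCSP responder certificate (for the No Check check), and feed the responder's actual Content-Type header to checkOCSPContentType. Note that the Content-Type check is deliberately as strict as the online tool was: a charset parameter is harmless to most clients, but it is a deviation from RFC 6960 Appendix A that automated testers report, so it is cheaper to fix than to argue about.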

Comment #12
Hi,
We are submitting the new audit letter for your evaluation.

Best Regards

Hi,
we are still waiting for your feedback about the audit letter.
Best Regards.

We have not yet submitted this year's Audit letter because the audit has been postponed to July due to the COVID-19 crisis. Therefore, and in light of this attenuating circumstance, we ask if it is possible to proceed with the process, and then we will submit the Audit letter after the July audit.

Attached file ACIN TSP_Request.pdf

Hi,
we are submitting a new audit letter, which will replace all previous versions. Therefore we ask you to validate the new one for our PKI.
We kindly remind you that we are a trusted European certificate authority, and that we require this approval from Mozilla in order to conduct business.

Hope to hear from you soon.

Regards

(In reply to GTS from comment #20)

Created attachment 9159373 [details]
ACIN TSP_Request.pdf

Hi,
we are submitting a new audit letter, which will replace all previous versions. Therefore we ask you to validate the new one for our PKI.
We kindly remind you that we are a trusted European certificate authority (https://webgate.ec.europa.eu/tl-browser/#/tl/PT/7), and that we require this approval from Mozilla in order to conduct business.

Hope to hear from you soon.

Regards

Hi,
we are sending you this message to know how the whole process of our admission is going.

Looking forward to hearing from you

regards

Hi,
we are sending you this message to know how the whole process of our admission is going.

Looking forward to hearing from you

regards

(In reply to GTS from comment #23)

Hi,
we are sending you this message to know how the whole process of our admission is going.

Looking forward to hearing from you

regards

Hi,
we are sending you a message to know how the whole process of our admission is going.

Looking forward to hearing from you

regards

Hi Ryan,
Thanks for your reply.
we re-read the verification process again just to be sure that we had submitted all the information, and we did. We would like to know what stage the verification is at, to inform our administration.

Once again thank you for your time.
Regards

You are somewhere between Steps 1 and 2 of https://wiki.mozilla.org/CA/Application_Process

Hello again,
Just keeping the thread alive, while waiting for feedback.

Thank you for your time
Best Regards

Requesting information regarding: official company name, whether EV requested, period-of-time audit dates, and 2020 CPS.

Whiteboard: [ca-verifying] - KW 2019-11-04 - Comment #16 → [ca-verifying] - BW 2020-07-30 Comment #30

Still awaiting a response to Comment #30.

The CA's audit letter makes reference to "PL03_GTS_V4 – Website authentication EV Certificates Policy" but there is not a reference to compliance with the CA/B Forum's Extended Validation Guidelines. Do you still intend to pursue EV recognition with us?

Is the name of your company "ACIN-iCloud Solutions, Lda" or "ACIN iCloud Solutions S.A."? There appears to be a mismatch between the record in the CCADB and the audit letter.

The audit dates are not clearly period-of-time dates. In other words, it is currently required that the audit state the period of time (beginning and end) for which the audit covers. This is in addition to when the auditors were actually auditing your CA with onsite visits, which is what appears in the audit letter. Then there is the third date - the date of the audit report. The ALV processing had a difficult time with the date of the audit report. I don't think it appears in the text-readable part of the letter, but is only in the digital signatures of the auditors.
If you or your auditors need additional explanation of what is needed, please let me know and I will provide a more thorough explanation.

Also, we need an updated CPS because Mozilla requires that a new one be published at least every 12 months even if there are no substantive changes.

Flags: needinfo?(info)

Hi,
we changed our repository; here's the new address: https://pki.globaltrustedsign.com/.

We are currently fixing some issues regarding the external audit and estimate that we will get the new and valid audit letter in October.

As soon as we receive it we will send it to you, so that it can be validated by Mozilla.

Best Regards,

Flags: needinfo?(info)
Assignee: kwilson → bwilson

(In reply to Ben Wilson from comment #31)

Hello,
Sorry for the delay.
we submitted two documents, the audit letter and the report; we also updated our policies and they are placed at https://pki.globaltrustedsign.com/en.

Thank you for your time.
Best Regards

(In reply to GTS from comment #35)

we submitted two documents, the audit letter and the report; we also updated our policies and they are placed at https://pki.globaltrustedsign.com/en.
Which are the relevant policy documents that I should review for SSL/TLS certificate issuance?
I see several that are dated 2020/09/18, but nothing more recent.
Thanks.

(In reply to Ben Wilson from comment #36)
The documents related to the SSL/TLS certificates are "2020/11/05 - Certificate Policies for SSL OV v6.0.0" and "2020/11/05 - Certificate Policies for SSL EV v6.0.0".

Here are the links:
https://pki.globaltrustedsign.com/storage/docs/en/PL04_GTS.pdf
https://pki.globaltrustedsign.com/storage/docs/en/PL03_GTS.pdf

Let us know if you need something else, thanks for your time
Regards

Hello again,
Just keeping the thread alive, while waiting for feedback.

Thank you for your time
Best Regards

Flags: needinfo?(bwilson)

Hello again,
Just keeping the thread alive, while waiting for feedback.

Thank you for your time
Best Regards

Hello again,
Just keeping the thread alive, while waiting for feedback.

Thank you for your time
Best Regards and happy new year

Here are some comments based on my review today:
1 - The certificates for the test websites (gtsvalid.pt and gtsrevoked.pt) have expired (9/20/2020);
2 - The CP/CPS are not in the format required by RFC 3647;
3 - The audit/attestation letter from Bureau Veritas is not downloadable from the Bureau Veritas website; and
4 - The audit/attestation letter also fails the Automated Letter Validation (ALV) processing.

Flags: needinfo?(bwilson)

(In reply to Ben Wilson from comment #41)

Here are some comments based on my review today:
1 - The certificates for the test websites (gtsvalid.pt and gtsrevoked.pt) have expired (9/20/2020);
2 - The CP/CPS are not in the format required by RFC 3647;
3 - The audit/attestation letter from Bureau Veritas is not downloadable from the Bureau Veritas website; and
4 - The audit/attestation letter also fails the Automated Letter Validation (ALV) processing.

Hi,
We are restructuring our documentation; we have already fixed the certificates and our auditor has already sent you the audit letter.
Can you please tell us if all the documents have to be exactly like the RFC, or can we make some changes?
If you have encountered some errors in the certificates available please tell us, so we can fix them.

best regards

Flags: needinfo?(bwilson)