Add ACIN Global Trusted Sign root certificate
Categories: NSS :: CA Certificate Root Program, task
People: Reporter: info, Assigned: bwilson, NeedInfo
Whiteboard: [ca-verifying] - BW 2020-07-30 Comment #30
Attachments
(11 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:
We have implemented a new PKI with own Root and SubCA.

Actual results:
In August 2017 we have been audited by APCER and GNS and have been successfully certified. At this moment we are already in the EU Trusted List - https://webgate.ec.europa.eu/tl-browser/#/tl/PT/0

Expected results:
To have our root included as recognized in your browser.
Comment 1 • 3 years ago
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process: https://wiki.mozilla.org/CA/Application_Process#Process_Overview
In the meantime, please attach your completed BR Self Assessment to this bug. https://wiki.mozilla.org/CA/BR_Self-Assessment
And provide all of the information listed here: https://wiki.mozilla.org/CA/Information_Checklist
Comment 2 • 2 years ago
The status of this request is that we are waiting for the representative of the CA to provide the required information.
https://wiki.mozilla.org/CA/Information_Checklist#Example_and_Template
Comment 5 • 2 years ago
I am not finding this CA in the Common CA Database (CCADB), so please fill out the Application for CCADB Access form here:
https://ccadb.org/cas/request-access#application-for-ccadb-access
Comment 6 • 2 years ago
Thank you for filling in the CCADB Access form. You will receive email when the CCADB CA Community License is issued to you.
Then please create a Root Inclusion Case in the CCADB as described here:
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case
Hi,
We submitted the form on 11-06 but until now we haven't received a submission confirmation or the License. How long does the license take? Should we submit the form again, just in case?
Best regards.
Comment 8 • 2 years ago
It appears that a license for this user was created on the same day. I just sent a password reset email - please check your bulk mail folder.
Comment 10 (Reporter) • 2 years ago
Hi,
We just noticed that our audit letter is coming to an end, and we already asked APCER to send us a new one. We have the renewal process that we attach here, but it is in English. Can we submit to the CCADB the original audit letter in Portuguese and a translated paper, or do we need to wait until the new audit letter arrives to submit?
Comment 11 (Reporter) • 2 years ago
Comment 12 • 2 years ago
The link below shows the CA information that needs to be provided and verified. Search in the page for the word "NEED" to see where further clarification is requested.
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000463
To start with:
- NEED: Full audit history for both root certificates. All audit statements must list the SHA256 thumbprints for all of the root and intermediate certificates that were in scope of the audit, and must meet the requirements of Mozilla's Root Store Policy.
- NEED: All audit statements must meet the requirements of sections 3.1.3 and 3.1.4 of Mozilla's Root Store Policy: https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/
- NEED: Documents to be taken into consideration must be provided in English and as PDF.
  This CP URL does not seem to work: https://pki.globaltrustedsign.com/index.php/home_c/download/PL11_EN
  NEED DP02 in English: https://pki.globaltrustedsign.com/index.php/home_c/download/DP02
- CP/CPS Structured According to RFC 3647. NEED: CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, effective 31 May 2018. https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
- CAA Domains listed in CP/CPS: NEED: CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue. https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
- Long-lived Certificates: 1 to 3 years, it will be revised as soon as possible. NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Long-lived_Certificates
- Non-Standard Email Address Prefixes for Domain Ownership Validation: This will be revised to be explicit and added to DP02 13.3. NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Non-Standard_Email_Address_Prefixes_for_Domain_Ownership_Validation
- NEED: Add existing intermediate certificates to the CCADB, as described here: https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data
- NEED: URLs to the three test websites (valid, revoked, expired) whose TLS certs chain up to this root certificate. This is required per section 2.2 of the CA/Browser Forum Baseline Requirements. NEED: If you are requesting EV treatment, then the TLS cert for each test website must be EV.
- NEED: Test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
- NEED: If EV treatment is being requested, then provide successful output from EV Testing as described here: https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version
Comment 13 (Reporter) • 2 years ago
Hi,
We are still waiting for APCER to issue the new audit statements; as soon as we receive them we will send them to you.
In the CCADB we already submitted the PEM info about the Root certificate and the SubCA certificate. You can check the certificates using the following URLs:
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA
CP/CPS
https://pki.globaltrustedsign.com/index.php/home_c/download/PL11
https://pki.globaltrustedsign.com/index.php/home_c/download/DP02
We will be updating the topic as soon as we have the other information requested.
Best Regards.
Comment 14 • 1 year ago
(In reply to GTS from comment #13)
> In the CCADB we already submitted the PEM info about the Root certificate and the SubCA certificate. You can check the certificates using the following URLs:
> https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
> https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA
I see...
This request is for the inclusion of the "Global Trusted Sign Root Certification Authority 01" root certificate which has one subordinate CA, "Global Trusted Sign Certification Authority 01".
I will move the information for the subordinate CA to an intermediate certificate record in the CCADB, and then I will delete the extra root case that had been created with the subCA information.
> We will be updating the topic as soon as we have the other information requested.
Please add a comment to this bug when all of the information requested in Comment #12 has been provided.
Comment 15 (Reporter) • 1 year ago
Hi,
We are sending you the document that was missing from the original request.
If you need more information, please contact us.
Regards
Comment 16 • 1 year ago
(In reply to GTS from comment #15)
> Created attachment 9104912 [details]
> I1002_v2_EN_Audit letter eIDAS_SSL_10_2019.pdf
This audit statement appears to only be for the subordinate CA, and does not appear to meet Mozilla's requirements.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#31-audits
We need the full history of audit statements for the root and intermediate cert, as per
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History
And those audit statements must contain the information listed here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
> we send you the document that was missing from the original request.
> If you need more information, please contact us
Please add a comment to this bug to reply to all of the items listed in Comment #12.
Also note that I ran some tests:
Revocation Tested: https://certificate.revocationcheck.com/gtsvalid.pt
http://ocsp.globaltrustedsign.com/ (GET)
Unexpected HTTP response: 400
ERROR: OCSP signing certificate does not contain the OCSP No Check extension
ERROR: Content-Type in response is not set to 'application/ocsp-response' but to 'application/ocsp-response;charset=UTF8'
Lint Tested: I ran https://crt.sh/lintcert on the SSL cert for https://gtsvalid.pt/ which resulted in these errors:
cablint ERROR BR certificates with CRL Distribution Point must include HTTP URL
zlint ERROR Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA's CRL service
The CRL URL in the cert is https://pki.globaltrustedsign.com/subca/gts_subca_crl.crl but section 7.1.2.3 of the BRs requires it to be http and not https.
EV Tested: https://tls-observatory.services.mozilla.com/static/ev-checker.html
https://gtsvalid.pt/
1.3.6.1.4.1.50302.1.1.2.2.1.0
exit status 1, Stderr: GetFirstEVPolicyForCert failed: SEC_ERROR_EXTENSION_NOT_FOUND This may mean that the specified EV Policy OID was not found in the end-entity certificate.
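Two of the findings in Comment 16 (a cRLDistributionPoints URL that is https rather than the http URL required by BR section 7.1.2.3, and an OCSP signing certificate without id-pkix-ocsp-nocheck) can be checked locally before the test sites are handed over for review. The Go program below is an added example, not code from this bug, from GTS or from Mozilla's tooling; it uses only the standard library and builds its own throwaway self-signed certificate, so the hostnames and URLs in it are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"strings"
	"time"
)

// id-pkix-ocsp-nocheck (RFC 6960 section 4.2.2.2.1); its value is ASN.1 NULL (05 00).
var oidOCSPNoCheck = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 48, 1, 5}

// HasHTTPCRLDistributionPoint applies the cablint/zlint rule from BR section 7.1.2.3:
// at least one cRLDistributionPoints URL must be plain http://, so an https:// URL alone fails.
func HasHTTPCRLDistributionPoint(cert *x509.Certificate) bool {
	for _, u := range cert.CRLDistributionPoints {
		if strings.HasPrefix(strings.ToLower(u), "http://") {
			return true
		}
	}
	return false
}

// HasOCSPNoCheck reports whether an OCSP signing certificate carries id-pkix-ocsp-nocheck.
func HasOCSPNoCheck(cert *x509.Certificate) bool {
	for _, e := range cert.Extensions {
		if e.Id.Equal(oidOCSPNoCheck) {
			return true
		}
	}
	return false
}

// MakeTestCert builds a throwaway self-signed certificate (constructed input, not a
// GTS certificate) with the given CRL DP URL and, optionally, id-pkix-ocsp-nocheck.
func MakeTestCert(crlURL string, noCheck bool) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), CRLDistributionPoints: []string{crlURL}}
	if noCheck {
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidOCSPNoCheck, Value: []byte{0x05, 0x00}}}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run the same checks against a real end-entity or OCSP responder certificate, parse its DER with x509.ParseCertificate and pass the result to the two check functions instead of MakeTestCert.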
Comment 17 (Reporter) • 1 year ago
Comment #12
Hi,
We are submitting the new audit letter for your evaluation.
Best Regards
Comment 18 (Reporter) • 9 months ago
Hi,
We are still waiting for your feedback about the audit letter.
Best Regards.
Comment 19 (Reporter) • 9 months ago
We have not yet submitted this year's Audit letter because the audit has been postponed to July due to the COVID-19 crisis. Therefore, and in light of this extenuating circumstance, we ask if it is possible to proceed with the process, and then we will submit the Audit letter after the July audit.
Comment 20 (Reporter) • 9 months ago
Hi,
We are submitting a new audit letter, which will replace all previous versions. Therefore we ask you to validate the new one for our PKI.
We kindly remind you that we are a trusted European certificate authority, and that we require this approval from Mozilla in order to conduct business.
Hope to hear from you soon.
Regards
Comment 21 (Reporter) • 9 months ago
(In reply to GTS from comment #20)
Created attachment 9159373 [details]
ACIN TSP_Request.pdf
Hi,
We are submitting a new audit letter, which will replace all previous versions. Therefore we ask you to validate the new one for our PKI.
We kindly remind you that we are a trusted European certificate authority (https://webgate.ec.europa.eu/tl-browser/#/tl/PT/7), and that we require this approval from Mozilla in order to conduct business.
Hope to hear from you soon.
Regards
Comment 22 (Reporter) • 8 months ago
Hi,
We send you this message to know how the whole process of our admission is going.
Looking forward to hearing from you.
Regards
Comment 23 (Reporter) • 8 months ago
Hi,
We send you this message to know how the whole process of our admission is going.
Looking forward to hearing from you.
Regards
Comment 24 (Reporter) • 8 months ago
(In reply to GTS from comment #23)
Hi,
We send you this message to know how the whole process of our admission is going.
Looking forward to hearing from you.
Regards
Comment 25 (Reporter) • 8 months ago
Hi,
We send you a message to know how the whole process of our admission is going.
Looking forward to hearing from you.
Regards
Comment 26 • 8 months ago
Please review https://wiki.mozilla.org/CA/Application_Process and https://wiki.mozilla.org/CA/Application_Verification to understand the process.
Comment 27 (Reporter) • 8 months ago
Hi Ryan,
Thanks for your reply.
We re-read the verification process again just to be sure that we had submitted all the information, and we did. We would like to know what stage the verification is at, to inform our administration.
Once again thank you for your time.
Regards
Comment 28 • 8 months ago
You are somewhere between Steps 1 and 2 of https://wiki.mozilla.org/CA/Application_Process
Comment 29 (Reporter) • 8 months ago
Hello again,
Just keeping the thread alive, while waiting for feedback.
Thank you for your time
Best Regards
Comment 30 (Assignee) • 7 months ago
Requesting information regarding: official company name, whether EV requested, period-of-time audit dates, and 2020 CPS.
Comment 31 (Assignee) • 6 months ago
Still awaiting a response to Comment #30.
The CA's audit letter makes reference to "PL03_GTS_V4 – Website authentication EV Certificates Policy" but there is not a reference to compliance with the CA/B Forum's Extended Validation Guidelines. Do you still intend to pursue EV recognition with us?
Is the name of your company "ACIN-iCloud Solutions, Lda" or "ACIN iCloud Solutions S.A."? There appears to be a mismatch between the record in the CCADB and the audit letter.
The audit dates are not clearly period-of-time dates. In other words, it is currently required that the audit state the period of time (beginning and end) for which the audit covers. This is in addition to when the auditors were actually auditing your CA with onsite visits, which is what appears in the audit letter. Then there is the third date - the date of the audit report. The ALV processing had a difficult time with the date of the audit report. I don't think it appears in the text-readable part of the letter, but is only in the digital signatures of the auditors.
If you or your auditors need additional explanation of what is needed, please let me know and I will provide a more thorough explanation.
Also, we need an updated CPS because Mozilla requires that a new one be published at least every 12 months even if there are no substantive changes.
Comment 32 (Reporter) • 5 months ago
Hi,
We changed our repository; here's the new address: https://pki.globaltrustedsign.com/.
We are currently fixing some issues regarding the external audit and estimate getting the new and valid audit letter in October.
As soon as we receive it we will send it to you, so that it can be validated by Mozilla.
Best Regards,
Comment 33 (Reporter) • 4 months ago
Comment 34 (Reporter) • 4 months ago
Comment 35 (Reporter) • 4 months ago
(In reply to Ben Wilson from comment #31)
Hello,
Sorry for the delay.
We submitted two documents, the audit letter and the report. We also updated our policies and they are placed in https://pki.globaltrustedsign.com/en.
Thank you for your time.
Best Regards
Comment 36 (Assignee) • 4 months ago
(In reply to GTS from comment #35)
> We submitted two documents, the audit letter and the report. We also updated our policies and they are placed in https://pki.globaltrustedsign.com/en.
Which are the relevant policy documents that I should review for SSL/TLS certificate issuance?
I see several that are dated 2020/09/18, but nothing more recent.
Thanks.
Comment 37 (Reporter) • 4 months ago
(In reply to Ben Wilson from comment #36)
The documents related to the SSL/TLS certificates are "2020/11/05 - Certificate Policies for SSL OV v6.0.0" and "2020/11/05 - Certificate Policies for SSL EV v6.0.0".
Here are the links:
https://pki.globaltrustedsign.com/storage/docs/en/PL04_GTS.pdf
https://pki.globaltrustedsign.com/storage/docs/en/PL03_GTS.pdf
Let us know if you need something else. Thanks for your time.
Regards
Comment 38 (Reporter) • 3 months ago
Hello again,
Just keeping the thread alive, while waiting for feedback.
Thank you for your time
Best Regards
Comment 39 (Reporter) • 3 months ago
Hello again,
Just keeping the thread alive, while waiting for feedback.
Thank you for your time
Best Regards
Comment 40 (Reporter) • 2 months ago
Hello again,
Just keeping the thread alive, while waiting for feedback.
Thank you for your time
Best Regards and Happy New Year
Comment 41 (Assignee) • 2 months ago
Here are some comments based on my review today:
1 - The certificates for the test websites (gtsvalid.pt and gtsrevoked.pt) have expired (9/20/2020);
2 - The CP/CPS are not in the format required by RFC 3647;
3 - The audit/attestation letter from Bureau Veritas is not downloadable from the Bureau Veritas website; and
4 - The audit/attestation letter also fails the Automated Letter Validation (ALV) processing.
Comment 42 (Assignee) • 1 month ago
Comment 43 (Assignee) • 1 month ago
Comment 44 (Reporter) • 1 month ago
(In reply to Ben Wilson from comment #41)
> Here are some comments based on my review today:
> 1 - The certificates for the test websites (gtsvalid.pt and gtsrevoked.pt) have expired (9/20/2020);
> 2 - The CP/CPS are not in the format required by RFC 3647;
> 3 - The audit/attestation letter from Bureau Veritas is not downloadable from the Bureau Veritas website; and
> 4 - The audit/attestation letter also fails the Automated Letter Validation (ALV) processing.
Hi,
We are restructuring our documentation, we already fixed the certificates, and our auditor has already sent you the audit letter.
Can you please tell us if all the documents have to be exactly like the RFC or can we make some changes?
If you have encountered some errors in the certificates available, please tell us, so we can fix them.
Best regards