Open Bug 1454977 Opened 2 years ago Updated 1 month ago

Add ACIN Global Trusted Sign root certificate

Categories: NSS :: CA Certificate Root Program, task
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: info, Assigned: kwilson
Whiteboard: [ca-verifying] - KW 2019-11-04 - Comment #16
Attachments: 6 files

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

We have implemented a new PKI with own Root and SubCA


Actual results:

In August 2017 we were audited by APCER and GNS and were successfully certified.
At this moment we are already in the EU Trusted List - https://webgate.ec.europa.eu/tl-browser/#/tl/PT/0


Expected results:

To have our root included as recognized in your browser.
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process:
https://wiki.mozilla.org/CA/Application_Process#Process_Overview

In the meantime, please attach your completed BR Self Assessment to this bug.
https://wiki.mozilla.org/CA/BR_Self-Assessment

And provide all of the information listed here:
https://wiki.mozilla.org/CA/Information_Checklist
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-verifying] - Need BR Self Assessment

The status of this request is that we are waiting for the representative of the CA to provide the required information.
https://wiki.mozilla.org/CA/Information_Checklist#Example_and_Template

QA Contact: kwilson

As requested, the BR requirements assessment is attached.

I am not finding this CA in the Common CA Database (CCADB), so please fill out the Application for CCADB Access form here:
https://ccadb.org/cas/request-access#application-for-ccadb-access

Whiteboard: [ca-verifying] - Need BR Self Assessment → [ca-verifying] - CA is new to CCADB

Thank you for filling in the CCADB Access form. You will receive email when the CCADB CA Community License is issued to you.

Then please create a Root Inclusion Case in the CCADB as described here:
https://wiki.mozilla.org/CA/Information_Checklist#Create_a_Root_Inclusion_Case

Hi
We submitted the form on 11-06 but until now we haven't received a confirmation of submission or the License. How long does the license take? Should we submit the form again, just in case?
Best regards.

It appears that a license for this user was created on the same day. I just sent a password reset email - please check your bulk mail folder.

We just submitted the Root Inclusion Case as requested.

Hi ,
We just noticed that our audit letter is coming to an end, and we have already asked APCER to send us a new one. We have the renewal process that we attach here, but it is in English. Can we submit to the CCADB the original audit letter in Portuguese and a translated paper, or do we need to wait until the new audit letter arrives to submit?

The link below shows the CA information that needs to be provided and verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000463

To start with:

  1. NEED: Full audit history for both root certificates. All audit statements must list the SHA256 thumbprints for all of the root and intermediate certificates that were in scope of the audit, and must meet the requirements of Mozilla's Root Store Policy
    NEED: All audit statements must meet the requirements of sections 3.1.3 and 3.1.4 of Mozilla's Root Store Policy:
    https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

  2. NEED: Documents to be taken into consideration must be provided in English and as PDF.
    This CP URL does not seem to work:
    https://pki.globaltrustedsign.com/index.php/home_c/download/PL11_EN
    NEED DP02 in English
    https://pki.globaltrustedsign.com/index.php/home_c/download/DP02

  3. CP/CPS Structured According to RFC 3647
    NEED: CP/CPS documents must be structured according to RFC 3647. This requirement is stated in section 2.2 of the CA/Browser Forum Baseline Requirements, effective 31 May 2018.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
    CAA Domains listed in CP/CPS: NEED: CA's Certificate Policy and/or Certification Practice Statement ... shall clearly specify the set of Issuer Domain Names that the CA recognises in CAA "issue" or "issuewild" records as permitting it to issue.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS
    Long-lived Certificates: 1 to 3 years, it will be revised as soon as possible.
    NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Long-lived_Certificates
    Non-Standard Email Address Prefixes for Domain Ownership Validation: This will be revised to be explicit and added to DP02 13.3
    NEED: https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Non-Standard_Email_Address_Prefixes_for_Domain_Ownership_Validation

  4. NEED: Add existing intermediate certificates to the CCADB, as described here:
    https://www.ccadb.org/cas/intermediates#adding-intermediate-certificate-data

  5. NEED: URLs to the three test websites (valid, revoked, expired) whose TLS certs chain up to this root certificate. This is required per section 2.2 of the CA/Browser Forum Baseline Requirements. NEED: If you are requesting EV treatment, then the TLS cert for each test website must be EV.
    NEED: Test with http://certificate.revocationcheck.com/ and make sure there aren't any errors.
    NEED: If EV treatment is being requested, then provide successful output from EV Testing as described here https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

Whiteboard: [ca-verifying] - CA is new to CCADB → [ca-verifying] - KW 2019-09-17 - Comment #12
Summary: Add Global Trusted Sign root certificate → Add ACIN Global Trusted Sign root certificate

Hi
We are still waiting for APCER to issue the new audit statements; as soon as we receive them we will send them to you.
In the CCADB we have already submitted the PEM info about the Root certificate and the SubCA certificate; you can check the certificates using the following URLs:
https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA

CP/CPS
https://pki.globaltrustedsign.com/index.php/home_c/download/PL11
https://pki.globaltrustedsign.com/index.php/home_c/download/DP02

We will be updating the topic as soon as we have the other information requested.

Best Regards.

(In reply to GTS from comment #13)

> In the CCADB we have already submitted the PEM info about the Root certificate and the SubCA certificate; you can check the certificates using the following URLs:
> https://pki.globaltrustedsign.com/index.php/home_c/download/ROOT
> https://pki.globaltrustedsign.com/index.php/home_c/download/SUBCA

I see...

This request is for the inclusion of the "Global Trusted Sign Root Certification Authority 01" root certificate which has one subordinate CA, "Global Trusted Sign Certification Authority 01".

I will move the information for the subordinate CA to an intermediate certificate record in the CCADB, and then I will delete the extra root case that had been created with the subCA information.

> We will be updating the topic as soon as we have the other information requested.

Please add a comment to this bug when all of the information requested in Comment #12 has been provided.

Whiteboard: [ca-verifying] - KW 2019-09-17 - Comment #12 → [ca-verifying] - KW 2019-10-14 - Comment #14

Hi,
We have sent you the document that was missing from the original request.
If you need more information, please contact us.

Regards

(In reply to GTS from comment #15)

Created attachment 9104912 [details]
I1002_v2_EN_Audit letter eIDAS_SSL_10_2019.pdf

This audit statement appears to only be for the subordinate CA, and does not appear to meet Mozilla's requirements.
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#31-audits

We need the full history of audit statements for the root and intermediate cert, as per
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Complete_Audit_History

And those audit statements must contain the information listed here:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information

> We have sent you the document that was missing from the original request.
> If you need more information, please contact us.

Please add a comment to this bug to reply to all of the items listed in Comment #12.

Also note that I ran some tests:

Revocation Tested: https://certificate.revocationcheck.com/gtsvalid.pt
http://ocsp.globaltrustedsign.com/ (GET)
Unexpected HTTP response: 400
ERROR: OCSP signing certificate does not contain the OCSP No Check extension
ERROR: Content-Type in response is not set to 'application/ocsp-response' but to 'application/ocsp-response;charset=UTF8'

Lint Tested: I ran https://crt.sh/lintcert on the SSL cert for https://gtsvalid.pt/ which resulted in these errors:
cablint ERROR BR certificates with CRL Distribution Point must include HTTP URL
zlint ERROR Subscriber certificate cRLDistributionPoints extension must contain the HTTP URL of the CA’s CRL service
The CRL URL in the cert is https://pki.globaltrustedsign.com/subca/gts_subca_crl.crl but section 7.1.2.3 of the BRs requires it to be http and not https.

EV Tested: https://tls-observatory.services.mozilla.com/static/ev-checker.html
https://gtsvalid.pt/
1.3.6.1.4.1.50302.1.1.2.2.1.0
exit status 1, Stderr: GetFirstEVPolicyForCert failed: SEC_ERROR_EXTENSION_NOT_FOUND This may mean that the specified EV Policy OID was not found in the end-entity certificate.

Whiteboard: [ca-verifying] - KW 2019-10-14 - Comment #14 → [ca-verifying] - KW 2019-11-04 - Comment #16
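The three findings in Comment #16 (CRL distribution point without an http:// URL, an OCSP responder whose Content-Type carries a charset parameter and whose signing certificate lacks id-pkix-ocsp-nocheck, and an EV policy OID missing from the end-entity certificate) are the kind of checks a CA can run against its own test sites before asking for a re-test. The following stdlib-only linter is an added example written for this page; it is not code from the bug, from Mozilla's tooling, or from revocationcheck.com. It works on a constructed `CertProfile` record standing in for fields a real X.509 parser would extract, so it runs offline; the OID constants are the real values from RFC 6960 and the sample inputs are constructed to mirror the values quoted in Comment #16.

```python
"""Offline lint of the revocation/EV findings reported in Comment #16.

CertProfile is a constructed stand-in for a parsed certificate; in practice its
fields would be filled from an X.509 parser (this example stays stdlib-only).
"""
from dataclasses import dataclass, field
from typing import Dict, List
from urllib.parse import urlsplit

# Real OIDs / media type: RFC 6960 section 4.2.2.2.1 and Appendix A.
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"
OCSP_RESPONSE_MEDIA_TYPE = "application/ocsp-response"


@dataclass
class CertProfile:
    """Fields a linter needs from a certificate (constructed for this example)."""
    subject: str
    crl_dp_urls: List[str] = field(default_factory=list)
    certificate_policies: List[str] = field(default_factory=list)
    extension_oids: List[str] = field(default_factory=list)


def lint_crl_distribution_points(cert: CertProfile) -> List[str]:
    """BR 7.1.2.3: a subscriber cert's cRLDistributionPoints must carry an HTTP URL.

    An https-only URL is a finding: clients fetch CRLs in the clear, and a TLS
    fetch would itself need a revocation check (a circular dependency).
    """
    if not cert.crl_dp_urls:
        return [f"{cert.subject}: no cRLDistributionPoints URL present"]
    if not any(urlsplit(u).scheme.lower() == "http" for u in cert.crl_dp_urls):
        return [f"{cert.subject}: cRLDistributionPoints has no http:// URL "
                f"(found {', '.join(cert.crl_dp_urls)})"]
    return []


def lint_ocsp_responder(responder_cert: CertProfile, content_type: str) -> List[str]:
    """RFC 6960 Appendix A: Content-Type is exactly application/ocsp-response.

    Section 4.2.2.2.1: a delegated responder certificate should carry
    id-pkix-ocsp-nocheck so the client does not try to check the responder's
    own revocation status through the same responder.
    """
    findings = []
    # Compare the whole header value: the ';charset=UTF8' parameter seen in the
    # bug is what the revocation checker flagged, so parameters are a finding.
    if content_type.strip().lower() != OCSP_RESPONSE_MEDIA_TYPE:
        findings.append(f"Content-Type is {content_type!r}, "
                        f"expected {OCSP_RESPONSE_MEDIA_TYPE!r}")
    if ID_PKIX_OCSP_NOCHECK not in responder_cert.extension_oids:
        findings.append(f"{responder_cert.subject}: missing id-pkix-ocsp-nocheck extension")
    return findings


def lint_ev_policy(cert: CertProfile, requested_ev_oid: str) -> List[str]:
    """EV treatment needs the CA's EV policy OID inside the end-entity
    certificatePolicies extension; otherwise the EV checker reports the OID
    as not found, as in Comment #16."""
    if requested_ev_oid not in cert.certificate_policies:
        return [f"{cert.subject}: EV policy OID {requested_ev_oid} "
                f"not in certificatePolicies {cert.certificate_policies}"]
    return []


def lint_test_site(leaf: CertProfile, responder: CertProfile,
                   ocsp_content_type: str, ev_oid: str) -> Dict[str, List[str]]:
    """Run every check and return findings keyed by check name (empty lists pass)."""
    return {
        "crl_dp": lint_crl_distribution_points(leaf),
        "ocsp": lint_ocsp_responder(responder, ocsp_content_type),
        "ev": lint_ev_policy(leaf, ev_oid),
    }


# Constructed inputs mirroring the values quoted in Comment #16.
EV_OID_FROM_BUG = "1.3.6.1.4.1.50302.1.1.2.2.1.0"
AS_TESTED_LEAF = CertProfile(
    subject="gtsvalid.pt (as tested)",
    crl_dp_urls=["https://pki.globaltrustedsign.com/subca/gts_subca_crl.crl"],
    certificate_policies=["1.3.6.1.4.1.50302.1.1.2.2"],  # constructed: no EV OID
)
AS_TESTED_RESPONDER = CertProfile(subject="OCSP responder (as tested)")

# Constructed profile of what a passing re-test would look like.
FIXED_LEAF = CertProfile(
    subject="gtsvalid.pt (fixed)",
    crl_dp_urls=["http://pki.globaltrustedsign.com/subca/gts_subca_crl.crl"],
    certificate_policies=[EV_OID_FROM_BUG],
)
FIXED_RESPONDER = CertProfile(subject="OCSP responder (fixed)",
                              extension_oids=[ID_PKIX_OCSP_NOCHECK])

if __name__ == "__main__":
    for label, leaf, resp, ctype in (
        ("as tested", AS_TESTED_LEAF, AS_TESTED_RESPONDER, "application/ocsp-response;charset=UTF8"),
        ("fixed", FIXED_LEAF, FIXED_RESPONDER, "application/ocsp-response"),
    ):
        for check, findings in lint_test_site(leaf, resp, ctype, EV_OID_FROM_BUG).items():
            print(f"[{label}] {check}: {'PASS' if not findings else '; '.join(findings)}")
```

The "as tested" profile reproduces all four findings from Comment #16 (one CRL, two OCSP, one EV); the "fixed" profile returns empty lists for every check. Because the checks work on extracted fields rather than on raw DER, the same functions can be wired to any certificate parser the CA already uses.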

Comment #12
Hi,
We are submitting the new audit letter for your evaluation.

Best Regards
