Cybertrust Japan: three test websites not provided
Categories: NSS :: CA Certificate Compliance, task
Tracking: Not tracked
People: Reporter: kwilson, Assigned: masahiro.shikutani
Details: Whiteboard: [ca-compliance] - Next update 19-Oct-2018
Section 2.2 of the BR says: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired."
These three test websites are not provided for the following root certificate:
CN=SecureSign RootCA11
SHA-256 Fingerprint: BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4F:6F:5D:72:59:AA:42:16:12
This root cert needs to be in full compliance with Mozilla's Root Store Policy and the CA/Browser Forum's Baseline Requirements, which includes having the 3 test websites. Or this root cert needs to be removed.
Comment 1 (Assignee) • 2 years ago
Hi, please let us check/discuss internally and update here.
Comment 2 (Assignee) • Last year
We are preparing to issue the test websites. They will be ready for public at least by the end of September.
Comment 3 (Assignee) • Last year
Regarding the test website, could you please wait a little more, until October 19th? We encountered an error while we tried to access the new test website for which we configured the SSL certificate issued from our new technically constrained SubCA under the JCSI root. After our investigation, we found that we should make the SubCA again to revise the value of the Name Constraints extension in the SubCA certificate. So, please allow us some more time.
Comment 4 (Assignee) • Last year
The following are the URLs of our test websites (valid, expired, revoked).
https://jcsi-valid.managedpki.ne.jp/
https://jcsi-expired.managedpki.ne.jp/
https://jcsi-revoke.managedpki.ne.jp/
We wrote the above info in the Case Comments on CCADB.
Comment 5 (Reporter) • Last year
These test websites look good to me, so I added them to the Root Cert Record in the CCADB. I believe this bug may be closed.
Comment 6 (Assignee) • Last year
Kathleen-san, Thank you.
Comment 7 • Last year
Test websites are one of the most basic requirements placed on CAs. From comment #2, I am led to believe that these test websites never existed. Please explain why these websites did not exist, and how Cybertrust Japan was able to obtain an unqualified opinion from KPMG AZSA for the period ending February 28, 2018. Also, has Cybertrust Japan undertaken a thorough internal review to ensure that they are in full compliance with the BRs and Mozilla policy? If so, what were the results?
Comment 8 • 11 months ago
Masahiro: please respond to the questions in comment #7. It is not acceptable for you to ignore these questions.
Comment 9 • 11 months ago
Masahiro: Do you have an update?
Comment 10 (Assignee) • 10 months ago
I apologize for my late response.
The period of the last audit was from March 2017 to the end of Feb. 2018.
As written in Case 00000123 on CCADB, we got an exception regarding the test website for that moment (2017/07/29), and we explained it to KPMG AZSA for the period ending February 28 and also to our internal review.
So, Cybertrust Japan was able to obtain an unqualified opinion from KPMG AZSA.
Please note that we, CTJ, are now under the next audit, whose period is from March 2018 to the end of Feb. 2019, and we'll let KPMG AZSA know about this buglist.
Comment 11 (Assignee) • 10 months ago
I'm afraid of asking this kind of basic question, but is it possible to add "jcsi-r@cybertrust.ne.jp" for notification of this Bug?
I didn't intend to ignore these questions, but again I apologize for my very late response.
Comment 12 (Reporter) • 10 months ago
(In reply to masahiro.shikutani from comment #11)
> I'm afraid of asking this kind of basic question, but is it possible to add "jcsi-r@cybertrust.ne.jp" for notification of this Bug?
> I didn't intend to ignore these questions, but again I apologize for my very late response.
You can create a bugzilla account here:
https://bugzilla.mozilla.org/createaccount.cgi
Then add the new account to the CC list of this bug.