Open Bug 1479040 Opened 2 years ago Updated 1 month ago

CERTISIGN ROOT CERTIFICATE AUTHORITY REQUEST

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: patricia.leite, Assigned: wthayer)

References

Details

(Whiteboard: [ca-cps-review] - KW 2019-08-15)

Attachments

(14 files, 3 obsolete files)

4.78 MB, application/x-zip-compressed
Details
202.06 KB, application/pdf
Details
813.70 KB, application/pdf
Details
1.59 KB, application/x-x509-ca-cert
Details
59.14 KB, application/pdf
Details
57.73 KB, application/pdf
Details
38.55 KB, application/pdf
Details
37.20 KB, application/pdf
Details
155.43 KB, application/pdf
Details
784.32 KB, application/pdf
Details
747.54 KB, application/pdf
Details
775.75 KB, application/pdf
Details
6.94 MB, application/x-zip-compressed
Details
15.53 KB, application/x-zip-compressed
Details
Attached file Certisign_201807.zip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36

Steps to reproduce:

Hello everyone.
I´ve made a mistake and cant access bug 1476739 anymore.
I´ve just check-out the "security" issue as asked for Kathleen.

so, let´s redo it.

Certisign requests to operate as a Root CA under Mozilla Root Program.

Certisign is a certification authority  with 22 years operating history in Brazil.
It was created in 1996 to issue SSL certificates operating under Symantec Trust Network.
Certisign also issue end-users certificates into Brazilian official PKI(ICP-Brasil) from its beginning. 
Since then, Certisign has been the CA leader in Brazilian market, issuing more than 100,000 certificates per month.
Duplicate of this bug: 1476739
Acknowledging receipt of this root inclusion request. I have a huge backlog of CA updates/requests to review, so this has been added to my list. I will update this bug when I begin information verification of this request as per step #2 of our process:
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
It will take me a while longer before I get to this request. Just updating the Whiteboard for now.
Whiteboard: [ca-verifying]
Attached file certisignrootca.crt (obsolete) —
The CP/CPS documents are as follows.

Certisign Trust Network CPS (mostly refers to the CP):
http://ctn.certisign.com.br/ctn/pc/pc-certisign-trust-network-authority.pdf

Certisign Trust Network CP: 
http://ctn.certisign.com.br/ctn/dpc/dpc-certisign-trust-network-authority.pdf
"This CP is applicable to CERTISIGN ROOT CERTIFICATION AUTHORITY and Subordinates CAs:
- CERTISIGN SSL CERTIFICATION AUTHORITY
- CERTISIGN SSL EV CERTIFICATION AUTHORITY
CERTISIGN Subordinates CAs operate as CAs under CERTISIGN TRUST NETWORK CP, issuing end-user
subscriber certificates."

Root CPS:
http://ctn.certisign.com.br/root/dpc/dpc-certisign-root-certification-authority.pdf
"This CPS is applicable to CERTISIGN ROOT CERTIFICATION AUTHORITY."

SSL CPS
http://ctn.certisign.com.br/ssl/dpc/dpc-certisign-ssl-certification-authority.pdf
"This CPS is applicable to CERTISIGN SSL CERTIFICATION AUTHORITY, who operates as CAs under CERTISIGN
TRUST NETWORK CP, issuing end-user subscriber certificates."

EV SSL CPS
http://ctn.certisign.com.br/ssl-ev/dpc/dpc-certisign-ssl-ev-certification-authority.pdf
"This CPS is applicable to CERTISIGN SSL EV CERTIFICATION AUTHORITY, who operates as CAs under CERTISIGN
TRUST NETWORK CP, issuing end-user subscriber certificates."

CA CPS:
http://ctn.certisign.com.br/certisign-ca/dpc/dpc-certisign-ca-certification-authority.pdf
"This CPS is applicable to CERTISIGN CERTIFICATION AUTHORITY, who operates as CAs under CERTISIGN TRUST
NETWORK CP, issuing end-user subscriber certificates."


1) Please explain the purpose of the dpc-certisign-ca-certification-authority.pdf document (CA CPS).
I thought it might be for the subCAs for non-SSL certs, but it has  detailed domain validation procedures.

2) Are you requesting that the email (S/MIME) trust bit also be enabled for this root certificate?
If yes, then where in the CP/CPS is the description of how the CA/RA verifies that the certificate subscriber owns/controls the email address to be included in the cert?
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control

3) I looked through all of the CP/CPS documents, but could not find the permitted CAA domain(s). I see section 3.2.2.8, but I could not find the permitted CAA domain(s) in there.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CAA_Domains_listed_in_CP.2FCPS

4) I noted in the CP:
"Either the value id‐kpserverAuth [RFC5280] or id‐kp‐clientAuth [RFC5280] or both values MUST be present."
Please see action #3 in our recent CA Communication about this:
https://wiki.mozilla.org/CA/Communications#September_2018_CA_Communication
Attached file certisignrootca.crt
Attachment #9013827 - Attachment is obsolete: true
ALso, Please update the test websites to serve up the intermediate cert with the SSL cert.
I attached the audit statements I found in the zip file. Missing the WebTrust CA audit statement, please attach.

Please also attach any other relevant audit statements.

I'm not familiar with this particular auditor: "Ernst & Young Auditores Independentes S.S."
So I'll have to dig into that later -- to find out if "Auditores Independentes S.S." is part of the EY in this list:
http://www.webtrust.org/licensed-webtrust-practitioners-international/item64419.aspx

I'm seeing that the certs for the test websites were create 2018-06-13T20:17:35Z
And the point-in-time audits performed on June 14th 2018.

When do you plan to have the period-of-time audits?

BRs section 8.1: "If the CA does not have a currently valid Audit Report indicating compliance with one of the audit schemes listed in Section 8.1, then, before issuing Publicly-Trusted Certificates, the CA SHALL successfully complete a point-in-time
readiness assessment performed in accordance with applicable standards under one of the audit schemes listed in
Section 8.1. The point-in-time readiness assessment SHALL be completed no earlier than twelve (12) months prior
to issuing Publicly-Trusted Certificates and SHALL be followed by a complete audit under such scheme within
ninety (90) days of issuing the first Publicly-Trusted Certificate.

Please also make sure that all audit statements meet Mozilla's requirements:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#314-public-audit-information
Whiteboard: [ca-verifying] → [ca-verifying] - KW Comments #7,9,14 2018-10-02

Kathleen Wilson, good morning!
First of all, sorry for the delay on answering this bug.
We decided to wait the Period of time reports to answer the bug.
I´ve attached your requests and ours answers at "CERTISIGN _ Mozilla_answers_201901"

Attached file CERTISIGN _ Mozilla_answers_201901.zip (obsolete) —

Good morning.
I´ve defined wrongly the "the content type" of "9039503: CERTISIGN´s Mozilla answers update at 2019-01-28"

Please consider this one.

Attachment #9039503 - Attachment is obsolete: true

The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000328

In particular:

  1. If the audit statements/seals are on the CPA Canada website, then please send me the URL to the WebTrust seals.

  2. Per section 7.1.3 of the CP and CPS documents, it appears that SHA-1 certs are still allowed to be issued in this CA Hierarchy, as long as they do not have the CABF Algorithm object identifier.
    Please see https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Issuance_of_SHA-1_Certificates
    and section 7.1.3 of the CA/Browser Forum's Baseline Requirements.

  3. OCSP appears to not be working or to not be set up properly. This causes the Revoked test website to not show up as revoked in my browser even though I have "Check OCSP" set.
    You can also see this problem in the OCSP section of
    https://certificate.revocationcheck.com/revokedevssl.certisign.com.br
    This also causes errors when checking the revocation setup for the valid test website
    https://certificate.revocationcheck.com/trustedevssl.certisign.com.br
    Errors:
    http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
    Unexpected HTTP response: 404 Not Found
    http://ocsp-certisign-ssl-ev-ca.certisign.com.br (POST)
    Unexpected HTTP response: 500 Server Error
    http://ocsp-certisign-ssl-ev-ca.certisign.com.br (UNKNOWN)
    Unexpected HTTP response: 404 Not Found

This also causes EV testing to fail.

  1. Please resolve Lint test ERRORS
    https://crt.sh -> Advanced -> Certificate Linter
    Input trustedevsslcertisigncombr.crt
    output:
    cablint ERROR Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31)

PS: I also ran that test on the subCA, and got the following notices. I'm providing this info in case it helps you figure out what's going wrong with OCSP.
Input: CERTISIGNSSLEVCERTIFICATIONAUTHORITY.crt
output:
cablint INFO CA certificate identified
zlint WARNING Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.
zlint NOTICE Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set

QA Contact: kwilson
Whiteboard: [ca-verifying] - KW Comments #7,9,14 2018-10-02 → [ca-verifying] - KW 2019-01-31 - Comment #22

Good morning!
Here are our answers to the “needs” requirements:

a) We´ve already correct or complement this issues:
• General information about CA's associated organization
Problem Reporting Mechanism
NEED: An email address (that the CA closely monitors) for reporting suspected Private Key Compromise, Certificate misuse, or other types of fraud, compromise, or any other matter related to certificates
CERTISIGN ANSWER: normas@certisign.com.br is an email address that we closely monitors and is assigned as point of contact in all CP/CPS

• CP/CPS and Audit Statements
Standard Audit ALV Comments
BR Audit ALV Comments
EV SSL Audit ALV Comments
NEED: If the Webtrust seal is available on the CPA Canada, please provide the link. Otherwise Kathleen will need to send email to EY to confirm the authenticity of the document.
CERTISIGN ANSWER: The links were made available by CPA and are in our site at https://www.certisign.com.br/certisign/institucional
Click over "WEBTRUST" image, that will open an sub-page with all our current WEBTRUST seals.
https://www.cpacanada.ca/webtrustseal?sealid=10110
https://www.cpacanada.ca/webtrustseal?sealid=10111
https://www.cpacanada.ca/webtrustseal?sealid=10112

NOTE: these links are valid only if they are opened from Certisign webpages. Otherwise you will receive a message saying that the link is not valid.

• Forbidden and Potentially Problematic Practices
CA's Response to Forbidden Practices
8. Issuance of SHA-1 Certificates: CP/CPS sections 6.1.5, 7.1.3
NEED: Per section 7.1.3 of the CP and CPS documents, it appears that SHA-1 certs are still allowed to be issued in this CA Hierarchy, as long as they do not have the CABF Algorithm object identifier.
Please see https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Issuance_of_SHA-1_Certificates and section 7.1.3 of the CA/Browser Forum's Baseline Requirements.
CERTISIGN ANSWER: we have already correct and republished our policies.

• CA Hierarchy Information
Description of PKI Hierarchy
NEED: CA to enter their intermediate certs into the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data
Kathleen needs to issue CCADB CA Community License to the CA first.
CERTISIGN ANSWER: I´ve understand that we must wait Mozilla actions first

b) We are working on these subjects and will present evidences in 2 weeks:

• Test Websites or Example Cert
Test Notes
NEED: OCSP appears to not be working or to not be set up properly.
This causes the Revoked test website to not show up as revoked in my browser even though I have "Check OCSP" set. You can also see this problem in the OCSP section of https://certificate.revocationcheck.com/revokedevssl.certisign.com.br

• Test Results (When Requesting the SSL/TLS Trust Bit)
Revocation Tested
NEED: Fix OCSP
https://certificate.revocationcheck.com/trustedevssl.certisign.com.br
http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
Unexpected HTTP response: 404 Not Found
http://ocsp-certisign-ssl-ev-ca.certisign.com.br (POST)
Unexpected HTTP response: 500 Server Error
http://ocsp-certisign-ssl-ev-ca.certisign.com.br (UNKNOWN)
Unexpected HTTP response: 404 Not Found

EV Tested
NEED: Fix OCSP
https://tls-observatory.services.mozilla.com/static/ev-checker.html with https://trustedevssl.certisign.com.br/ and 1.3.6.1.4.1.30253.17
Results in error: The response from the OCSP server was corrupted or improperly formed.
CERTISIGN ANSWER:

c) We´re having some difficulties in understanding these errors. Could you recommend any URL or technical person to discuss about them?

CA/Browser Forum Lint Test
NEED: Resolve Lint test ERRORS
https://crt.sh -> Advanced -> Certificate Linter
Input trustedevsslcertisigncombr.crt
output: cablint ERROR Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31)

Test Website Lint Test
NEED: CA also found the error in their testing:
E: Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31) trustedssl.cer

best regards
Patricia T O Leite
CERTISIGN CERTIFICADORA DIGITAL S.A.

The link below shows the CA information that has been verified.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000328

(In reply to Patricia Leite from comment #23)

current WEBTRUST seals.
https://www.cpacanada.ca/webtrustseal?sealid=10110
https://www.cpacanada.ca/webtrustseal?sealid=10111
https://www.cpacanada.ca/webtrustseal?sealid=10112

entered into CCADB, and ALV passed.

CA's Response to Forbidden Practices
8. Issuance of SHA-1 Certificates: CP/CPS sections 6.1.5, 7.1.3
NEED: Per section 7.1.3 of the CP and CPS documents, it appears that SHA-1 certs are still allowed to be issued in this CA Hierarchy, as long as they do not have the CABF Algorithm object identifier.
Please see https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Issuance_of_SHA-1_Certificates and section 7.1.3 of the CA/Browser Forum's Baseline Requirements.
CERTISIGN ANSWER: we have already correct and republished our policies.

verified

Description of PKI Hierarchy
NEED: CA to enter their intermediate certs into the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data
Kathleen needs to issue CCADB CA Community License to the CA first.
CERTISIGN ANSWER: I´ve understand that we must wait Mozilla actions first

We will issue a CCADB CA Community License to you, and you will receive email when that happens.

OCSP Problems
We are working on these subjects and will present evidences in 2 weeks:

Maybe the following will help identify the OCSP problems
Input: CERTISIGNSSLEVCERTIFICATIONAUTHORITY.crt
output:
cablint INFO CA certificate identified
zlint WARNING Subordinate CA Certificate: authorityInformationAccess SHOULD also contain the HTTP URL of the Issuing CA's certificate.
zlint NOTICE Root and Subordinate CA Certificates that wish to use their private key for signing OCSP responses will not be able to without their digital signature set

EV Test Results in error: The response from the OCSP server was corrupted or improperly formed.
CERTISIGN ANSWER:
We´re having some difficulties in understanding these errors. Could you recommend any URL or technical person to discuss about them?

I think the EV test failures will be resolved when you get OCSP working correctly.

Whiteboard: [ca-verifying] - KW 2019-01-31 - Comment #22 → [ca-verifying] - KW 2019-03-25 - Comment #24

Update:

  1. The CA has entered the intermediate cert data into the CCADB.

  2. EV test passes

  3. https://certificate.revocationcheck.com/trustedevssl.certisign.com.br
    only has these errors now:
    http://certisign-ca.certisign.com.br/certisignsslevca/lcr/LatestCRL.crl
    ERROR: NextUpdate is 1s before the date in the Expires cache header
    http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
    ERROR: Response is not yet valid

Patricia, Please resolve those errors.

  1. https://crt.sh/?caid=115633&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
    no errors

https://crt.sh/?caid=115641&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
ERROR: Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31)
failed for the 3 test website certs.

Patricia, Please resolve or explain this error.

Whiteboard: [ca-verifying] - KW 2019-03-25 - Comment #24 → [ca-verifying] - KW 2019-05-14 - Comment #25

Kathleen, good morning!
We attached the tests made yesterday when errors mentioned were solved.

Attachment #9039759 - Attachment is obsolete: true

I'm still seeing errors...

  1. https://certificate.revocationcheck.com/trustedevssl.certisign.com.br
    is listing these errors:
    http://certisign-ca.certisign.com.br/certisignsslevca/lcr/LatestCRL.crl
    ERROR: NextUpdate is 1s before the date in the Expires cache header
    http://certisign-ca.certisign.com.br/certisignrootca/lcr/LatestCRL.crl
    ERROR: NextUpdate is 4h53m28s before the date in the Expires cache header
    ERROR: The Cache-Control max-age header outlives NextUpdate with 4h53m28s
    http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
    ERROR: Response is not yet valid

  2. Please also resolve or explain this error:
    https://crt.sh/?caid=115641&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
    ERROR: Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31)
    failed for the 3 test website certs.

Whiteboard: [ca-verifying] - KW 2019-05-14 - Comment #25 → [ca-verifying] - KW 2019-06-04 - Comment #28

Kathleen Wilson, good morning!
Here are our answers:

  1. https://certificate.revocationcheck.com/trustedevssl.certisign.com.br is listing these errors:
    a) http://certisign-ca.certisign.com.br/certisignsslevca/lcr/LatestCRL.crl
    ERROR: NextUpdate is 1s before the date in the Expires cache header
    &
    b) http://certisign-ca.certisign.com.br/certisignrootca/lcr/LatestCRL.crl
    ERROR: NextUpdate is 4h53m28s before the date in the Expires cache header
    ERROR: The Cache-Control max-age header outlives NextUpdate with 4h53m28s
    [CERTISIGN] These errors occur due to the fact that our CA software generates the LCR / OCSP internally and then publishes this information in an external directory / service.
    So, occasionally the date of the published data may have a difference of 1 second for the date entered in the LCR / OCSP, causing these error messages.
    If you use the "Certificate Upload" option at https://certificate.revocationcheck.com/ the error messages don´t appear.
    As “TLS / SSL Connection" option uses cach the errors should remain.

c) http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
ERROR: Response is not yet valid
[CERTISIGN] We are still working on it.

  1. https://crt.sh/?caid=115641&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
    ERROR: Constraint failure in CertificatePolicies: ASN.1 constraint check failed: policyQualifiers: constraint failed (PolicyInformation.c:31)
    failed for the 3 test website certs.
    [CERTISIGN] We re-issued the test website certs in order to correct this error. Use them ((certificates.zip)) to test certilint e X509lint

these certificates must be used to complete 7th,June,2019 analisys

Hello!
Here is our last response:
c) http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
ERROR: Response is not yet valid
[CERTISIGN] "Response is not yet valid" error can occur when the certificate status check request is made up to 300 milliseconds or less for the second turn.
That's because our service (Application + web server) takes 300 milliseconds to respond to the client's request.

best regards
Patricia Leite
CERTISIGN S.A.

(In reply to Patricia Leite from comment #31)

Hello!
Here is our last response:
c) http://ocsp-certisign-ssl-ev-ca.certisign.com.br (GET)
ERROR: Response is not yet valid
[CERTISIGN] "Response is not yet valid" error can occur when the certificate status check request is made up to 300 milliseconds or less for the second turn.
That's because our service (Application + web server) takes 300 milliseconds to respond to the client's request.

I don't understand the explanation, but I checked again, and I still see the same error.
https://certificate.revocationcheck.com/trustedevssl.certisign.com.br

(In reply to K Wilson from comment #32)

[CERTISIGN]
I think my bad english didn´t make you understand my explanation....
The "Response is not yet valid" error occurs because our infrastructure, based on best practices, keeps the OCSP service segregated across a different network segment of the front end.
We have servers to attend the client on the front end, segregated from the OCSP service servers in the backend by firewall.
The time lag between front-end receipt, forwarding to the back-end, back-end response, forwarding to the front end, and customer response is about 300 milliseconds.
When the OCSP demand is routed close to the next second, the answer forwarded in the next second.
If several tests are performed (waiting for buffer expiration), it is possible to identify successful tests (that is, response in the same second).

(In reply to Patricia Leite from comment #33)

(In reply to K Wilson from comment #32)

[CERTISIGN]
I think my bad english didn´t make you understand my explanation....
The "Response is not yet valid" error occurs because our infrastructure, based on best practices, keeps the OCSP service segregated across a different network segment of the front end.
We have servers to attend the client on the front end, segregated from the OCSP service servers in the backend by firewall.
The time lag between front-end receipt, forwarding to the back-end, back-end response, forwarding to the front end, and customer response is about 300 milliseconds.
When the OCSP demand is routed close to the next second, the answer forwarded in the next second.
If several tests are performed (waiting for buffer expiration), it is possible to identify successful tests (that is, response in the same second).

Patricia: I also do not understand this response. Are you saying that the clock on the CERTISIGN OCSP signer is slightly ahead of the clock on the revocationcheck.com website, or that the revocationcheck.com website is incorrectly comparing the thisUpdate time in the OCSP response to its clock time? Or are you saying that the CERTISIGN system will sometimes return OCSP responses that are timestamped slightly in the future? Or something else is wrong?

Hello!
We´ve identified an internal error. Could you please checked again?
Best Regards
Patricia Leite

Hello!
Is there any news about it?
Best Regards

Flags: needinfo?(kwilson)

The information for this root inclusion request is available at the following URL.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000328

This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
so assigning this bug to Wayne.

There is a queue waiting for detailed CP/CPS reviews:
https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review

It takes significant time and concentration to do a detailed CP/CPS review, so please be patient. In the meantime, I recommend looking at the results of the detailed CP/CPS reviews that have been previously completed.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

Assignee: kwilson → wthayer
Flags: needinfo?(kwilson)
Whiteboard: [ca-verifying] - KW 2019-06-04 - Comment #28 → [ca-cps-review] - KW 2019-08-15

Hello!
Is there any news about it?
Best Regards

Flags: needinfo?(patricia.leite)

(In reply to Patricia Leite from comment #38)

Hello!
Is there any news about it?
Best Regards

Per Comment #37, you can watch the queue here:
https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review
(Click on the "Whiteboard" column to sort so you can see the CP/CPS Reviews based on date they entered the queue.)

Flags: needinfo?(patricia.leite)

Hello!

I am Certisign's new contact for interactions on this ID.
Do we have any news about this process?
Thank you.
Best Regards.

Flags: needinfo?(bspirandelli)

If you sort https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review by the "Whiteboard" column, you can see that there are three requests in the queue ahead of yours. The request with the oldest date in the Whiteboard field is the one that will be reviewed next.

Please note that the 'needinfo' flag is used to notify others that you need their response. I have cleared the 'needinfo' you set for yourself.

Flags: needinfo?(bspirandelli)
You need to log in before you can comment on or make changes to this bug.