Open Bug 1559342 Opened 10 months ago Updated 8 days ago

Add AC RAIZ FNMT-RCM SERVIDORES SEGUROS to NSS

Categories: NSS :: CA Certificate Root Program, task
Tracking: Not tracked
Status: ASSIGNED
People: Reporter: alain, Assigned: wthayer
Details: Whiteboard: [ca-cps-review] - KW 2019-09-17
Attachments: 1 file

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0

Steps to reproduce:

N/A
Root Inclusion

Actual results:

N/A
Root Inclusion

Expected results:

N/A
Root Inclusion

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Please find herewith the FNMT root inclusion request for:
ROOT 1: AC RAIZ FNMT-RCM SERVIDORES SEGUROS / 554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB
INTERMEDIATE 1.1: AC SERVIDORES SEGUROS TIPO1 / 1EDB6BD91274882DB795BFC514F8AABE10AD955CBCCFD3FD5A5B5FEBB2CE5B68
INTERMEDIATE 1.2: AC SERVIDORES SEGUROS TIPO2 / 9FF23CB9387B9E0083BD5AA1954EEDDF792890AA8E67CD4D38DD28AF4A439AD8

All the related information for this root inclusion request can be found in:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418

The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418

In particular:

  1. Please attach this CA's latest BR Self Assessment to this bug
    https://wiki.mozilla.org/CA/BR_Self-Assessment

  2. Perform testing when the EV test websites are available
    a) Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.
    b) Resolve or explain lint testing errors.
    I put the cert chain from https://testactivetipo2.cert.fnmt.es/ into the 'Certificate Linter' at https://crt.sh/?a=1
    end-entity cert: zlint ERROR Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.
    no errors for the intermediate and root certs.
    c) Provide successful output from EV Testing as described here https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

Type: defect → task
Whiteboard: [ca-verifying] - KW 2019-06-18 - Comment #2
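The zlint error quoted in item 2b of comment 2 is, as I read that lint, a check that a certificate carrying any ETSI ESI QC statement also carries the mandatory QcCompliance statement. The block below is an added example, not code from this bug, from FNMT or from zlint: a stdlib-only DER walker that extracts the statementIds from a qcStatements extension value and applies that check to constructed samples. Assumptions: QcCompliance (0.4.0.1862.1.1) is the mandatory statement, and the samples omit statementInfo.

```python
ETSI_QCS_PREFIX = "0.4.0.1862.1."          # id-etsi-qcs arc (ETSI EN 319 412-5 clause 4)
QC_COMPLIANCE = "0.4.0.1862.1.1"           # esi4-qcStatement-1
QC_TYPE = "0.4.0.1862.1.6"                 # esi4-qcStatement-6
MANDATORY = [QC_COMPLIANCE]                # assumption: my reading of what the zlint check requires

def _tlv(tag, body):                       # DER TLV, short-form length only (body < 128 bytes)
    return bytes([tag, len(body)]) + body
def _encode_oid(dotted):                   # dotted string -> DER OBJECT IDENTIFIER
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])      # base-128, high bit set on every byte but the last
        while a := a >> 7:
            chunk.insert(0, 0x80 | (a & 0x7F))
        out += chunk
    return _tlv(0x06, bytes(out))
def qc_statements(*oids):                  # qcStatements ::= SEQUENCE OF QCStatement { statementId }
    return _tlv(0x30, b"".join(_tlv(0x30, _encode_oid(o)) for o in oids))

def _read_tlv(buf, pos):                   # -> (tag, value bytes, position after the TLV)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(raw):                      # DER OBJECT IDENTIFIER content -> dotted string
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))
def statement_ids(ext_value):              # statementId of every QCStatement in the extension value
    _, seq, _ = _read_tlv(ext_value, 0)    # outer SEQUENCE OF
    ids, pos = [], 0
    while pos < len(seq):                  # QCStatement ::= SEQUENCE { statementId, statementInfo OPTIONAL }
        _, stmt, pos = _read_tlv(seq, pos)
        ids.append(_decode_oid(_read_tlv(stmt, 0)[1]))
    return ids

def lint_mandatory_etsi_statements(ext_value):   # NA / PASS / ERROR, mirroring the zlint verdict
    ids = statement_ids(ext_value)
    if not any(i.startswith(ETSI_QCS_PREFIX) for i in ids):
        return "NA"                        # no ETSI ESI statement present, lint does not apply
    missing = [o for o in MANDATORY if o not in ids]
    return "PASS" if not missing else "ERROR: missing " + ", ".join(missing)

# Constructed samples (statementInfo omitted): the first reproduces the page's error, the second the fix.
RESULT_ONLY_QCTYPE = lint_mandatory_etsi_statements(qc_statements(QC_TYPE))
RESULT_WITH_COMPLIANCE = lint_mandatory_etsi_statements(qc_statements(QC_COMPLIANCE, QC_TYPE))
```

To run it against a real leaf certificate, feed the raw value of the qcStatements extension (OID 1.3.6.1.5.5.7.1.3) to `lint_mandatory_etsi_statements`; the parser ignores statementInfo, so real statements with payloads are handled.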

Please find attached BR Self Assessment for AC RAIZ FNMT-RCM SERVIDORES SEGUROS

(In reply to alain from comment #3)

> Created attachment 9072771
> BR self assessment AC Servidores Seguros.pdf
>
> Please find attached BR Self Assessment for AC RAIZ FNMT-RCM SERVIDORES SEGUROS

Thanks!

Please add another comment to this bug when the EV test websites are available and the tests have been successfully performed. (per item 2 of comment 2).

Whiteboard: [ca-verifying] - KW 2019-06-18 - Comment #2 → [ca-verifying] - KW 2019-06-19 - Comment #4

(In reply to Kathleen Wilson from comment #2)

> The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418
>
> In particular:
>
>   1. Perform testing when the EV test websites are available
>     a) Test with http://certificate.revocationcheck.com/ make sure there aren't any errors.
>     b) Resolve or explain lint testing errors.
>     I put the cert chain from https://testactivetipo2.cert.fnmt.es/ into the 'Certificate Linter' at https://crt.sh/?a=1
>     end-entity cert: zlint ERROR Checks that a QC Statement that contains at least one of the ETSI ESI statements, also features the set of mandatory ETSI ESI QC statements.
>     no errors for the intermediate and root certs.
>     c) Provide successful output from EV Testing as described here https://wiki.mozilla.org/PSM:EV_Testing_Easy_Version

Please be informed we have already uploaded the EV test websites:
https://testactivetipo1.cert.fnmt.es/
https://testrevokedtipo1.cert.fnmt.es/
https://testexpiredtipo1.cert.fnmt.es/
No errors found.
Output from EV Testing: ev-checker exited successfully

Alain,

  1. Please provide an Incident Report and status for the non-conformities listed in this audit statement. (I noticed that the audit statement for this root inclusion request is not the same as the audit statement discussed in Bug #1544586.)

https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019%200003%20-%20FNMT-v2.2.pdf

  2. https://certificate.revocationcheck.com/testactivetipo1.cert.fnmt.es shows a timeout error for me.
Whiteboard: [ca-verifying] - KW 2019-06-19 - Comment #4 → [ca-verifying] - KW 2019-09-16 - Comment #6

Kathleen,

  1. Please find herewith incident report for the following findings referred to audit report https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019%200003%20-%20FNMT-v2.2.pdf.
    (Please be aware that some of the findings have been already reported to bug 1544586 and bug 1495507)

Findings:
#1 - In the case of the QCP-w certificates that will be issued by "AC SERVIDORES SEGUROS TIPO1" with the new validation platform, evidence has been found during the tests…..,
#2 We could not find evidence of the formal definition and assignment of the validation
specialist profile, as ……– Please refer to bug 1544586 (topic 3#)
#3 The incidents that have an impact on the availability of the services are not classified as security incidents…..– Please refer to bug 1544586 (topic 4#)
#4 We have not been able to find evidence of the TSP’s monitorization procedure of the status of the QSCD certification…..
#5 We have evidence qualified certificates issued with errors:
  • (QCP-n) 1.3.6.1.4.1.5734.3.3.4.4.2: Certificates with organizationName or organizationUnitName bigger than 64 characters…..– Please refer to bug 1495507.
#6 Although follow-up and actions are performed aimed at improving the level of compliance of the public website with regards to accessibility standards, … – Please refer to bug 1544586 (topic 6#)
#7 The entity makes available the CPS and CP, including adherence to the requirements of the CA / B Forum, although the adherence to the EVCGs requirements in the general CPS are not included. It should be noted that we have not been able to find evidence of the availability of test sites for the new hierarchy "AC RAIZ FNMT-RCM SERVIDORES SEGUROS".

Incident report

  1. How your CA first became aware of the problem.
    Topic #1 (validation and the approval of the certificate request)
    During the face-to-face review by the auditors, the existence of a bug in the application developed to manage the dual roles for approving the issuance of a QCP-w was evidenced. To date only test certificates have been issued.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    During the face-to-face review by the auditors, it was not possible to demonstrate how the TSP monitors the status of the QSCD certifications for the QCP-n-remote certificates or the appropriate measures in the DPC in case of loss of status as QSCD.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    During the documental review by the auditors, it was pointed out that only the specific CP included the required reference to the EVCGs requirements. Also, at that time only the OVCP test websites for AC Servidores Seguros were available.
  2. A timeline of the actions your CA took in response.
    Topic #1 (validation and the approval of the certificate request)
    After the meeting about the results of the audit, which took place on February 8th, the software development team proceeded to review and correct the app code in order to prevent a validator from approving the issuance of the same certificate, in accordance with EVCG 14.1.3.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    On March 5, 2019, an extraordinary TSP Management Committee meeting took place, agreeing to include the following controls in the agenda of the ordinary call of its quarterly meetings:
    a) Establish a periodic check at least every 3 months in order to confirm the status of the QSCD certification. Specifically, evidence will be collected from
      • the Trusted List of the European Commission of qualified signature / stamp creation devices
      • any communications from the manufacturer itself as well as from the supervisory body.
    b) Include in the agenda of the ordinary (quarterly) calls of the TSP Management Committee the results of the controls established in relation to the monitoring of the certifications. In case of loss, the TSP Management Committee will be called as soon as the event is known to execute the corresponding actions.
    c) Include in the General CPS the form of action in case of loss of the QSCD certification (CPS section 9.17, paragraph 430).
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    Version 5.4 of the General CPS, approved and published on 05/03/2019, states in section 9.17 OTHER STIPULATIONS, paragraph 428, the required statement.
    EVCP test websites for AC Servidores Seguros were available on July 11th 2019.

  3. Whether your CA has stopped, or has not yet stopped, issuing certificates with the problem
    Topic #1 (validation and the approval of the certificate request)
    The problem has been solved in time so no certificates have been issued with this problem. To date, only test certificates have been issued.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    The only certificates that could have been affected are the QCP-n remote certificates. No certification had undergone any variation and therefore there is no certificate affected by this problem.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    The specific certificate policy for AC Servidores Seguros has always stated the required adherence to EVCGs. (CP Section 9.6.1. CA's obligations – paragraph 217: “In addition, the FNMT-RCM undertakes to comply, with regard to the issue of EV Certificates (Website certificate, EV Certificate and SAN EV Certificate), all requirements established by the entity CA/Browser for these types of Certificates, and which can be consulted at https://cabforum.org/extended-validation/)”
    Therefore no EV certificates have been issued with this problem. To date only test certificates have been issued.

  4. A summary of the problematic certificates.
    Topic #1 (validation and the approval of the certificate request)
    The problem has been solved in time so no certificates are involved.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    The monitoring controls have been implemented and no certificates are involved.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    No certificates involved.

  5. The complete certificate data for the problematic certificates.
    Topic #1 (validation and the approval of the certificate request)
    The problem has been solved in time so no certificates are involved.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    The monitoring controls have been implemented and no certificates are involved.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    No certificates involved.

  6. Explanation about how and why the mistakes were made or bugs introduced, and how they avoided detection until now.
    Topic #1 (validation and the approval of the certificate request)
    Only when using the Internet Explorer browser, the technical control that prevents a validator from approving the request for issuing the same certificate was not applied.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    The monitorization procedures of the status of the QSCD certification were not documented at that moment.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    The adherence to the EVCGs was only expressly indicated in the particular CP. As regards the EV test websites, at that moment we were updating the EV profiles to the latest version of the EV guidelines (removal of the OrganizationIdentifier field).

  7. List of steps your CA is taking to resolve the situation and ensure such issuance will not be repeated in the future, accompanied with a timeline of when your CA expects to accomplish these things.
    Topic #1 (validation and the approval of the certificate request)
    The bug in the app code has already been fixed and the correct functioning of the tool has been verified for all supported browsers. Evidence was already forwarded to the audit team within the corrective action plan.
    Topic #4 (monitorization procedures of the status of the QSCD certification)
    The monitorization procedures of the status of the QSCD certification results have been integrated in the agenda of the ordinary (quarterly) calls of the TSP Management Committee.
    Topic #7 (adherence to the EVCGs requirements in the general CPS)
    A new and updated version of the general CPS (v5.4 – 05/03/2019) has been published in order to resolve this problem. EV test websites were made available on July 11th.

  8. As regards the timeout error within the revocation check, I’m afraid we are not able to reproduce it...
    Kathleen, could you please send us further details?

(In reply to alain from comment #7)

Kathleen,

>   1. Please find herewith incident report for the following findings referred to audit report https://www.aenor.com/Certificacion_Documentos/eiDas/2019%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019%200003%20-%20FNMT-v2.2.pdf.
>     (Please be aware that some of the findings have been already reported to bug 1544586 and bug 1495507)

Thanks

>   8. As regards the timeout error within the revocation check, I’m afraid we are not able to reproduce it...
>     Kathleen, could you please send us further details?

The timeout has gone away.
I will note the warning:
"http://ocspfnmtss1.cert.fnmt.es/ocspss1/OcspResponder (UNKNOWN)
Certificate status is 'Revoked' expecting 'Unknown' "
But I don't think that's an actual violation...
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#OCSP

  • OCSP Responders SHALL NOT respond “Good” for Unissued Certificates. (section 4.9.10)

The information for this root inclusion request is available at the following URL.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418

This root inclusion request is ready for the Detailed CP/CPS Review phase, step 3 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
so assigning this bug to Wayne.

There is a queue waiting for detailed CP/CPS reviews:
https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review

It takes significant time and concentration to do a detailed CP/CPS review, so please be patient. In the meantime, I recommend looking at the results of the detailed CP/CPS reviews that have been previously completed.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

Assignee: kwilson → wthayer
Whiteboard: [ca-verifying] - KW 2019-09-16 - Comment #6 → [ca-cps-review] - KW 2019-09-17

On 30/03/2019 we received the audit reports for the period from January 13, 2019 until January 12, 2020. We are working on the incident report for the findings which will be attached to this bug asap.
Please find herewith links to annual audit report and to our updated CPS:

ETSI EN 319 411-2 (AC SERVIDORES SEGUROS TIPO 1)
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v0.1%20-%20rev4.pdf

ETSI EN 319 411-1 (AC SERVIDORES SEGUROS TIPO 2)
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v0.1%20-%20rev4.pdf

UPDATED GENERAL CPS
https://www.sede.fnmt.gob.es/documents/10445900/10536309/dgpc_english.pdf

UPDATED CPS AC SERVIDORES SEGUROS
https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf

(In reply to Brox from comment #10)

> On 30/03/2019 we received the audit reports for the period from January 13, 2019 until January 12, 2020. We are working on the incident report for the findings which will be attached to this bug asap.

I have filed Bug #1626805 for the minor non-conformities that are listed in the 2020 audit statement. Please provide the incident in that bug.
