Open Bug 1579454 Opened 2 years ago Updated 3 months ago

Enable EV Treatment for included root NetLock Arany (Class Gold) Főtanúsítvány

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: varga.viktor, Assigned: bwilson)

Details

(Whiteboard: [ca-cps-review] - BW 2020-12-10 Comment #9)

Attachments (4 files)

33.46 KB, application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
20.05 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
475.77 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
490.78 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36

Steps to reproduce:

Dear Program Managers,
I would like to send my request to enable EV treatment for the already included root NetLock Arany (Class Gold) Főtanúsítvány.

The CCADB link:
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000488

I have also attached the BR Self-Assessment.
Yours, Viktor Varga, POC of NETLOCK

Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true

Acknowledging receipt of this request. However, I am currently about 2 months behind in reviewing CA updates to root inclusion/change requests. I will add another comment to the bug when I review this request.

Type: enhancement → task

NON EIDAS
CP https://netlock.hu/download/sp-noneidascert_en/?wpdmdl=53945
CPS https://netlock.hu/download/sps-noneidascert_en/?wpdmdl=53957

NONQUALIFIED
CP https://netlock.hu/download/tsp-nonqualcert_en/?wpdmdl=53944
CPS https://netlock.hu/download/tsps-nonqualcert_en/?wpdmdl=53940

QUALIFIED
CP https://netlock.hu/download/tsp-qualcert_en/?wpdmdl=53937
CPS https://netlock.hu/download/tsps-qualcert_en/?wpdmdl=53939

Viktor, it appears that the 'NON EIDAS' CP/CPS pertain to DV SSL. Is it reasonable to think of the 'NONQUALIFIED' CP/CPS as pertaining to OV SSL, and the 'QUALIFIED' CP/CPS as pertaining to EV SSL?

Not exactly.
NON-EIDAS is DV and QUALIFIED is EV; these are right,
but NON-QUALIFIED includes OV and EV too.

The link below shows the CA information that has been verified. Search in the page for the word "NEED" to see where further clarification is requested.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000488

In particular please provide:

  1. Updated CP/CPS documents
  2. Updated audit statements

  3. Resolve and explain all errors listed here:
    https://crt.sh/?caid=173&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01
    https://crt.sh/?caid=677&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01
    https://crt.sh/?caid=34169&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01

Whiteboard: [ca-verifying] - KW 2019-10-10 - Comment #4
  1. Updated CP/CPS documents
    Provide more detail in CPS about domain verification, as per
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Domain_Name_Ownership
    https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Non-Standard_Email_Address_Prefixes_for_Domain_Ownership_Validation
    Make sure the CP/CPS are very clear that domain validation happens for test certs as well.
    Make sure the CPS is very clear about what validation external CAs and external RAs are allowed to do, especially in regards to domain validation.

Our new CP/CPSs are ready and published in Hungarian, and they include the requested parts.
The translation will be finished in 2 weeks. I will update you with the links as soon as possible.

  2. Updated audit statements

We will update as soon as possible. Our audit is in progress; the estimated close of the audit is 10-28.

  3. Resolve and explain all errors listed.

The links list 47 errors and warnings.
The other 14 errors or warnings were repaired earlier.
I attached a Word document with the details.

The translations were finally finished. (I will also update the CCADB soon.)

  1. Updated CPs and CPSes
    For detailed BRG validations and validation of test SSLs please look at Section 3.2.5 in the CPSes.
    For the external RA/CA question please look for the Registration Administrator point in the 1.6.1 Definitions.
    It explicitly states that for server (SSL) certificates external entities are not used.

Qualified
CP
https://netlock.hu/download/sp-qc-en-draft/?wpdmdl=59471
CPS
https://netlock.hu/download/sps-qc-en-draft/?wpdmdl=59472

Non-qualified
CP
https://netlock.hu/download/sp-nqc-en/?wpdmdl=53944
CPS
https://netlock.hu/download/sps-nqc-en/?wpdmdl=53940

Non-eidas
CP
https://netlock.hu/download/sp-c-en/?wpdmdl=53945
CPS
https://netlock.hu/download/sps-c-en/?wpdmdl=53957

  2. Updated audit statements

Certification report:
https://netlock.hu/download/cert-root-programs-en/?wpdmdl=59475

Please drop a message if something is wrong; they were made by a translator.

Flags: needinfo?(kwilson)

The information for this EV enablement request is available at the following URL.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000488

This EV enablement request is ready for the Detailed CP/CPS Review phase, step 3 of
https://wiki.mozilla.org/CA/Application_Process#Process_Overview
so assigning this bug to Wayne.

There is a queue waiting for detailed CP/CPS reviews:
https://wiki.mozilla.org/CA/Dashboard#Detailed_CP.2FCPS_Review

It takes significant time and concentration to do a detailed CP/CPS review, so please be patient. In the meantime, I recommend looking at the results of the detailed CP/CPS reviews that have been previously completed.
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

Assignee: kwilson → wthayer
Flags: needinfo?(kwilson)
Whiteboard: [ca-verifying] - KW 2019-10-10 - Comment #4 → [ca-cps-review] - KW 2019-11-14
Assignee: wthayer → bwilson

Hi Viktor,

This review is based on version 1.7.4 of the EV Guidelines. Let's discuss.

Netlock’s Service Practice Statement for Qualified Certificate Services (v. 20200901) and Service Practice Statement for Non Qualified Certificate Services (v. 20200901) - Downloaded from https://netlock.hu/szabalyzatok-regulations/

Section 8.1 - the CA shall notify the CAB Forum if a provision of the EV Guidelines is illegal under local government laws. - Meh

      Language not found.

Sections 8.2.1, 8.2.2, and Mozilla Root Store Policy - the CA must publicly disclose its business practices and update its CP/CPS on at least an annual basis (and re-versions the CP/CPS, even if there are no other changes). The CP/CPS must be formatted according to RFC 3647. -

      I could not find language about publishing the CP/CPS annually, even if there are no other updates. - Discuss/Fix

Section 8.3 - the CA shall have a statement that it conforms to the current version of the EV guidelines and that in the event of any inconsistency, the EV guidelines take precedence. - Good

      Found in section 1.1.1 in each of the CPSes.

Section 8.4 - the CA shall maintain liability insurance of US$2 million and professional liability insurance of US$5 million. - Good

      Found in section 9.2.1 in each of the CPSes.

Section 9.2.1 - the organization name must include the full legal name for the subscribing organization as listed in official records. - Meh

      Generally found in section 3.2.2.a. in each of the CPSes. Could be improved.

Sections 9.2.3, 11.2.1 and 11.2.2 – The CA must verify the Applicant’s legal existence and identity directly with the incorporating agency or registration agency and the business category field must contain one of the following: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" - Discuss/Fix

      Business Category fields only appear in section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles”. No information is provided as to how each of these is determined.

Section 9.2.4 - jurisdiction of incorporation/registration fields must not contain information that is not relevant to the level of the incorporating agency or registration agency. - Meh

      Section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles” says “The jurisdictionLocalityName and jurisdictionStateOrProvinceName fields also have to be filled out if they are applicable.” Could be improved.

Sections 9.2.4, 9.2.5, and 11.1.3 – the CA shall maintain a publicly available list of its verification sources, incorporating agencies, and registration agencies (e.g. QIISes, QGISes, QGTISes). Information about where this information can be located must appear in section 3.2 of the CPS. - Discuss/Fix

      This information is partially listed in section 3.2 of the CPS, but the requirement is that they be separately maintained lists and that section 3.2 point to where they are located.

Sections 9.2.5 and 11.2.1 - subject registration number: if the jurisdiction of incorporation or registration does not provide a registration number, then the date of incorporation or registration is entered in this field. - Meh

      This language about the registration number was not found in either CPS.

Section 9.2.6 - subject physical address of place of business must contain the address of the physical location of the business. - Discuss/Fix

      The “streetAdress” field is listed in Subject fields for “EV website authentication certificate profiles”. However, it is unclear how this information is verified / validated.

Section 9.2.7 - the CA shall implement a process that prevents an organizational unit from including a trade name unless the CA has verified that information. - Good

      CPS states, “The Subscriber has to certify its existence in order to be included in the certificate.” It also states, “The veracity of the organizational unit of the Subscriber to be indicated in the certificate (Subject/organizationalUnitName) shall be supported by the declaration of the Subscriber regarding the existence of the organizational unit.” And, “Authenticity of the organization unit displayed in the certificate is ensured by the statement of the Subscriber in the Service Agreement – in case the verification options above are not available.”

Sections 9.2.8, 9.8.2, and Appendix H – if included in the certificate, the CA shall confirm registration references for legal entities. - Meh

      Sections 3.1, 3.1.2, and 3.2.2.a. of the CPSes purportedly set forth how Netlock meets this requirement.

Section 9.2.9 - the CA shall not include any subject attributes except as specified in section 9.2 of the EV Guidelines. - Meh/Discuss/Fix

      Other than the certificate profile for EV certificates, it is unclear how Netlock meets this requirement.

Sections 9.3.2 and 9.3.5 - subscriber certificates shall contain the appropriate EV policy OIDs. - Discuss/Fix

      The certificate profiles in section 7.1 do not have a row for the certificate policy OIDs. The CPSes list the EVCP policy OID of 0.4.0.2042.1.4. (For what it’s worth, the CABF EV Policy OID is 2.23.140.1.1.)

Section 9.4 - the validity period for an EV certificate shall not exceed 398 days. - Good

      Section 6.3.2 of the CPSes states that the validity period of an EV website authentication certificate is a maximum of 1 year.

Section 9.8.1 - wildcard certificates are not allowed. - Good

      The EV certificate profiles in the CPSes state that DNSnames cannot contain wildcards in the Subject Alternative Name. (And that for commonNames, “If the field is present, it can contain one domain name from among those included in the SAN/dNSName”.)

Section 10.1.2 - the roles of certificate requestor, certificate approver, and contract signer are required for the issuance of EV certificates. Discuss/Fix

      These roles are not found described in the CPSes.

Section 11.2.2(4) - principal individuals must be validated in a face-to-face setting. Discuss/Fix

      It is unclear for Business Entities whether the principal individual (natural person) must personally appear as part of the certificate application process.

Section 11.3.1 - assumed names must be verified with an appropriate government agency or a QIIS that has verified the assumed name with the appropriate government agency. - Good

      The certificate profile describes that for the “O” field (organizationName), “Certified DBA name, after which the organisation name is indicated in parentheses.” Section 3.2.2.c. states, “If the Applicant requests that a name or identifier of an asset, system, or product, a DBA / Trademark, or other unique name is indicated as the Subject of the certificate (independently or with a natural or legal person), the Service Provider shall ascertain that the Client is in rightful possession of the name and identifier and that these are not misleading. The check has to be based on an official document, reliable data source, or discussions with the official body that manages the identifier, if any are available.”

Section 11.5.1 - the CA must establish a verified method of communication with the applicant. - Meh/Discuss/Fix

      Section 9.11 discusses how Netlock communicates with the applicant, and section 3.2 discusses how Netlock performs initial identity validation, but the CPS does not say how the endpoints of communications are initially established as trustworthy with the true organization or individual (natural person) and not a fraudster. For example, does it look up a phone number from a trusted source and independently contact the organization/natural person without using unverified self-provided information from the applicant?

Section 11.6.1 - the CA must verify that the applicant has the ability to engage in business. The EV issuance process requires that the operational existence be established in one of 4 ways: “(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; (2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; (3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or (4) Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.”

      Language to this effect was not found in the CPSes. Discuss/Fix

Section 11.7.1 - domain name verification must use a procedure from section 3.2.2.4 of the Baseline Requirements (BR) - Good

      Provisions of BR section 3.2.2.4 are included in section 3.2.5 of the CPSes.

Section 11.8.1 - the CA must verify the name and title of the contract signer and certificate approver - Discuss

      The CPSes did not outline the roles of the contract signer and certificate approver.

Section 11.9 - the CA must verify the signature on the subscriber agreement and certificate request - Discuss

      The CPSes did not outline the roles of the contract signer and certificate requester.

Section 11.11.5 - the CA shall use documented processes to check the accuracy of a QIIS. - Meh

      The term “QIIS” or “Qualified Independent Information Source” was not used in the CPSes. However, section 3.2 states, “Before the Service Provider starts using any data source as a reliable data source or database, it shall be evaluated as regards reliability, accuracy, and resistance to change and falsification. During the evaluation, the Service Provider takes the following into account: 1. The date of the provided information, 2. The frequency of updates to the information source, 3. The purpose of the data provider and data collection, 4. The public accessibility of the data, 5. The relative difficulty of falsifying or changing the data.”

Section 11.12.2 - the CA must check whether the applicant, contract signer, or certificate approver is on denied persons lists, etc. Discuss/Fix

      Language about checking databases as to whether the applicant should be denied an EV certificate because it is a terrorist, money launderer, etc., is absent from the CPSes.

Sections 11.13, 14.1.3 and 16 - the CA must perform final cross-correlation and other due diligence based on the entire corpus of information and have multi-person, auditable controls to ensure separation of duties with respect to EV certificate issuance - Fix

      Language about final checking of the certificate application and a two-person certificate approval process for EV were missing from the CPSes.

Section 11.14.3 - validation data cannot be reused after 13 months - Good

      The CPSes state in section 3.3, “In case of applications for the management of website authentication certificates (QCP-w and EVCP), Service Provider shall repeat the verification of the data and the identification at least in every 13 months” and “In case of applications for the management of website authentication certificates (IVCP, OVCP and EVCP), Service Provider shall repeat the verification of the data and the identification at least in every 13 months.”

Section 12 - root CA private keys must not be used to sign EV certificates. - Good

      Section 6.1.7.a. of the CPSes adequately addresses this requirement.

Section 14.1.1 - a CA must verify the identity and trustworthiness of anyone involved in EV processes. - Good

      This is adequately addressed in section 5.3 of the CPSes.

Section 14.1.2 – the internal examination of specialists must include the EV certificate validation criteria of the EV guidelines.

      Section 5.3.1 of the CPS states, “Following their appointment, Validation Specialists participate in basic training that provides them with the theoretical and practical knowledge required for their position; they are to take an exam at the end of the training. The main purpose of this form of training is to become familiar with and understand the uniform security policy applicable to the service in the interest of correctly applying the current procedures based on those. The Personnel Policy contains more information.” Section 5.3.3 also addresses training requirements. These should mention something about the EV Guidelines’ validation requirements. - Discuss/Fix

Section 14.2.1 - the CA shall ensure that third-party personnel satisfy the training and skills requirements of section 14 of the EV guidelines. - Meh

      Section 5.3.7 states, “The same security rules apply to any contractors used by the Service Provider in other than employment relationships as to its employees.” However, this section 14.2.1 of the EV Guidelines seems to place this obligation on External RAs, if Netlock has any.

Whiteboard: [ca-cps-review] - KW 2019-11-14 → [ca-cps-review] - BW 2020-12-10 Comment #9
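Several of the review items above are checkable mechanically on the issued certificate rather than only in the CPS text: the EV policy OID (sections 9.3.2 and 9.3.5), the 398-day validity cap (9.4), the wildcard prohibition in SAN dNSNames (9.8.1) and the rule that root keys do not sign EV certificates (section 12). This is also the kind of check the crt.sh lint links earlier in the bug (cablint, zlint, x509lint) run across a CA's whole issuance. The program below is an added example written for this page; it is not code from the bug, from Mozilla's root program tooling or from NetLock, and it is a small illustrative linter, not a replacement for zlint. It uses only the Go standard library, builds a constructed root -> issuing CA -> leaf hierarchy with placeholder names, and runs the four checks over a compliant leaf and a non-compliant one. The ETSI EVCP OID 0.4.0.2042.1.4 and the CABF EV OID 2.23.140.1.1 are the two OIDs named in the review; the sample names, serials and dates are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// OIDs named in the review: the CABF EV policy OID and the ETSI EVCP OID the CPS lists.
var oidCABFEV = asn1.ObjectIdentifier{2, 23, 140, 1, 1}
var oidETSIEVCP = asn1.ObjectIdentifier{0, 4, 0, 2042, 1, 4}

const maxEVValidityDays = 398 // EV Guidelines section 9.4
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// CheckEVProfile lints a leaf against the review's profile points; issuer signed it (nil if unknown).
func CheckEVProfile(leaf, issuer *x509.Certificate) []string {
	var findings []string
	hasEV := false
	for _, p := range leaf.PolicyIdentifiers { // 9.3.2 / 9.3.5: the CABF EV OID must be asserted
		hasEV = hasEV || p.Equal(oidCABFEV)
	}
	if !hasEV {
		findings = append(findings, "9.3.2: CABF EV policy OID 2.23.140.1.1 not asserted")
	}
	if days := int(leaf.NotAfter.Sub(leaf.NotBefore).Hours() / 24); days > maxEVValidityDays {
		findings = append(findings, fmt.Sprintf("9.4: validity of %d days exceeds %d", days, maxEVValidityDays))
	}
	for _, n := range leaf.DNSNames { // 9.8.1: no wildcards in SAN dNSNames
		if strings.Contains(n, "*") {
			findings = append(findings, "9.8.1: wildcard dNSName "+n)
		}
	}
	if issuer != nil && bytes.Equal(issuer.RawSubject, issuer.RawIssuer) { // section 12
		findings = append(findings, "12: leaf signed directly by a self-signed root")
	}
	return findings
}

// policiesExt hand-encodes certificatePolicies (SEQUENCE OF PolicyInformation), independent of Go version.
func policiesExt(oids ...asn1.ObjectIdentifier) pkix.Extension {
	type policyInformation struct{ Policy asn1.ObjectIdentifier }
	var pis []policyInformation
	for _, o := range oids {
		pis = append(pis, policyInformation{o})
	}
	der, err := asn1.Marshal(pis)
	must(err)
	return pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: der} // id-ce-certificatePolicies
}

// mkCert signs tmpl with parentKey (self-signed when parent is nil) and parses the DER back.
func mkCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// DemoFindings builds a constructed root -> issuing CA -> leaf hierarchy (placeholder names, assumed
// dates) and returns the findings for a compliant leaf and for a non-compliant one.
func DemoFindings() (good, bad []string) {
	nb := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	ca := func(serial int64, cn string, years int) *x509.Certificate {
		return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
			NotBefore: nb, NotAfter: nb.AddDate(years, 0, 0)}
	}
	root, rootKey := mkCert(ca(1, "Example Root CA (constructed)", 20), nil, nil)
	sub, subKey := mkCert(ca(2, "Example EV Issuing CA (constructed)", 10), root, rootKey)
	// Compliant: issued by the sub-CA, one year, both policy OIDs, no wildcard.
	goodLeaf, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(3),
		Subject:  pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Kft. (constructed)"}},
		DNSNames: []string{"www.example.com", "example.com"}, NotBefore: nb, NotAfter: nb.AddDate(1, 0, 0),
		ExtraExtensions: []pkix.Extension{policiesExt(oidCABFEV, oidETSIEVCP)}}, sub, subKey)
	// Non-compliant: signed by the root itself, two years, ETSI OID only, wildcard SAN.
	badLeaf, _ := mkCert(&x509.Certificate{SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "example.com"},
		DNSNames: []string{"*.example.com"}, NotBefore: nb, NotAfter: nb.AddDate(2, 0, 0),
		ExtraExtensions: []pkix.Extension{policiesExt(oidETSIEVCP)}}, root, rootKey)
	return CheckEVProfile(goodLeaf, sub), CheckEVProfile(badLeaf, root)
}

func main() { fmt.Println(DemoFindings()) }
```

Running it prints an empty finding list for the compliant leaf and four findings for the other: the missing CABF OID (the ETSI EVCP OID alone does not satisfy 9.3.2, which is the point of the review item), a 730-day validity, the wildcard name and the root-signed issuance. The certificatePolicies extension is DER-encoded by hand so the demonstration behaves the same whichever of Go's `PolicyIdentifiers` or `Policies` fields the installed version marshals; on real input, replace `mkCert` with `x509.ParseCertificate` over the leaf and its issuer.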

Dear Ben,

I checked every non-good item, and here are the answers. I will also add early drafts with track changes, to confirm they fulfil the needs.


Section 8.1 - the CA shall notify the CAB Forum if a provision of the EV Guidelines is illegal under local government laws. - Meh
Language not found.

  • There are no clashing rules. Explicitly not displayed yet. Will be updated in the next version of CPS.

Sections 8.2.1, 8.2.2, and Mozilla Root Store Policy - the CA must publicly disclose its business practices and update its CP/CPS on at least an annual basis (and re-versions the CP/CPS, even if there are no other changes). The CP/CPS must be formatted according to RFC 3647. -
I could not find language about publishing the CP/CPS annually, even if there are no other updates. - Discuss/Fix

  • Included in:
    ** NQC: section 2.2 paragraph 2
    ** QC: section 2.2 (earlier 2.5 paragraph 2, misnumbering was corrected)
    "The Policy Adopting Unit of Service Provider shall revise the Practice Statement and the Certificate Polcy at least once in every year and shall modify them if necessary (see Chapter 9.12)."

Section 9.2.1 - the organization name must include the full legal name for the subscribing organization as listed in official records. - Meh
Generally found in section 3.2.2.a. in each of the CPSes. Could be improved.

  • Also included in the Section 3.1 Naming (tables) and in the Section 7.1 Certificate profiles EV/qualified SSL table.

Sections 9.2.3, 11.2.1 and 11.2.2 – The CA must verify the Applicant’s legal existence and identity directly with the incorporating agency or registration agency and the business category field must contain one of the following: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" - Discuss/Fix
Business Category fields only appear in section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles”. No information is provided as to how each of these is determined.

  • It's included in the internal document about detailed validation. Will be improved in the next version of CPS.

Section 9.2.4 - jurisdiction of incorporation/registration fields must not contain information that is not relevant to the level of the incorporating agency or registration agency. - Meh
Section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles” says “The jurisdictionLocalityName and jurisdictionStateOrProvinceName fields also have to be filled out if they are applicable.” Could be improved.

  • Will be improved in the next version of CPS.

Sections 9.2.4, 9.2.5, and 11.1.3 – the CA shall maintain a publicly available list of its verification sources, incorporating agencies, and registration agencies (e.g. QIISes, QGISes, QGTISes). Information about where this information can be located must appear in section 3.2 of the CPS. - Discuss/Fix
This information is partially listed in section 3.2 of the CPS, but the requirement is that they be separately maintained lists and that section 3.2 point to where they are located.

  • 3.2.2 a paragraph 3 references this document, it is published on the webpage. Direct link will be added in the next version of CPS.

Sections 9.2.5 and 11.2.1 - subject registration number: if the jurisdiction of incorporation or registration does not provide a registration number, then the date of incorporation or registration is entered in this field. - Meh
This language about the registration number was not found in either CPS.

  • It's included in the internal document about detailed validation. Will be detailed in the next version of CPS.

Section 9.2.6 - subject physical address of place of business must contain the address of the physical location of the business. - Discuss/Fix
The “streetAdress” field is listed in Subject fields for “EV website authentication certificate profiles”. However, it is unclear how this information is verified / validated.

  • 3.2.2.a paragraph 8
    "Service Provider shall verify the other data of the non natural person to be indicated in the certificate like abovea on the basis of other reliable data source,... "

Sections 9.2.8, 9.8.2, and Appendix H – if included in the certificate, the CA shall confirm registration references for legal entities. - Meh
Sections 3.1, 3.1.2, and 3.2.2.a. of the CPSes purportedly set forth how Netlock meets this requirement.

  • Set as Meh, but looks OK. Can you recommend some change?

Section 9.2.9 - the CA shall not include any subject attributes except as specified in section 9.2 of the EV Guidelines. - Meh/Discuss/Fix
Other than the certificate profile for EV certificates, it is unclear how Netlock meets this requirement.

  • The profile sets the usable subject fields and extensions. Should we add some explicit prohibit lines?

Sections 9.3.2 and 9.3.5 - subscriber certificates shall contain the appropriate EV policy OIDs. - Discuss/Fix
The certificate profiles in section 7.1 do not have a row for the certificate policy OIDs. The CPSes list the EVCP policy OID of 0.4.0.2042.1.4. (For what it’s worth, the CABF EV Policy OID is 2.23.140.1.1.)

  • In the Section 9.15 the OID is included and marked as EVCP. In the Section 1.2.1 c. the tables last 2 lines includes the EVCP too. Also the Section 1.2.1 paragraph 1 references the Section 1.2.1 of the CP, which includes this OID too. Should we add the OID column to the tables of Section 1.2.1 of the CPS?

Section 10.1.2 - the roles of certificate requestor, certificate approver, and contract signer are required for the issuance of EV certificates. Discuss/Fix
These roles are not found described in the CPSes.

  • By default only an authorized agent (owner, registered agent) can request, sign and approve EV SSL requests. It is possible to delegate these rights (all of them) to an employer to act on behalf of the organization with a written authorization for these three roles.
    So there is not so much difference. Will be detailed in the next version of CPS; 1.6.1 Definitions will include 3 more rows for clarification.

Section 11.2.2(4) - principal individuals must be validated in a face-to-face setting. Discuss/Fix
It is unclear for Business Entities whether the principal individual (natural person) must personally appear as part of the certificate application process.

EV: in the CPS, section 3.2.3.a paragraph 2 says:
"In the case of the application for an EV website authentication certificate, Service Provider shall check the identity of the Applicant by any of the methods set out in point i, together with the data verification method set out in point iv.
i. Authentication based on appearance (or equivalent method) [...]"
