This review is based on version 1.7.4 of the EV Guidelines. Let's discuss.
Netlock’s Service Practice Statement for Qualified Certificate Services (v. 20200901) and Service Practice Statement for Non Qualified Certificate Services (v. 20200901) - Downloaded from https://netlock.hu/szabalyzatok-regulations/
Section 8.1 - the CA shall notify the CAB Forum if a provision of the EV Guidelines is illegal under local government laws. - Meh
Language not found.
Sections 8.2.1, 8.2.2, and Mozilla Root Store Policy - the CA must publicly disclose its business practices and update its CP/CPS on at least an annual basis (and re-versions the CP/CPS, even if there are no other changes). The CP/CPS must be formatted according to RFC 3647. -
I could not find language about publishing the CP/CPS annually, even if there are no other updates. - Discuss/Fix
Section 8.3 - the CA shall have a statement that it conforms to the current version of the EV guidelines and that in the event of any inconsistency, the EV guidelines take precedence. - Good
Found in section 1.1.1 in each of the CPSes.
Section 8.4 - the CA shall maintain liability insurance of US$2 million and professional liability insurance of US$5 million. - Good
Found in section 9.2.1 in each of the CPSes.
Section 9.2.1 - the organization name must include the full legal name for the subscribing organization as listed in official records. - Meh
Generally found in section 3.2.2.a. in each of the CPSes. Could be improved.
Sections 9.2.3, 11.2.1 and 11.2.2 – The CA must verify the Applicant’s legal existence and identity directly with the incorporating agency or registration agency and the business category field must contain one of the following: "Private Organization", "Government Entity", "Business Entity", or "Non-Commercial Entity" - Discuss/Fix
Business Category fields only appear in section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles”. No information is provided as to how each of these is determined.
Section 9.2.4 - jurisdiction of incorporation/registration fields must not contain information that is not relevant to the level of the incorporating agency or registration agency. - Meh
Section 7.1 of the CPS under Certificate Profile under “Subject fields for EV website authentication certificate profiles” says “The jurisdictionLocalityName and jurisdictionStateOrProvinceName fields also have to be filled out if they are applicable.” Could be improved.
Sections 9.2.4, 9.2.5, and 11.1.3 – the CA shall maintain a publicly available list of its verification sources, incorporating agencies, and registration agencies (e.g. QIISes, QGISes, QGTISes). Information about where this information can be located must appear in section 3.2 of the CPS. - Discuss/Fix
This information is partially listed in section 3.2 of the CPS, but the requirement is that they be separately maintained lists and that section 3.2 point to where they are located.
Sections 9.2.5 and 11.2.1 - subject registration number: if the jurisdiction of incorporation or registration does not provide a registration number, then the date of incorporation or registration is entered in this field. - Meh
This language about the registration number was not found in either CPS.
Section 9.2.6 - subject physical address of place of business must contain the address of the physical location of the business. - Discuss/Fix
The “streetAddress” field is listed in Subject fields for “EV website authentication certificate profiles”. However, it is unclear how this information is verified or validated.
Section 9.2.7 - the CA shall implement a process that prevents an organizational unit from including a trade name unless the CA has verified that information. - Good
CPS states, “The Subscriber has to certify its existence in order to be included in the certificate.” It also states, “The veracity of the organizational unit of the Subscriber to be indicated in the certificate (Subject/organizationalUnitName) shall be supported by the declaration of the Subscriber regarding the existence of the organizational unit.” And, “Authenticity of the organization unit displayed in the certificate is ensured by the statement of the Subscriber in the Service Agreement – in case the verification options above are not available.”
Sections 9.2.8, 9.8.2, and Appendix H – if included in the certificate, the CA shall confirm registration references for legal entities. - Meh
Sections 3.1, 3.1.2, and 3.2.2.a. of the CPSes purportedly set forth how Netlock meets this requirement.
Section 9.2.9 - the CA shall not include any subject attributes except as specified in section 9.2 of the EV Guidelines. - Meh/Discuss/Fix
Other than the certificate profile for EV certificates, it is unclear how Netlock meets this requirement.
Sections 9.3.2 and 9.3.5 - subscriber certificates shall contain the appropriate EV policy OIDs. - Discuss/Fix
The certificate profiles in section 7.1 do not have a row for the certificate policy OIDs. The CPSes list the EVCP policy OID of 0.4.0.2042.1.4. (For what it’s worth, the CABF EV Policy OID is 2.23.140.1.1.)
Section 9.4 - the validity period for an EV certificate shall not exceed 398 days. - Good
Section 6.3.2 of the CPSes states that the validity period of an EV website authentication certificate is a maximum of 1 year.
Section 9.8.1 - wildcard certificates are not allowed. - Good
The EV certificate profiles in the CPSes state that dNSNames cannot contain wildcards in the Subject Alternative Name. (And that for commonNames, “If the field is present, it can contain one domain name from among those included in the SAN/dNSName”.)
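As an added illustration (not code from the review or from Netlock’s CPS), the certificate-profile rules discussed in the items above (policy OID, 398-day validity, no wildcards, businessCategory, serialNumber) can be checked mechanically on an issued certificate. The Go block below uses only the standard library; the self-signed sample certificate it builds is constructed here and deliberately breaks two of the rules.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"slices"
	"time"
)
var (
	oidCABFEV      = asn1.ObjectIdentifier{2, 23, 140, 1, 1} // CABF EV policy OID required by EVG 9.3
	oidBizCategory = asn1.ObjectIdentifier{2, 5, 4, 15}      // subject businessCategory attribute, EVG 9.2.3
	evCategories   = map[string]bool{"Private Organization": true, "Government Entity": true, "Business Entity": true, "Non-Commercial Entity": true}
)
// CheckEVProfile returns one finding per EV profile rule (EVG 9.2, 9.3, 9.4, 9.8.1) that the certificate violates.
func CheckEVProfile(c *x509.Certificate) (findings []string) {
	note := func(bad bool, msg string) {
		if bad {
			findings = append(findings, msg)
		}
	}
	category := "" // Go has no struct field for businessCategory, so look it up in the raw attribute list
	if i := slices.IndexFunc(c.Subject.Names, func(n pkix.AttributeTypeAndValue) bool { return n.Type.Equal(oidBizCategory) }); i >= 0 {
		category, _ = c.Subject.Names[i].Value.(string)
	}
	note(!slices.ContainsFunc(c.PolicyIdentifiers, oidCABFEV.Equal), "missing CABF EV policy OID 2.23.140.1.1")
	note(c.NotAfter.Sub(c.NotBefore) > 398*24*time.Hour, "validity period exceeds 398 days")
	for _, d := range c.DNSNames {
		note(len(d) > 0 && d[0] == '*', "wildcard dNSName not allowed: "+d)
	}
	note(!evCategories[category], "businessCategory missing or not one of the four EV values")
	note(c.Subject.SerialNumber == "", "serialNumber (registration number or date) missing")
	return findings
}
// BuildSample is a constructed self-signed test certificate (not a real Netlock certificate) that carries the EV policy OID but deliberately has a two-year validity period and a wildcard SAN.
func BuildSample() (*x509.Certificate, error) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	policies, _ := asn1.Marshal([]struct{ ID asn1.ObjectIdentifier }{{oidCABFEV}}) // certificatePolicies value
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().AddDate(2, 0, 0),
		Subject: pkix.Name{CommonName: "www.example.com", Organization: []string{"Example Kft."}, Country: []string{"HU"},
			SerialNumber: "01-10-000000", ExtraNames: []pkix.AttributeTypeAndValue{{Type: oidBizCategory, Value: "Private Organization"}}},
		DNSNames:        []string{"www.example.com", "*.example.com"},
		ExtraExtensions: []pkix.Extension{{Id: asn1.ObjectIdentifier{2, 5, 29, 32}, Value: policies}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	return x509.ParseCertificate(der)
}
```

Running CheckEVProfile on the sample reports exactly the validity and wildcard violations; a production checker would be pointed at the CA’s issued EV certificates (e.g. from CT logs) rather than a constructed one.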
Section 10.1.2 - the roles of certificate requester, certificate approver, and contract signer are required for the issuance of EV certificates. - Discuss/Fix
These roles are not described in the CPSes.
Section 11.2.2(4) - principal individuals must be validated in a face-to-face setting. - Discuss/Fix
It is unclear for Business Entities whether the principal individual (natural person) must personally appear as part of the certificate application process.
Section 11.3.1 - assumed names must be verified with an appropriate government agency or a QIIS that has verified the assumed name with the appropriate government agency. - Good
The certificate profile describes that for the “O” field (organizationName), “Certified DBA name, after which the organisation name is indicated in parentheses.” Section 3.2.2.c. states, “If the Applicant requests that a name or identifier of an asset, system, or product, a DBA / Trademark, or other unique name is indicated as the Subject of the certificate (independently or with a natural or legal person), the Service Provider shall ascertain that the Client is in rightful possession of the name and identifier and that these are not misleading. The check has to be based on an official document, reliable data source, or discussions with the official body that manages the identifier, if any are available.”
Section 11.5.1 - the CA must establish a verified method of communication with the applicant. - Meh/Discuss/Fix
Section 9.11 discusses how Netlock communicates with the applicant, and section 3.2 discusses how Netlock performs initial identity validation, but the CPS does not say how the endpoints of communication are initially established as belonging to the true organization or individual (natural person) and not a fraudster. For example, does it look up a phone number from a trusted source and independently contact the organization/natural person without using unverified self-provided information from the applicant?
Section 11.6.1 - the CA must verify that the applicant has the ability to engage in business. The EV issuance process requires that the operational existence be established in one of 4 ways: “(1) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has been in existence for at least three years, as indicated by the records of an Incorporating Agency or Registration Agency; (2) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company is listed in either a current QIIS or QTIS; (3) Verifying that the Applicant, Affiliate, Parent Company, or Subsidiary Company has an active current Demand Deposit Account with a Regulated Financial Institution by receiving authenticated documentation of the Applicant's, Affiliate's, Parent Company's, or Subsidiary Company's Demand Deposit Account directly from a Regulated Financial Institution; or (4) Relying on a Verified Professional Letter to the effect that the Applicant has an active current Demand Deposit Account with a Regulated Financial Institution.”
Language to this effect was not found in the CPSes. Discuss/Fix
Section 11.7.1 - domain name verification must use a procedure from section 3.2.2.4 of the Baseline Requirements (BR) - Good
Provisions of BR section 3.2.2.4 are included in section 3.2.5 of the CPSes.
Section 11.8.1 - the CA must verify the name and title of the contract signer and certificate approver - Discuss
The CPSes did not outline the roles of the contract signer and certificate approver.
Section 11.9 - the CA must verify the signature on the subscriber agreement and certificate request - Discuss
The CPSes did not outline the roles of the contract signer and certificate requester.
Section 11.11.5 - the CA shall use documented processes to check the accuracy of a QIIS. - Meh
The term “QIIS” or “Qualified Independent Information Source” was not used in the CPSes. However, section 3.2 states, “Before the Service Provider starts using any data source as a reliable data source or database, it shall be evaluated as regards reliability, accuracy, and resistance to change and falsification. During the evaluation, the Service Provider takes the following into account: 1. The date of the provided information, 2. The frequency of updates to the information source, 3. The purpose of the data provider and data collection, 4. The public accessibility of the data, 5. The relative difficulty of falsifying or changing the data.”
Section 11.12.2 - the CA must check whether the applicant, contract signer, or certificate approver is on denied persons lists, etc. - Discuss/Fix
Language about checking databases as to whether the applicant should be denied an EV certificate because it is a terrorist, money launderer, etc., is absent from the CPSes.
Sections 11.13, 14.1.3 and 16 - the CA must perform final cross-correlation and other due diligence based on the entire corpus of information and have multi-person, auditable controls to ensure separation of duties with respect to EV certificate issuance - Fix
Language about final checking of the certificate application and a two-person certificate approval process for EV were missing from the CPSes.
Section 11.14.3 - validation data cannot be reused after 13 months - Good
The CPSes state in section 3.3, “In case of applications for the management of website authentication certificates (QCP-w and EVCP), Service Provider shall repeat the verification of the data and the identification at least in every 13 months” and “In case of applications for the management of website authentication certificates (IVCP, OVCP and EVCP), Service Provider shall repeat the verification of the data and the identification at least in every 13 months.”
Section 12 - root CA private keys must not be used to sign EV certificates. - Good
Section 6.1.7.a. of the CPSes adequately addresses this requirement.
Section 14.1.1 - a CA must verify the identity and trustworthiness of anyone involved in EV processes. - Good
This is adequately addressed in section 5.3 of the CPSes.
Section 14.1.2 – the internal examination of specialists must include the EV certificate validation criteria of the EV guidelines.
Section 5.3.1 of the CPS states, “Following their appointment, Validation Specialists participate in basic training that provides them with the theoretical and practical knowledge required for their position; they are to take an exam at the end of the training. The main purpose of this form of training is to become familiar with and understand the uniform security policy applicable to the service in the interest of correctly applying the current procedures based on those. The Personnel Policy contains more information.” Section 5.3.3 also addresses training requirements. These should mention something about the EV Guidelines’ validation requirements. - Discuss/Fix
Section 14.2.1 - the CA shall ensure that third-party personnel satisfy the training and skills requirements of section 14 of the EV guidelines. - Meh
Section 5.3.7 states, “The same security rules apply to any contractors used by the Service Provider in other than employment relationships as to its employees.” However, section 14.2.1 of the EV Guidelines seems to place this obligation on External RAs, if Netlock has any.