Open Bug 1592138 Opened 1 year ago Updated 4 months ago

Add Macao Post eSignTrust root certificate

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set
enhancement

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: kwilson, Assigned: bwilson)

Details

(Whiteboard: [ca-verifying] BW 2020-08-11 Awaiting response to Comment 3)

A representative of Macao Post created a Root Inclusion Case here:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000396

The Case was created on 2/28/2019, but I did not ever see a corresponding Bugzilla Bug about it, so creating one now.
(reference: https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request)

The request is to include the following root certificate:
CN=eSignTrust Root Certification Authority (G03); O=Macao Post and Telecommunications Bureau; C=MO
SHA-256 Fingerprint: 0E30D04A94DCC423E26FDC4C24AFCF4923BD80D83B661B06A2F5856361560407
Serial Number: 3CFB7DF47EA4B4C672A03FC3D25C7CC6
Valid From: 1/1/2017
Valid To: 12/31/2041

The "Macao Post eSignTrust Root Certification Authority (G02)" root certificate is currently in Microsoft's program, with the Client Authentication trust bit enabled.

Audit Statement for period 2/1/2017 - 2/28/2018:
https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=221255

Audit Statement for period 3/1/2018 - 2/28/2019:
https://www.cpacanada.ca/generichandlers/aptifyattachmenthandler.ashx?attachmentid=229895

The link below shows the information that has been verified for this root inclusion request. Search in the page for the word "NEED" to see where further clarification is requested. Please add a comment to this bug when you have provided all of the requested information.

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000396

In particular, please provide the following:

  1. Version table or changelog in the CPS.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Revision_Table

  2. Check usage of "No stipulation" throughout CPS.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#CP.2FCPS_Structured_According_to_RFC_3647
    The words "No Stipulation" mean that the particular document imposes no requirements related to that section.

  3. CPS section that describes how the CA must verify the email address to be included in the certificate.
    https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control

  4. A public URL through which the CA certificate can be directly downloaded.

  5. Add records for the existing intermediate certs to the CCADB as described here: https://ccadb.org/cas/intermediates#adding-intermediate-certificate-data

Summary: Add Macao Post root certificate → Add Macao Post eSignTrust root certificate
Whiteboard: [ca-verifying] → [ca-verifying] - KW 2019-10-28 - Comment #2
Status: NEW → ASSIGNED

Updated audit and CPS info and re-ran checks. Need to review email verification practices.

Assignee: kwilson → bwilson
Whiteboard: [ca-verifying] - KW 2019-10-28 - Comment #2 → [ca-verifying] BW 2020-08-11

Today I reviewed this application for the inclusion of the eSignTrust Root Certification Authority (G03) (for email trust bit).

Here are some things we still need:

1 - The CPS needs to explain the email verification process in greater detail. It currently does not meet Mozilla requirements.
2 - We need the full CA hierarchy under the Root. Macao Post needs to add records for all existing intermediate certificates into the CCADB.
3 - The CPS needs a Revision Table or Changelog, updated annually.
4 - The CCADB application indicates that External Third Party CAs and RAs are allowed under the PKI hierarchy, therefore we need to have written assurances in the CPS that the domain part of verification will not be delegated to any third party. ("The CA SHALL NOT delegate validation of the domain portion of an email address. The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification." Mozilla Root Store Policy section 2.2.) We'll also need more explanation of how delegated third party CAs will be chosen, authorized, and overseen. (When an external third party is provided a CA certificate, there is the potential to lose control over certification practices, etc. Yet, Mozilla will still hold the root operator fully responsible, and the negligence of a third party CA can result in the revocation of trust of the Root CA.)

Whiteboard: [ca-verifying] BW 2020-08-11 → [ca-verifying] BW 2020-08-11 Awaiting response to Comment 3

(In reply to Ben Wilson from comment #3)
CA responded by email to me on 15-Aug-2020 indicating as follows:

1 - The CPS needs to explain the email verification process in greater detail. It currently does not meet Mozilla requirements.
[pi] We will check.
2 - We need the full CA hierarchy under the Root. Macao Post needs to add records for all existing intermediate certificates into the CCADB.
[pi] We will add the records accordingly.
3 - The CPS needs a Revision Table or Changelog, updated annually.
[pi] We will follow accordingly.
4 - The CCADB application indicates that External Third Party CAs and RAs are allowed under the PKI hierarchy, therefore we need to have written assurances in the CPS that the domain part of verification will not be delegated to any third party. ("The CA SHALL NOT delegate validation of the domain portion of an email address. The CA MAY rely on validation the CA has performed for an Authorization Domain Name (as specified in the Baseline Requirements) as being valid for subdomains of that Authorization Domain Name. The CA's CP/CPS must clearly specify the procedure(s) that the CA employs to perform this verification." Mozilla Root Store Policy section 2.2.) We'll also need more explanation of how delegated third party CAs will be chosen, authorized, and overseen. (When an external third party is provided a CA certificate, there is the potential to lose control over certification practices, etc. Yet, Mozilla will still hold the root operator fully responsible, and the negligence of a third party CA can result in the revocation of trust of the Root CA.)
[pi] I just want to clarify that there are not any SSL certs to be issued under the PKI hierarchy of Macao Post and Telecommunications Bureau. At present, we do not have any plans to have External Third Party CAs. We have appointed other government entities to perform I&A of the applicants.
