Add Autoridade Certificadora Raiz Brasileira root certificate
Categories: CA Program :: CA Certificate Root Program, task, P5
Tracking: Not tracked
People: Reporter: andre.caricatti, Assigned: bwilson
Details: Whiteboard: [ca-hold] -- Super-CA
Attachments: 2 files
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36
Steps to reproduce:
The Autoridade Certificadora Raiz Brasileira - AC Raiz - Brazilian Root Certification Authority - is the Super-CA of the Brazilian Public Key Infrastructure - Infraestrutura de Chaves Públicas Brasileira - ICP Brasil.
Provisional Measure 2,200-2 of August 24, 2001 started the implementation of this PKI.
The operating rules of the ICP Brasil are established by the Management Committee of ICP-Brasil, whose members, representatives of public authorities, organized civil society and academic research, are appointed by the President of the Republic.
The responsibility for maintaining and executing the policies of the Root CA of ICP Brasil - AC Raiz - is attributed to ITI - The National Institute of Information Technology - a federal autarchy, linked to the Civil House of the Presidency of the Republic.
Additional information can be found on the page:
obs: the pages are in Portuguese.
We are sending the AC Root v10 certificate for inclusion in the Mozilla Root Store.
This certificate has already been included in the CCADB with the name:
- "Raiz Brasileira Certification Authority v10"
and has already been included in the Microsoft Trusted Root Program.
This certificate was issued to be the root of the exclusive SSL chain, following WebTrust requirements.
Emails for contact:
Comment 1 • 4 years ago
Note that Super-CAs must first ensure every subordinate they have signed is added as a root, as documented at https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs
Please also note that Mozilla Policy, Section 8, prohibits the certification of new subordinate CAs unless positive disposition is received from Mozilla, as the result of community discussion and review of each proposed sub-CA. Failure to do so can result in removal of the root.
Since it was noted this is v10, it would be useful to clarify what has changed from previous versions. ICP-Brazil has historically had a significant amount of misissuance and violation, and it’s reasonable for the community to not trust any subsequent CAs because of this. As such, it will be critical in determining the relevance to Mozilla users to understand how these policies, controls, and infrastructure have meaningfully changed and are now finally able to support being a publicly trusted CA.
On that topic, it would be useful to capture the general relevance to users as well. Information about the existence of the CA is provided here, but what appears missing is a discussion of the relevance to Website certificates and Mozilla users. For example, if there are requirements this CA in particular be used, it would be useful to highlight them. In general, requirements to use a particular CA can be counter to the security needs of users, by removing agility from the ecosystem, a problem faced both with the deprecation of WoSign and with Symantec.
Comment 2 (Reporter) • 4 years ago
Independent Assurance Report
Compliance with WebTrust Principles and Criteria for Certification Authorities – SSL Baseline Network Security Version 2.4.1.
Comment 3 (Reporter) • 4 years ago
Main institutional page with link to WebTrust certificate:
Comment 4 (Reporter) • 4 years ago
As mentioned above, we clarify that AC Root V10 is a new root, issued exclusively to handle the issuance of SSL certificates.
This root has undergone audit processes in accordance with the corresponding Webtrust requirements and is already registered in the CCADB.
ICP Brasil, being a PKI that has public and private entities, has no record of incidents with certifying authorities, serving widely Brazilian citizens.
As for AC Raiz V10, as a chain exclusively dedicated to the issuance of SSL certificates, it will be used for various public services such as the GOV.Br portal:
- www.gov.br
which concentrates the access of 80 million people to more than 1000 services.
Updated (Assignee) • 4 years ago
Comment 5 (Assignee) • 4 years ago
I will take a look at the CP/CPS and other documentation to see whether this is a Super CA.
Comment 6 (Assignee) • 4 years ago
I visited https://www.gov.br/iti/pt-br/assuntos/repositorio and I did not encounter your Certification Practices Statement. Could you please direct me to where it is located?
Thanks,
Ben
Comment 7 (Assignee) • 4 years ago
Dear Andre,
Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
I have started reading it, so please let me know if there is a different one to which I should pay attention.
Thanks,
Ben
Comment 8 (Assignee) • 4 years ago
(In reply to Ben Wilson from comment #7)
> Dear Andre,
> Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
> I have started reading it, so please let me know if there is a different one to which I should pay attention.
> Thanks,
> Ben
I have read through the Declaração de Práticas de Certificação da Autoridade Certificadora Raiz da ICP-Brasil DOC-ICP-01-v5.2, and I think there are many things lacking. Can you get back to me with the Declaração de Práticas that I should be looking at? Thanks.
Comment 9 (Reporter) • 4 years ago
(In reply to Ben Wilson from comment #8)
> (In reply to Ben Wilson from comment #7)
> > Dear Andre,
> > Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
> > I have started reading it, so please let me know if there is a different one to which I should pay attention.
> > Thanks,
> > Ben
> I have read through the Declaração de Práticas de Certificação da Autoridade Certificadora Raiz da ICP-Brasil DOC-ICP-01-v5.2, and I think there are many things lacking. Can you get back to me with the Declaração de Práticas that I should be looking at? Thanks.
Dear Ben,
This Document is the CPS and also the CP for the Root CA.
There are two documents, referenced by this CPS, that are especially important:
- ICP-Brasil Security Policy (Política de Segurança da ICP-Brasil) - DOC-ICP-02
- ICP-Brasil Algorithms and Standards (PADRÕES E ALGORITMOS CRIPTOGRÁFICOS DA ICP-BRASIL) - DOC-ICP-01.01
Please let us know if you need any further information.
Thank you.
Updated (Assignee) • 4 years ago
Comment 10 • 3 years ago
There are numerous misissuances under this root, e.g.
- Invalid DNS name "Extrato Selic - Producao": https://crt.sh/?sha256=EA3C92E97AFD44850E7A8FFF51F9D008A44FBC0598BF9424BB2DAC28829F7CBA
- Non-existent TLD "flexa.pgfn.fazenda": https://crt.sh/?sha256=DB10D67DB83EC90DF919C7E69413A6BEACED4F52C9458FB6093182E708E751E8
- Non-existent TLD "sgconf.rfoc.srf": https://crt.sh/?sha256=0C42B0988104AE2ACA01CB46A6773BD949885A182F0058E02747E30D4699EFC6
- Non-existent TLD "SEGES-171379.mp.intra": https://crt.sh/?sha256=81E8C2F06F92415E4F6A0FB1840E85FEC88652AA18F237FEFAF50B8027F7488E
- Invalid DNS name "ibmwebspheremqsefazsc": https://crt.sh/?sha256=3CD4EB9F2780FCDC049ADEE231F2546F8439343DE7F0CA87B82C10804FC9E8FE
- Invalid DNS name "https://hom-carneleaoweb.estaleiro.serpro.gov.br/carneleao/": https://crt.sh/?sha256=514B2C9F928A44FFEEC8E8B3F9A278A736344A30D6AD67E465BDE01AB5C71B9A
Additionally, crt.sh reports the following problem with the OCSP responses for these certificates: "bad OCSP signature: crypto/rsa: verification error"
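A pre-issuance lint for the two SAN problem classes crt.sh reported in comment 10 ("Invalid DNS name" and "Non-existent TLD"), as an added example that is not part of this bug or of ICP-Brasil's tooling. The TLD set is a small constructed subset standing in for the IANA root-zone list, and the sample names are the ones quoted in the comment plus one valid control.

```python
import re

# Constructed subset of IANA TLDs, enough for the sample names below; a real
# linter would load the full IANA root-zone list (and the Public Suffix List).
KNOWN_TLDS = {"br", "com", "net", "org", "gov"}

# RFC 1123 hostname label: letters, digits and hyphen, 1..63 octets,
# no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# The names crt.sh flagged in this bug, plus one valid name as a control.
SAMPLE_SANS = [
    "www.gov.br",
    "Extrato Selic - Producao",
    "flexa.pgfn.fazenda",
    "sgconf.rfoc.srf",
    "SEGES-171379.mp.intra",
    "ibmwebspheremqsefazsc",
    "https://hom-carneleaoweb.estaleiro.serpro.gov.br/carneleao/",
]

def lint_dns_name(name):
    """Return the problems found in one dNSName SAN value (empty list if OK)."""
    if any(c.isspace() for c in name):
        return ["Invalid DNS name: contains whitespace"]
    if "/" in name:
        return ["Invalid DNS name: looks like a URL, not a hostname"]
    labels = name.split(".")
    if labels[0] == "*":          # a single leading wildcard label is allowed
        labels = labels[1:]
    if len(labels) < 2:
        return ["Invalid DNS name: single label (no TLD)"]
    for label in labels:
        if not LABEL_RE.match(label):
            return [f"Invalid DNS name: bad label {label!r}"]
    if labels[-1].lower() not in KNOWN_TLDS:
        return [f"Non-existent TLD: {labels[-1]!r}"]
    return []

def lint_san_list(names):
    """Map each failing dNSName to its problems; names that pass are omitted."""
    report = {}
    for name in names:
        problems = lint_dns_name(name)
        if problems:
            report[name] = problems
    return report
```

Running lint_san_list(SAMPLE_SANS) flags every sample name except www.gov.br, reproducing the two problem classes from the comment.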