Open Bug 1674669 Opened 4 years ago Updated 6 months ago

Add Autoridade Certificadora Raiz Brasileira root certificate

Categories

(CA Program :: CA Certificate Root Program, task, P5)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: andre.caricatti, Assigned: bwilson)

Details

(Whiteboard: [ca-hold] -- Super-CA)

Attachments

(2 files)

Attached file ICP-Brasilv10.crt

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/86.0.4240.111 Safari/537.36

Steps to reproduce:

The Autoridade Certificadora Raiz Brasileira (AC Raiz, the Brazilian Root Certification Authority) is the Super-CA of the Brazilian Public Key Infrastructure (Infraestrutura de Chaves Públicas Brasileira, ICP Brasil).

Provisional Measure 2,200-2 of August 24, 2001 started the implementation of this PKI.
The operating rules of the ICP Brasil are established by the Management Committee of ICP-Brasil, whose members, representatives of public authorities, organized civil society and academic research, are appointed by the President of the Republic.

The responsibility for maintaining and executing the policies of the Root CA of ICP Brasil (AC Raiz) is attributed to ITI, the National Institute of Information Technology, a federal autarchy linked to the Civil House of the Presidency of the Republic.

Additional information can be found on the page:

Note: the pages are in Portuguese.

We are sending the AC Root v10 certificate for inclusion in the Mozilla Root Store.
This certificate has already been included in the CCADB under the name:

  • "Raiz Brasileira Certification Authority v10"
    and has already been included in the Microsoft Trusted Root Program.

This certificate was issued to be the root of the exclusive SSL chain, following WebTrust requirements.

Emails for contact:

cgope@iti.gov.br
andre.caricatti@iti.gov.br

Note that Super-CAs must first ensure every subordinate they have signed is added as a root, as documented at https://wiki.mozilla.org/CA/Subordinate_CA_Checklist#Super-CAs

Please also note that Mozilla Policy, Section 8, prohibits the certification of new subordinate CAs unless positive disposition is received from Mozilla, as the result of community discussion and review of each proposed sub-CA. Failure to do so can result in removal of the root.

Since it was noted this is v10, it would be useful to clarify what has changed from previous versions. ICP-Brazil has historically had a significant amount of misissuance and violation, and it’s reasonable for the community to not trust any subsequent CAs because of this. As such, it will be critical in determining the relevance to Mozilla users to understand how these policies, controls, and infrastructure have meaningfully changed and are now finally able to support being a publicly trusted CA.

On that topic, it would be useful to capture the general relevance to users as well. Information about the existence of the CA is provided here, but what appears missing is a discussion of the relevance to Website certificates and Mozilla users. For example, if there are requirements this CA in particular be used, it would be useful to highlight them. In general, requirements to use a particular CA can be counter to the security needs of users, by removing agility from the ecosystem, a problem faced both with the deprecation of WoSign and with Symantec.

Independent Assurance Report
Compliance with WebTrust Principles and Criteria for Certification Authorities – SSL Baseline Network Security Version 2.4.1.

Main institutional page with link to WebTrust certificate:

www.iti.gov.br
www.gov.br/iti

https://antigo.iti.gov.br/webtrust/?id=10469

As mentioned above, we clarify that AC Root V10 is a new root, issued exclusively to handle the issuance of SSL certificates.
This root has undergone audit processes in accordance with the corresponding WebTrust requirements and is already registered in the CCADB.

ICP Brasil, being a PKI that has public and private entities, has no record of incidents with certification authorities, and serves Brazilian citizens widely.
AC Raiz V10, as a chain exclusively dedicated to the issuance of SSL certificates, will be used for various public services such as the GOV.Br portal:

  • www.gov.br
    which concentrates the access of 80 million people to more than 1000 services.
Assignee: kwilson → bwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-hold] -- Super-CA

I will take a look at the CP/CPS and other documentation to see whether this is a Super CA.

Flags: needinfo?(bwilson)

I visited https://www.gov.br/iti/pt-br/assuntos/repositorio and I did not encounter your Certification Practices Statement. Could you please direct me to where it is located?
Thanks,
Ben

Flags: needinfo?(bwilson) → needinfo?(andre.caricatti)

Dear Andre,
Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
I have started reading it, so please let me know if there is a different one to which I should pay attention.
Thanks,
Ben

(In reply to Ben Wilson from comment #7)

> Dear Andre,
> Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
> I have started reading it, so please let me know if there is a different one to which I should pay attention.
> Thanks,
> Ben

I have read through the Declaração de Práticas de Certificação da Autoridade Certificadora Raiz da ICP-Brasil DOC-ICP-01-v5.2, and I think there are many things lacking. Can you get back to me with the Declaração de Práticas that I should be looking at? Thanks.

(In reply to Ben Wilson from comment #8)

> (In reply to Ben Wilson from comment #7)
>
> > Dear Andre,
> > Is this the CPS that I should be reading? http://acraiz.icpbrasil.gov.br/DPCacraiz.pdf
> > I have started reading it, so please let me know if there is a different one to which I should pay attention.
> > Thanks,
> > Ben
>
> I have read through the Declaração de Práticas de Certificação da Autoridade Certificadora Raiz da ICP-Brasil DOC-ICP-01-v5.2, and I think there are many things lacking. Can you get back to me with the Declaração de Práticas that I should be looking at? Thanks.

Dear Ben,

This Document is the CPS and also the CP for the Root CA.

There are two documents, referenced by this CPS, that are especially important:

  • ICP-Brasil Security Policy (Política de Segurança da ICP-Brasil) - DOC-ICP-02
  • ICP-Brasil Algorithms and Standards (PADRÕES E ALGORITMOS CRIPTOGRÁFICOS DA ICP-BRASIL) - DOC-ICP-01.01

Please let us know if you need any further information.
Thank you.

Flags: needinfo?(andre.caricatti)
Priority: -- → P5

There are numerous misissuances under this root, e.g.

Additionally, crt.sh reports the following problem with the OCSP responses for these certificates: "bad OCSP signature: crypto/rsa: verification error"

Product: NSS → CA Program