Closed Bug 1688382 Opened 3 years ago Closed 3 years ago

Camerfirma: No disclosure of verification sources

Categories

(CA Program :: CA Certificate Compliance, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: clavesnostrum, Assigned: ana.lopes)

Details

(Whiteboard: [ca-compliance] [policy-failure])


Camerfirma discloses in its CPS "The documentation necessary to issue a certificate is published at: http://www.camerfirma.com/index/buscador-documentos.php".

The page, however, returns an HTTP 500 error. Does this breach section 11.1.3 of the EVGL?

Assignee: bwilson → ana.lopes
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-compliance]

If we are not wrong, that is a link included in an old version of our CPS. If you check the updated official CPS (https://www.camerfirma.com/publico/DocumentosWeb/politicas/CPS_eidas_EN_1.2.12.pdf) you won’t find it anymore.
Could you please let us know where you found the link so we can manage the issue in order to avoid any misunderstanding?

I think that the underlying issue is that section 11.1.3 of the Extended Validation Guidelines requires that as of October 1, 2020, CAs have to publicly identify, somewhere in section 3.2 of their CP or CPS, all of their validation sources -- in some form of online data structure. See:

https://github.com/digicert/reports/tree/master/validation-sources
https://www.globalsign.com/en/repository/Incorporating_Agency_and_Registration_Agency_List_v1.3.xlsx
https://sectigo.com/uploads/files/Sectigo-JoI-Data-Source-List-v1_0_13.pdf
https://www.entrust.com/legal-compliance/approved-incorporating-agencies

Thank you Ben.

We will incorporate the information about the Agencies of Registration in the next version of the CPS that we will publish in the next few days.

We will let you know when it is published.

The new version of our CPS which includes information of the Agencies of Registration in section 3.2 is available at
https://rest.camerfirma.com/publico/DocumentosWeb/politicas/CPS_eidas_EN_1.2.14.pdf

We do not have more updates for this bug.

Hi Ben,

One month ago we updated our CPS with information of the Agencies of Registration; we believe this bug can be closed.

Kind regards

I'll close it this week sometime.

Flags: needinfo?(bwilson)
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Flags: needinfo?(bwilson)
Resolution: --- → FIXED
Product: NSS → CA Program
Summary: CamerFirma: No disclosure of verification sources → Camerfirma: No disclosure of verification sources
Whiteboard: [ca-compliance] → [ca-compliance] [policy-failure]