Open Bug 1694421 Opened 8 months ago Updated 4 months ago

Add DigitalSign's root certificates

Categories

(NSS :: CA Certificate Root Program, task, P3)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: jmarques, Assigned: bwilson)

Details

(Whiteboard: [ca-cps-review] BW 2021-06-21)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36

Assignee: kwilson → bwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true
Whiteboard: [ca-initial]
Attached file BR Self Assessment

This is an S/MIME certificate example from our RSA hierarchy

This is an S/MIME certificate example from our ECDSA hierarchy

Key Ceremony Report for the 2 pki hierarchies

Can you confirm for me that this request is just for the SMIME trust bit and not for the websites trust bit?
Thanks,
Ben

Flags: needinfo?(jmarques)
Priority: -- → P4

(In reply to Ben Wilson from comment #6)

Can you confirm for me that this request is just for the SMIME trust bit and not for the websites trust bit?
Thanks,
Ben

Hi Ben,
I can confirm that this request is just for the SMIME trust bit.
Thanks, Francisco.

Flags: needinfo?(jmarques)
Priority: P4 → P3
Whiteboard: [ca-initial] → [ca-verifying]

Where are your email address verification practices documented?
See: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Email_Challenge-Response and
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
Let me know if you have any questions.
Thanks,
Ben

Flags: needinfo?(jmarques)

(In reply to Ben Wilson from comment #8)

Where are your email address verification practices documented?
See: https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Email_Challenge-Response and
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control
Let me know if you have any questions.
Thanks,
Ben

Dear Ben,

DigitalSign verifies the email address to be contained in a certificate by sending an email message containing Random Information to that email address. This Random Information (OTP) is required to complete the certificate issuance process.

This information was not completely clear in our CPS, so we’ve reviewed the CPS accordingly (item 3.2.2 and 3.2.3, already published at https://pki.digitalsign.pt/ ).

Best Regards

Flags: needinfo?(jmarques)
Flags: needinfo?(bwilson)
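The challenge-response practice described in the reply above (a random value sent to the mailbox that must be presented before issuance) as an added Python example; this is not DigitalSign's code, and the 24-hour validity window, single-use rule and request identifiers are my assumptions, not values from the CPS:

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed validity window for the emailed value; the CPS does not state one.
CHALLENGE_TTL_SECONDS = 24 * 3600


@dataclass
class Challenge:
    email: str
    token_hash: bytes      # only a hash is stored; the token itself goes to the mailbox
    expires_at: float
    used: bool = False


class EmailControlVerifier:
    """Challenge-response check that an applicant controls the mailbox in the request."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending: dict[str, Challenge] = {}   # hypothetical request_id -> challenge

    def issue(self, request_id: str, email: str) -> str:
        # 128 bits of randomness; the returned value is what the CA would email.
        token = secrets.token_urlsafe(16)
        self._pending[request_id] = Challenge(
            email=email,
            token_hash=hashlib.sha256(token.encode()).digest(),
            expires_at=self._clock() + CHALLENGE_TTL_SECONDS,
        )
        return token

    def verify(self, request_id: str, email: str, presented: str) -> bool:
        """True only if the value matches, is unexpired, unused and bound to this address."""
        ch = self._pending.get(request_id)
        if ch is None or ch.used or ch.email.lower() != email.lower():
            return False
        if self._clock() > ch.expires_at:
            del self._pending[request_id]      # expired challenges are discarded, not retried
            return False
        ok = hmac.compare_digest(hashlib.sha256(presented.encode()).digest(), ch.token_hash)
        if ok:
            ch.used = True                     # single use: issuance may proceed once
        return ok
```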

DigitalSign is pleased to inform that it has concluded, on 2021-05-03, a complete audit (within ninety days of issuing the first Publicly-Trusted Certificate), according to section 8.1 of the CA/Browser Forum Baseline Requirements.

The attestation letter can be consulted at: https://www.csqa.it/getattachment/Sicurezza-ICT/Documenti/Attestazione-di-Audit-secondo-i-requisiti-ETSI/2021-04-21-CSQA-Attestation-DigitalSign-2021-8012-signed.pdf.aspx?lang=it-IT

The date on the audit letter is wrong.

It should NOT have a "th" on May 12.

Also, it says 2020 - it should say 2021.

Also, this needs to be a period-of-time audit with a beginning and end date covering more than 60 days. It appears to be still a point-in-time audit, and not a period-of-time audit.

Flags: needinfo?(bwilson)

Section 3.2.2 of the CPS says, "DigitalSign verifies an organization’s right to use or control an email address to be contained in a certificate by sending an email message containing Random Information to the email address to be used in the certificate. This Random Information is required to complete the certificate issuance process."
Section 3.2.3 of the CPS says, "DigitalSign verifies an individual’s right to use or control an email address to be contained in a certificate by sending an email message containing Random Information to the email address to be used in the certificate. This Random Information is required to complete the certificate issuance process."
It is unclear whether DigitalSign uses any methods from section 3.2.2.4 of the CA/Browser Forum's Baseline Requirements to verify just the organization's control over the domain portion of the email address (for enterprise-based issuance). See e.g. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#22-validation-practices

(In reply to Ben Wilson from comment #13)

Section 3.2.2 of the CPS says, "DigitalSign verifies an organization’s right to use or control an email address to be contained in a certificate by sending an email message containing Random Information to the email address to be used in the certificate. This Random Information is required to complete the certificate issuance process."
Section 3.2.3 of the CPS says, "DigitalSign verifies an individual’s right to use or control an email address to be contained in a certificate by sending an email message containing Random Information to the email address to be used in the certificate. This Random Information is required to complete the certificate issuance process."
It is unclear whether DigitalSign uses any methods from section 3.2.2.4 of the CA/Browser Forum's Baseline Requirements to verify just the organization's control over the domain portion of the email address (for enterprise-based issuance). See e.g. https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#22-validation-practices

Dear Ben,
DigitalSign clarifies that the issued certificates under current CP/CPS are requested by the subscriber (natural or legal persons), and all included information in the DN is validated by DigitalSign, including the right to use or control an email address to be contained in a certificate, by the means described on CPS sections 3.2.2 and 3.2.3.
Enterprise-based issuance is not supported, i.e., DigitalSign does not allow an organization to issue/request certificates on behalf of the subscriber/end-user.
SSL certificates or device certificates are not issued under current CP/CPS, so domain name / FQDN validation also does not apply.
Best Regards,

(In reply to Ben Wilson from comment #11)

The date on the audit letter is wrong.

It should NOT have a "th" on May 12.

Also, it says 2020 - it should say 2021.

Dear Ben,
DigitalSign has successfully updated the Standard Audit Statement link at CCADB, and the current Status is now showing "PASS".
Please find our latest audit attestation letter here: https://www.csqa.it/getattachment/Sicurezza-ICT/Documenti/Attestazione-di-Audit-secondo-i-requisiti-ETSI/Certificadora-Digital-S-A-Attestation-DigitalSign-2021-8012-Rev-02-signed.pdf.aspx?lang=it-IT

Whiteboard: [ca-verifying] → [ca-cps-review] BW 2021-06-21