Open Bug 1707136 Opened 4 years ago Updated 6 months ago

Add GSE SMIME Roots to Mozilla root store

Categories

(CA Program :: CA Certificate Root Program, task, P4)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: leonardo.maldonado, Assigned: bwilson)

References

Details

(Whiteboard: [ca-verifying] 2023-04-07)

Attachments

(10 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.72 Safari/537.36 Edg/90.0.818.42

Flags: needinfo?(kwilson)
Assignee: kwilson → bwilson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: [ca-initial]
Type: enhancement → task

Contact information:
Leonardo Maldonado
Product Manager Specialist
leonardo.maldonado@gse.com.co
+573212527921

Alejandro Calderon
Commercial Director
alejandro.calderon@gse.com.co
+57316 4128907

Company name and address
Gestion de Seguridad Electronica S.A - GSE S.A - Calle 73 # 7 – 31 3rd. floor Tower B - Bogota – Colombia

Backup/Alternate contact name and address, preferably a durable contact that can survive employee turnover (eg, "legal@companynameDOTcom")
info@gse.com.co

Company web page address (URL)
https://gse.com.co

Link to a Certificate Practice Statement
https://gse.com.co/marco-regulatorio/ (Spanish version; an English translation is attached)

List of all current third-party audits your CA practice has passed
WebTrust: https://www.cpacanada.ca/webtrustseal?sealid=10430
ONAC: https://gse.com.co/wp-content/uploads/2020/10/Alcance-16-ECD-0012020-002-ECD-AGL.pdf

Certificate revocation server URL (CRL and OCSP)

Explanation of how your organization reports revocation status for expired code signing certificates. Explanation should include if expired certificates are pruned from CRLs/OCSPResponses as soon as they expire. If not, how long is revocation information maintained for expired certificates. Note: if not indefinite, we may decline new participants that do not retain expired information for an extended period of time.
We have not issued code signing certificates yet; we can review your suggestions when we start to issue them.

Number of roots you would like to submit
Two (Root_ECD_GSE_RSA.pem and Root_ECD_GSE_ECDSA.pem)

Answers to the following questions
-What business purpose and applications (ex: code signing, SSL Client SSL Server, S/MIME, etc) will certificates issued from these root certificates serve?

We only issue certificates for S/MIME for digital signature and encryption.

-Who will obtain certificates from your Certificate Authority and what are the processes used for doing so?

The certificates are obtained by any individual or business in Colombia, in accordance with local law (Law 527 of 1999, Decree 333 of 2014 and Specific Criteria for Accreditation) and with the CPS attached to this message, for use in digital signature (including electronic invoices, contracts and others).

§ Will you issue certificates to individuals, organizations, or both?

For both of them, individuals and organizations.

§ Do you only issue certificates to users from a specific region, language, demographic or other niche demographic?

Yes, we are issuing certificates for Colombia and planning to start business in nearby countries, like Peru and Ecuador.

§ How do you market your organization, and more specifically, how do users request a certificate from you (please be specific for each of individuals and organizations if different)?

Individuals and organizations request certificates according to the CPS, depending on the use and the conditions that need to be included in the certificate. All the documents are sent by users using our web page, and the information is validated by our Registration Authority Agents. Depending on the document review and the payment verification, the certificate is recommended to be issued by the Certification Authority. All the verifications are reviewed individually as required by the CPS and local law, and audited periodically by the National Organism of Accreditation of Colombia - ONAC.

-What is the validation process for someone requesting a certificate issued from these roots?

The process consists of verifying each document sent by the requestor against third-party databases recognized as official or trustworthy. The RA officer also reviews that the information is fully readable and is not apparently manipulated in any way. Payment is also validated, but it is not a commitment that the certificate request will be approved. In case of doubt, or in case the information is not validated according to the CPS and local law, the certificate request can be denied.

A copy of the root(s) to be evaluated can be included in the e-mail for initial examination.

Flags: needinfo?(bwilson)
Attached file Root_ECD_GSE_RSA.pem
Flags: needinfo?(bwilson)
Attached file Root_ECD_GSE_ECDSA.pem (obsolete)
Flags: needinfo?(bwilson)
Flags: needinfo?(kwilson)
Flags: needinfo?(bwilson)
Priority: -- → P3
Flags: needinfo?(leonardo.maldonado)

Dear Ben,
The case created in CCADB is Case 00000814.

Flags: needinfo?(leonardo.maldonado)
Summary: Add GSE root certificates → Add GSE SMIME Roots to Mozilla root store
Attached image CCADB Case

Thanks. To help you get going, I'll upload the PEMs of your root certificates into Case 814 in the CCADB.

Thanks a lot Ben, I'll be waiting to continue providing additional information by your request.

The PEM files you have provided for the EC root (GSE ECDSA RAIZ) are actually for the "GSE ECDSA SUBORDINADA", and I didn't see the 384-bit ECDSA root downloadable from your website, only the RSA root.

Dear Ben,
Sorry for my mistake.
All certificates from GSE are published at the URL https://certs2.gse.com.co/
I also copy the base64 below.

Attachment #9218397 - Attachment is obsolete: true

The 2021 WebTrust Audit report with seal has been added to the CCADB. I now need to confirm that GSE has a CPS that addresses email validation.

For each root - "If only requesting the Email trust bit, then attach an example S/MIME certificate to the bug."

There is a requirement in section 3.3.5 of the Mozilla Root Store Policy,
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses, that requires CPSs and CPSes follow RFC 3647 - "Effective for versions dated April 1, 2020 or later, CPs and CPSes MUST be structured according to RFC 3647." It should be in English, and although I can translate the relevant language, I am looking for language that shows that GSE CAs check for the applicant's control over the email address prior to certificate issuance. See https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Email_Challenge-Response and https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control.

(In reply to Ben Wilson from comment #15)

For each root - "If only requesting the Email trust bit, then attach an example S/MIME certificate to the bug."
Hello Ben,
For RSA, the following lines are the certificate:

For ECDSA, the following lines are the certificate:

Attached file GratefulRSA.cer

Certificate for S/MIME with RSA algorithm

Attached file LeonardoECDSA.cer

Certificate for S/MIME with ECDSA Algorithm

(In reply to Ben Wilson from comment #16)

There is a requirement in section 3.3.5 of the Mozilla Root Store Policy,
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#33-cps-and-cpses, that requires CPSs and CPSes follow RFC 3647 - "Effective for versions dated April 1, 2020 or later, CPs and CPSes MUST be structured according to RFC 3647." It should be in English, and although I can translate the relevant language, I am looking for language that shows that GSE CAs check for the applicant's control over the email address prior to certificate issuance. See https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Email_Challenge-Response and https://wiki.mozilla.org/CA/Required_or_Recommended_Practices#Verifying_Email_Address_Control.

Hello Ben,
The mail address is validated in the issuance process, as can be verified in section 6.5 of our CPS, of which I copy an English translation below:
The applicant's data: type of identification, identification number, names, surname, NIT (applies for companies), business name (applies for companies), address information: department, municipality, address and »EMAIL« are reviewed and/or validated together with the application form and the documentation provided for each type of digital certificate.

I put between »« symbols the part that specifies the need to verify EMAIL.

Please let me know if this requirement is satisfied with this translation.
Best regards, Leonardo.

Flags: needinfo?(bwilson)
Flags: needinfo?(bwilson)
Whiteboard: [ca-initial] → [ca-verifying] BW 2021-12-01

Dear Leonardo,
Currently, a review of the information in the CCADB (and here) indicates that I need:
1 - the intermediate/subordinate CA certificates of the root CA certificates need to be uploaded to the CCADB
2 - for each root, the CCADB has to be populated for "Application Information"

  • Explain why this root cert needs to be included in the root store, rather than being signed by another CA’s root certificate that is already included.
  • Explain the unique function of this root, especially if requesting inclusion of multiple roots.
  • Root Certificate Download URL - A public URL through which the CA certificate can be directly downloaded.

See https://ccadb.force.com/a004o00000FsKpEAAV and https://ccadb.force.com/a004o00000FsL0JAAV
3 - Complete the "PKI Hierarchy" section for each root in the application (at these ^ URLs)
Let me know if you have any questions.
Thanks,
Ben
Flags: needinfo?(leonardo.maldonado)

Dear Ben,
Thanks for your prompt reply; I will answer each point.
1 - the intermediate/subordinate CA certificates of the root CA certificates need to be uploaded to the CCADB
The intermediate/subordinate CAs were uploaded to
https://ccadb.force.com/s/account/0014o00001oAWzAAAW/gse-ecdsa-raiz?tabset-e9496=2
https://ccadb.force.com/s/account/0014o00001oAWasAAG/autoridad-raiz-gse?tabset-e9496=2

2 - for each root, the CCADB has to be populated for "Application Information"
I filled in the Application Information section on the CCADB site for cases R00001830 and R00001831.
I explained why both root certs need to be included in the root store, essentially because each root uses a different signature algorithm (RSA & ECDSA), and users of each root need to sign S/MIME while acquiring only one certificate.
Each root has functions related to its signature algorithm, but both need to sign S/MIME.

3 - Complete the "PKI Hierarchy": I uploaded the corresponding subCAs, but none of the check boxes for cross-signed or external related actions apply to the root certificates that we want to include.

Thanks in advance for your help, please let me know if you need additional information.
Regards,
Leonardo

Flags: needinfo?(leonardo.maldonado)
Priority: P3 → P2

In the CCADB, below "Mozilla Additional Requirements" there are two places needing responses:

Please read these two wiki pages above and provide a response where it says, "CA's Response to Required Practices" and "CA's Response to Forbidden Practices". Also, please pay special attention to these two sections:

Product: NSS → CA Program

Dear Ben, taking into account the CCADB Update: "Root Inclusion Request" Type of case, could you give me feedback on the process to follow in order to continue the Root Inclusion Request case?

Flags: needinfo?(bwilson)

A review of https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000814 indicates missing information for your company and root certificates. Under our new process, some of this information will need to be provided in a new "Add/Update Root Case" - https://www.ccadb.org/cas/updates (which I have created for you as case #1192 - https://ccadb.force.com/5008Z000026GS25QAG), while other information can be provided in the existing Root Inclusion Case #814.
In Case #1192, go to the "Root Information" tab and submit all requested information for both root CAs. Also, provide your document repository information and any new certificate policies or certification practice statements under the "Policy Documents" tab.
In Case #814, it looks like you need to provide a value statement, which can be uploaded as an attachment to this Bug #1707136. See https://wiki.mozilla.org/CA/Quantifying_Value for more information.
Feel free to reach out if you have further questions.

Flags: needinfo?(bwilson)

(In reply to Ben Wilson from comment #25)

A review of https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000814 indicates missing information for your company and root certificates. Under our new process, some of this information will need to be provided in a new "Add/Update Root Case" - https://www.ccadb.org/cas/updates (which I have created for you as case #1192 - https://ccadb.force.com/5008Z000026GS25QAG), while other information can be provided in the existing Root Inclusion Case #814.
In Case #1192, go to the "Root Information" tab and submit all requested information for both root CAs. Also, provide your document repository information and any new certificate policies or certification practice statements under the "Policy Documents" tab.
In Case #814, it looks like you need to provide a value statement, which can be uploaded as an attachment to this Bug #1707136. See https://wiki.mozilla.org/CA/Quantifying_Value for more information.
Feel free to reach out if you have further questions.

Hi Ben,
Case #1192 was updated and we are working on case #814.

We have some questions; is it possible to have a call? leonardo.maldonado@gse.com.co

JUSTIFICATION CASE n° 814

Dear Ben,

Continuing with case No. 814, attached is a file that contains the declaration of value complying with Quantifying Value (https://wiki.mozilla.org/CA/Quantifying_Value). We remain attentive to continue with the case.

Whiteboard: [ca-verifying] BW 2021-12-01 → [ca-ready-for-discussion 2023-02-16]

Note: The CP and CPS need to be organized according to RFC 3647.

Priority: P2 → P4
Whiteboard: [ca-ready-for-discussion 2023-02-16] → [ca-verifying] 2023-04-07

(In reply to Ben Wilson from comment #30)

Note: The CP and CPS need to be organized according to RFC 3647.

Dear Ben,
I am sharing the CP and CPS documentation updated to RFC 3647 to be reviewed and to continue case 00001192; can you say whether the documents comply with what is expected and tell us what the next step is?

Attached documents in Bugzilla:

  • Certificate_Policies_for_Digital_Certificates_V14.pdf
  • Certification_Practice_Statement_V15.pdf

We will remain attentive to the comments identified on your part.
