Closed Bug 420705 Opened 16 years ago Closed 15 years ago

add Comsign CA certs

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: michald, Assigned: kwilson)

References

Details

(Whiteboard: Approved)

Attachments

(21 files, 1 obsolete file)

1.53 KB, application/x-x509-ca-cert
Details
919 bytes, application/x-x509-ca-cert
Details
943 bytes, application/x-x509-ca-cert
Details
106.50 KB, application/msword
Details
27.24 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
32.73 KB, application/pdf
Details
23.57 KB, application/vnd.openxmlformats-officedocument.wordprocessingml.document
Details
3.43 KB, text/plain
Details
3.43 KB, application/x-pkcs7-certificates
Details
32.17 KB, application/pdf
Details
75.78 KB, application/pdf
Details
26.16 KB, application/pdf
Details
51.74 KB, application/pdf
Details
61.41 KB, application/pdf
Details
434.09 KB, application/pdf
Details
20.87 KB, application/pdf
Details
567.74 KB, application/pdf
Details
1.50 KB, application/x-x509-ca-cert
Details
192.47 KB, application/pdf
Details
99.49 KB, application/x-download
Details
99.58 KB, application/x-download
Details
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 3.0.04506.30; .NET CLR 1.1.4322; .NET CLR 2.0.50727; InfoPath.2)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; he; rv:1.8.1.12) Gecko/20080201 Firefox/2.0.0.12

ComSign provides solutions which includes: Digital Certificates for servers (SSL), Digital Certificates for use on personal PCs, cellular phones and PKI systems for organizations that enable use of digital signatures in a wide range of Intranet and extranet applications in a minimum costs.

we ask you to add comsign to your certificate authorities in firefox.
we have three certificates:

ComSign CA
ComSign Secured CA
ComSign Advanced Security CA

 


Reproducible: Always

Steps to Reproduce:
1.
2.
3.
Actual Results:  
If you will enter  www.4x4.co.il/shop/shopping.aspx the error will pop up 

Expected Results:  
An error message appears and let you know that the ssl certificate is not approved .

Accept the ssl certificate  . and show no error.
Attached file comsign certificate
Attached file comsign certificate
Attached file comsign certificate
Severity: normal → enhancement
Summary: I would like you to add Comsign to your Certificate authorities in Firefox → add Comsign CA certs
Thanks for your interest in Mozilla, and for entering your request into our bug reporting system. As part of the evaluation we keep track of information about CAs on a web page at

 http://www.mozilla.org/projects/security/certs/pending/

Below I've attached a list of the information we'd like to have you provide:

CA Details
----------

CA Name:
Website:
One Paragraph Summary of CA, including the following:
 - General nature (e.g., commercial, government,
                  academic/research, nonprofit)
 - Primary geographical area(s) served
 - Number and type of subordinate CAs
Audit Type (WebTrust, ETSI etc.):
Auditor:
Auditor Website:
Audit Document URL(s):
URL of certificate hierarchy diagram:

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name:
Summary Paragraph, including the following:
 - End entity certificate issuance policy,
  i.e. what you plan to do with the root
Certificate HTTP URL (on CA website):
Version:
SHA1 Fingerprint:
Modulus Length (a.k.a. "key length"):
Valid From (YYYY-MM-DD):
Valid To (YYYY-MM-DD):
CRL HTTP URL:
CRL issuing frequency for end-entity certificates:
OCSP URL:
Class (domain-validated, identity/organisationally-validated or EV):
Certificate Policy URL:
CPS URL:
Requested Trust Indicators (email and/or SSL and/or code):
URL of website using certificate chained to this root (if applying for SSL):
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
OS: Windows XP → All
--- Comment #4 from Frank Hecker <hecker@hecker.org>  2008-03-06 07:20:14
PST --- Thanks for your interest in Mozilla, and for entering your request
into our bug reporting system. As part of the evaluation we keep track of
information about CAs on a web page at

 http://www.mozilla.org/projects/security/certs/pending/

Below I've attached a list of the information we'd like to have you provide:

CA Details
----------

CA Name:ComSign CA
Website:www.comsign.co.il
One Paragraph Summary of CA, including the following:
 - General nature (e.g., commercial, government,
                  academic/research, nonprofit) Commercial , Government
 - Primary geographical area(s) served Israel
 - Number and type of subordinate CAs 6, Intemediates
Audit Type (WebTrust, ETSI etc.):
Auditor:
Auditor Website:
Audit Document URL(s):
URL of certificate hierarchy diagram:

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name: ComSign CA
Summary Paragraph, including the following:
 - End entity certificate issuance policy,
  i.e. what you plan to do with the root Certificate HTTP URL (on CA
website):
Version:V3
SHA1 Fingerprint: e1 a4 5b 14 1a 21 da 1a 79 f4 1a 42 a9 61 d6 69 cd 06 34 c1
Modulus Length (a.k.a. "key length"):2048
Valid From (YYYY-MM-DD):3/24/2004
Valid To (YYYY-MM-DD):3/19/2029
CRL HTTP URL: http://fedir.comsign.co.il/crl/ComSignCA.crl
CRL issuing frequency for end-entity certificates: From 2Hours to 24Hours
OCSP URL:
Class (domain-validated, identity/organisationally-validated or EV):
Certificate Policy URL:
CPS URL:
Requested Trust Indicators (email and/or SSL and/or code):
URL of website using certificate chained to this root (if applying for SSL):


CA Details
----------

CA Name:ComSign Secured CA
Website:
One Paragraph Summary of CA, including the following:
 - General nature (e.g., commercial, government,
                  academic/research, nonprofit)
 - Primary geographical area(s) served Israel
 - Number and type of subordinate CAs 6, Intemediates
Audit Type (WebTrust, ETSI etc.):
Auditor:
Auditor Website:
Audit Document URL(s):
URL of certificate hierarchy diagram:


Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name: ComSign Secured CA
Summary Paragraph, including the following:
 - End entity certificate issuance policy,
  i.e. what you plan to do with the root Certificate HTTP URL (on CA
website):
Version:V3
SHA1 Fingerprint: f9 cd 0e 2c da 76 24 c1 8f bd f0 f0 ab b6 45 b8 f7 fe d5 7a
Modulus Length (a.k.a. "key length"):2048
Valid From (YYYY-MM-DD):3/24/2004
Valid To (YYYY-MM-DD):3/16/2029
CRL HTTP URL: http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl
CRL issuing frequency for end-entity certificates: 24Hours
OCSP URL:
Class (domain-validated, identity/organisationally-validated or EV):
Certificate Policy URL:
CPS URL:
Requested Trust Indicators (email and/or SSL and/or code):
URL of website using certificate chained to this root (if applying for SSL):

I don't see anything about an independent audit in the information above; that's a requirement for inclusion in Mozilla. Also, we count "ComSign" as one CA (i.e., the organization operating the CA(s)), and "ComSign Secure CA" and "ComSign CA" as root CAs under the overall CA. (We're conflating two uses of the term "CA", for which I apologize.)

In any case, we still need additional information from you. For an expanded description of what we'd like to know, see

 http://wiki.mozilla.org/CA:Information_checklist
We need you to approve Only 2 CA certificate 


CA Details
----------
CA Name:Comsign LTD  
Website:www.comsign.co.il
One Paragraph Summary of CA, including the following:
ComSign is the representative of Verisign in Israel.  
Verisign is the world's largest company in the field of Digital Certificates and PKI systems. 
ComSign has the exclusive rights to market Verisign digital authentication certificates and act as VeriSign's certificate authority in Israel, As part of the VeriSign Affiliate Program for trusted service providers. ComSign provides VeriSign solutions which includes: Digital Certificates for servers (SSL), Digital Certificates for use on personal PCs, cellular phones and PKI systems for organizations that enable use of digital signatures in a wide range of Intranet and extranet applications in a minimum costs. 
ComSign is a private company owned by  , Ltd., a leading Israeli information security system house. Comda is a large professional security systems integrator active in the Israeli market for more than 15 years. The company focus is on the support and marketing of security and communications systems and products, for large accounts. Comda has a wide customer base that exceeds 3,000 Israeli organizations and includes government institutions, large corporations, public and private firms, universities, hospitals and more. Comda's marketing and sales expertise in the Israeli market as well as its technical ability has made it the distributor of choice for many brands. 

Certificate Details
-------------------
Certificate Name : Comsign CA
Summary Paragraph, including the following:

Ensures the identity of a remote computer
Proves your identity to a remote computer
Protects e-mail messages
Ensures software came from software publisher
Protects software from alteration after publication
All issuance policies

Certificate HTTP URL : http://fedir.comsign.co.il/cacrt/ComSignCA.crt
Version:V3
SHA1 Fingerprint   14 13 96 83 14 55 8c ea 7b  63 e5 fc 34 87 77 44 
Modulus Length (a.k.a. "key length"):2048
Valid From (YYYY-MM-DD):2004/03/24
Valid To (YYYY-MM-DD):2029/03/19
CRL HTTP URL: http://fedir.comsign.co.il/crl/ComSignCA.crl
CRL issuing frequency for end-entity certificates:24 Hours
Class (domain-validated, identity/organisationally-validated or EV): class 3 
Requested Trust Indicators (email and/or SSL and/or code): all three
URL of website using certificate chained to this root (if applying for SSL): https://www.4x4.co.il
 
Certificate Details
-------------------
Certificate Name: Comsign Secured CA 
Summary Paragraph, including the following:

Ensures the identity of a remote computer
Proves your identity to a remote computer
Protects e-mail messages
Ensures software came from software publisher
Protects software from alteration after publication
All issuance policies

Certificate HTTP URL (on CA website): http://fedir.comsign.co.il/cacrt/ComSignSecuredCA.crt
Version:V3
SHA1 Fingerprint: 00 c7 28 47 09 b3 b8 6c 45 8c 1d fa 24 f5 36 4e e9
Modulus Length (a.k.a. "key length"):2048
Valid From (YYYY-MM-DD):2004/03/24
Valid To (YYYY-MM-DD):2029/03/16
CRL HTTP URL: http://fedir.comsign.co.il/crl/ComSignCA.crl
CRL issuing frequency for end-entity certificates: 24 Hours
Class (domain-validated, identity/organisationally-validated or EV): class3
Requested Trust Indicators (email and/or SSL and/or code): all three
URL of website using certificate chained to this root (if applying for SSL): https://www.4x4.co.il
Accepting this bug so I can proceed with the information gathering/verification phase.
Assignee: hecker → kathleen95014
Attached is the Initial Information Gathering Document which summarizes the data that has been gathered and verified for this request. Within the document the items highlighted in yellow indicate the information that is still needed.  I will summarize below:

1) Please see sections 8, 9, and 10 of http://www.mozilla.org/projects/security/certs/policy/
We need a publishable document or letter from an auditor (who meets the policy requirements) that states that they have reviewed the practices as outlined in the CP/CPS for these roots, and that the CA does indeed follow these practices and meets the requirements of one of:
ETSI TS 101 456
ETSI TS 102 042
WebTrust Principles and Criteria for Certification Authorities

2) Please provide updated links to your CP/CPS
The old link (http://www.comsign.co.il/repository/PDFs/English_CPS_final.pdf) doesn’t work.

3) If you are unable to provide the complete CP and/or CPS in English, then please translate the relevant text from the latest CP or CPS that demonstrates that reasonable measures are taken to verify the following information for end-entity certificates as per section 7 of http://www.mozilla.org/projects/security/certs/policy/ 
a) for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;
b) for a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf; 
c) for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;

4) Please provide a description and diagram of the certificate hierarchy for each of these roots.
a) Are there any internally operated subordinate CAs for these roots? For internally-operated subordinate CAs the key is to confirm that their operation is addressed by the relevant CP/CPS, and that any audit covers them as well as the root.
b) Are there any subordinate CAs operated by third parties? For the subordinate CAs that are operated by third parties, please provide a general description and explain how the CP/CPS and audits ensure the third parties are in compliance.
c) List any other root CAs that have issued cross-signing certificates for this root CA

5) Please identify if all SSL certs issued from these roots are OV, meaning that both the domain name referenced in the certificate is verified to be owned/controlled by the subscriber, and the value of the Organization attribute is verified to be that associated with the certificate subscriber.
Are there any SSL certs issued from these roots that are only DV? Eg the Organization attribute is not verified, only the domain name is verified?

6) Please provide an example website whose cert chains up to ComSign CA root.

7) I’m supposed to review the CP/CPS for potentially problematic practices, as per http://wiki.mozilla.org/CA:Problematic_Practices. Would you please comment as to whether any of these are relevant? If relevant, please provide further info.

8) When I try to import these CRLs into Firefox, I get the error:
“The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe009"
This corresponds to error -8043, SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, as per http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html
Do you happen to have the CIDP (CRL Issuing Distribution Point) extension flagged as "critical" for these CRLs? Firefox does not currently support this, though a future version of Firefox will.

Thanks,
Kathleen
1) Please see sections 8, 9, and 10 of- 
http://www.mozilla.org/projects/security/certs/policy/
We need a publishable document or letter from an auditor (who meets the policy
requirements) that states that they have reviewed the practices as outlined in the CP/CPS for these roots, and that the CA does indeed follow these practices and meets the requirements of one of:
ETSI TS 101 456
ETSI TS 102 042
WebTrust Principles and Criteria for Certification Authorities

Please read this letter and let me know if OK
For Microsoft it was acceptable
ComSign is a trusted CA in the Microsoft certificate store world wide CA's since Win2000 SP2	 

2) Please provide updated links to your CP/CPS The old link (http://www.comsign.co.il/repository/PDFs/English_CPS_final.pdf)
doesn’t work.
THIS IS THE CORRECT LINK- http://www.comsign.co.il/CPS/English_CPS_final.pdf

3) If you are unable to provide the complete CP and/or CPS in English, then please translate the relevant text from the latest CP or CPS that demonstrates that reasonable measures are taken to verify the following information for end-entity certificates as per section 7 of http://www.mozilla.org/projects/security/certs/policy/to
THIS IS THE CORRECT LINK- http://www.comsign.co.il/CPS/English_CPS_final.pdf

a) for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf; WE DO TAKE REASONABLE MEASURES AS REQUIRED
b) for a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf;
 WE DO TAKE REASONABLE MEASURES AS REQUIRED
c) for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf; 
WE DO TAKE REASONABLE MEASURES AS REQUIRED

4) Please provide a description and diagram of the certificate hierarchy for each of these roots. ENCLOSED PLEASE FIND
 
a) Are there any internally operated subordinate CAs for these roots? YES For internally-operated subordinate CAs the key is to confirm that their operation is addressed by the relevant CP/CPS, and that any audit covers them as well as the root.YES
b) Are there any subordinate CAs operated by third parties? For the subordinate CAs that are operated by third parties, please provide a general description and explain how the CP/CPS and audits ensure the third parties are in compliance.NO
c) List any other root CAs that have issued cross-signing certificates for this root CA NO

5) Please identify if all SSL certs issued from these roots are OV, meaning that both the domain name referenced in the certificate is verified to be owned/controlled by the subscriber, and the value of the Organization attribute is verified to be that associated with the certificate subscriber.
Are there any SSL certs issued from these roots that are only DV? Eg the Organization attribute is not verified, only the domain name is verified?  Organisation Verified

6) Please provide an example website whose cert chains up to ComSign CA root. https://www.benezer.co.il/

7) I’m supposed to review the CP/CPS for potentially problematic practices, as per http://wiki.mozilla.org/CA:Problematic_Practices. Would you please comment as to whether any of these are relevant? If relevant, please provide further info.
We reviewed it carefully according to ETSI requirements and there is no problem 

8) When I try to import these CRLs into Firefox, I get the error: 
“The application cannot import the Certificate Revocation List (CRL).
Error Importing CRL to local Database. Error Code:ffffe009"
This corresponds to error -8043, SEC_ERROR_CRL_UNKNOWN_CRITICAL_EXTENSION, as per http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html

We removed the critical flag from the CRL .
Thank you for the information.  I have updated the information on the pending list at:
http://www.mozilla.org/projects/security/certs/pending/#ComSign
Please verify, and let me know if I should change anything.

1) Audit

The letter that is attached is addressed to Microsoft. Is this the letter that you want us to use?

The auditor website, http://srsfcpa.co.il, has very limited information. Is there a better website to use for this auditor?

2) Thanks for the updated CPS link

3) …reasonable measures taken to verify the following information for  end-entity certificates as per section 7 of http://www.mozilla.org/projects/security/certs/policy/

Re: “WE DO TAKE REASONABLE MEASURES AS REQUIRED”

I’m sure you do, but I still need to find the corresponding text in the CP/CPS or other relevant document that provides information about such procedures. In the CPS I found where it stated that the information was required, but I could not find any text stating how the domain name and email address are verified to be under the control of the subscriber.

4) Thanks for the cert hierarchy diagram and clarifications.

5) To make sure I understood correctly, for the ComSign CA root we should only enable the Email trust bit, and for the ComSign Secured CA root we should enable the website and code-signing trust bits, not email. Correct?

6) Please attach the example cert that chains up to the ComSign CA root.

7) Problematic practices – Based on reviewing the CPS, I did not find any of these to be relevant. 

8) Re: “We removed the critical flag from the CRL.”
I still see the problem in Firefox. Perhaps this is because the CRLs were generated in October with the critical flag, and are next due to be generated in April?

Thanks,
Kathleen
1) Audit

The letter that is attached is addressed to Microsoft. Is this the letter that
you want us to use?  we will send you new doc. from our Audit.

2) …reasonable measures taken to verify the following information for 
end-entity certificates as per section 7 of
http://www.mozilla.org/projects/security/certs/policy/

Re: “WE DO TAKE REASONABLE MEASURES AS REQUIRED”

I’m sure you do, but I still need to find the corresponding text in the CP/CPS
or other relevant document that provides information about such procedures. In
the CPS I found where it stated that the information was required, but I could
not find any text stating how the domain name and email address are verified to
be under the control of the subscriber. we will add this issue to our CPS in english, u will find it in our CPS web site.

3) To make sure I understood correctly, for the ComSign CA root we should only
enable the Email trust bit, and for the ComSign Secured CA root we should
enable the website and code-signing trust bits, not email. Correct? yes

6) Please attach the that chains up to the ComSign CA root.  - attached

8) Re: “We removed the critical flag from the CRL.”
I still see the problem in Firefox. Perhaps this is because the CRLs were
generated in October with the critical flag, and are next due to be generated
in April? YES. by the law og the sate of Israel we need to cr8 new CRL every 6 month. we can not change the date.
next CRL will publish at April 2009.




Thanks,
Kathleen
Attached file Sample cer.
plz remove the .txt
Attached file Audit letter
As per Mozilla policy, I will need to do an independent verification of the authenticity of the audit statement. I will also need to find public information about how this auditor meets section 9 of the Mozilla CA Certificate Policy.  I have sent email to the auditor requesting this information. 

In regards to: "...text stating how the domain name and email address are verified to be under the control of the subscriber. we will add this issue to our CPS in english, u will find it in our CPS web site."

Please let me know when this has been completed. Also, will it be added to the Hebrew version of the CPS?

Thanks,
Kathleen
Erez Sheflere - C.P.A.
Please find some deals about my qualifications:
1.       I am a C.P.A. in Israel since 1998.
2.       I have formal knowledge in information systems and controls audit.
3.       I passed the CISA exam at 1998.
4.       Since 1996 I perform financial, operational and information system audits.
5.       Since 2004 I perform systems information audit at Comsign Ltd.. Comsign Ltd. is a qualified licensed CA operating under charter of the government of the State of Israel ("Government CA") as per the Israeli Electronic Signature Law. 
6.       As part of the regulatory process, I perform audits of Government CA'a according to the Law and the Israeli government's CA Registrar's instructions. My audits are recognized and accepted by the Israeli government and the government's CA Registrar.
Attached file Auditor Qualifications
The auditor has verified the authenticity of the audit statement at
https://bugzilla.mozilla.org/attachment.cgi?id=347141

The only remaining item for this phase is to find text in the CP/CPS satisfying section 7 of the CA Policy
http://www.mozilla.org/projects/security/certs/policy/ 

Please let me know when this has been completed. Also, when will it be added to the Hebrew version of the CPS?
This completes the information gathering and verification phase of this request as per 
https://wiki.mozilla.org/CA:How_to_apply

This request is ready to be prioritized and scheduled for public discussion as per
https://wiki.mozilla.org/CA:Schedule
Assignee: kathleen95014 → hecker
Whiteboard: Information confirmed complete
Attachment #353483 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from ComSign to add the ComSign CA and the ComSign Secured CA root certificates to Mozilla.

Public discussion will be in the mozilla.dev.tech.crypto newsgroup and the corresponding dev-tech-crypto@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-tech-crypto

Please actively review, respond, and contribute to the discussion.
Kathleen, the audit was not performed by the State of Israel nor is there a published audit criteria. The State of Israel has an Electronic Signature Law and ComSign conforms to that law, however this is not an audit criteria. Could you please update the Pending page and remove this line. 

An audit was performed by Erez Shefler (CPA) Sharony-Shefler & Co. However the claim to have performed the audit according to the ETSI criteria is vague and should be removed for now from the pending page as well. I will follow up at m.d.t.c. concerning the above points in more detail.
FYI, ComSign are the issuer for some of the Israeli government websites (For example - https://nesach.justice.gov.il/mashkonot/forms/fmashindex.aspx). Until this issue is resolved, some of the secured websites are inaccessible for Firefox users in Israel.
This concludes the first public discussion about ComSign’s request to add two new root CA certificates to the Mozilla root store. The summary of the action items resulting from this first public discussion is as follows. 

The criteria by which the CA was audited needs to be clarified. ComSign is requested to provide information about the audit criteria or the CA certificate practice requirements as published by the Ministry of Justice.  If there is published audit criteria of the Israeli Electronic Signature Law, then provide a mapping between that criteria and that of ETSI ETSI TS 101 456, ETSI TS 102 042, or WebTrust Principles and Criteria for Certification Authorities.
Hi
Regarding you questions
Comsign operate under the Israeli Electronic Signature Law.
Here is link for all the regulation that derivative from the law.
Unfortunately this link in in hebrew (I hope you can translate it) http://www.justice.gov.il/MOJHeb/RashamGormimMashrim/HokVetakanot

Comsign is VeriSign Affiliate here in Israel.
Which mean we work according to their procedures and regulation.

Comsign is the only Israeli company who's certificate been approve by Microsoft.

Comsign also achieved authorization by standard ISO 9000 & ISO 27001.

In Addition Comsign is being criticize by accountant that specialize in Information Security.
And operate according the European Telecommunications Standards Institute (ETSI).
I can offer to give some better estimates about eventual published audit criteria and their compliance or similarity to the various ETSI standards. If a mapping to ETSI is possible I could advice on it, however Comsign would have to provide the mapping and relevant translations. But first we have to know about such a criteria since I'm not aware of one existing, second it still requires the approval of Mozilla.
Re-assigning this bug to Kathleen Wilson, since she's the person actively working on it.
Assignee: hecker → kathleen95014
Attachment 369495 [details] was obtained from http://www.justice.gov.il/MOJHeb/RashamGormimMashrim/NewHanhayot/ (הנחיה מס' 06/04 לגורמים המאשרים). Translation will follow.
Attached file Audit Rules
This is the translation of the relevant content of the previous attachment in Hebrew. This forms the basis for the auditing according the CPA. Mr. Shefler. No other criteria or audit guidelines exist apparently.
Attached is a statement from the auditor, Mr. Shefler, that an audit for Comsign was completed on February 26, 2009, to qualify Comsign as a Government CA, according to the Israeli  Electronic Signature Law.

The statement is dated April 7, 2009, and also says:
“In addition, we audited the operation of Comsign according to the Assessment Checklist – TS 101456 v1.1.2 (2006-12). The audit included the new Certification Practice Statement (CPS) V.3 that is scheduled to be published shortly.”
“In our opinion, based on our audit described above, Comsign Ltd. Operates as a CA, in all material aspects in accordance to ETSI TS 101 456.”

I believe that this satisfies the request for clarification of the audit criteria to ensure that the audit meets the requirements of the Mozilla CA Policy.
The audit states that it is based on CPS v.3. Comsign has confirmed that there are no significant changes in the CPS v.3 as compared to the version of the CPS that was translated into English:
http://www.comsign.co.il/Images/Doc/English_CPS_final.doc
I am now opening the second public discussion period for this request from ComSign to add the ComSign CA and the ComSign Secured CA root certificates to Mozilla.

The discussion will take place in the new mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion topic is: ComSign Root Inclusion Request Round 2

Please actively review, respond, and contribute to the discussion.
Whiteboard: Information confirmed complete → In Public Discussion
we replay for Eddy's question in the discussion.
good day
This request has been evaluated as per sections 1, 5 and 15 of the official CA policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the ComSign CA and the ComSign Secured CA root certificates to Mozilla.

Section 4 [Technical]. I am not aware of any technical issues with certificates issued by ComSign, or of instances where they have knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. ComSign appears to provide a service relevant to Mozilla users: It is a private company owned by Comda, Ltd., and has issued electronic signatures to thousands of business people in Israel.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the Certification Practice Statement and the Security Certificate Approval Regulations For SSL Websites. The documents are provided in both Hebrew and English.

http://www.comsign.co.il/Images/Doc/English_CPS_final.doc
http://www.comsign.co.il/Images/Doc/CPS__SSL_EN.pdf

Section 7 [Validation]. ComSign appears to meet the minimum requirements for subscriber verification, as follows:

* Email: ComSign and/or its representatives will verify that the E-mail address is valid by sending mail to the customer and ask him to reply.

* SSL: For SSL certificate applications, an investigation will be performed to confirm that the domain for which the certificate is requested is registered in the organization’s name. 

* Code: ComSign’s CPS describes reasonable measures to verify the identity and authorization of the certificate requester. 

Section 8-10 [Audit]. Section 8-10 [Audit].  ComSign recently underwent an audit using the ETSI TS 101 456 criteria. The audit statement has been attached to this bug, and the authenticity of the statement has been verified. 

Section 13 [Certificate Hierarchy]. 
* The ComSign CA root has six internally-operated subordinate CAs that are used for issuing digital ID's to individuals and corporations in accordance with the Israeli Electronic Signature Law. The request is to only enable the email trust bit for this root.
* The ComSign Secured CA has two internally-operated subordinate CAs that are used for issuing certificates for SSL and for code-signing. The request is to enable the websites and code signing trust bits for this root.

Other: ComSign issues its CRL every 24 hours. OCSP is not provided.

Potentially problematic practices: There are no known potentially problematic practices for these two roots.

Based on this assessment I recommend that Mozilla approve this request to add the ComSign CA and the ComSign Secured CA root certificates to Mozilla; and enable the Email trust bit for the ComSign CA root, and enable the Websites and Code Signing trust bits for the ComSign Secured CA root.
To Kathleen: Thank you for your work on this request.

To Micah Dor and other representatives of ComSign: Thank you for your cooperation and your patience.

To all others who have commented on this bug: Thank you for volunteering your time to assist in reviewing this CA request.

I have reviewed the summary and recommendation in comment #41, and on behalf of the Mozilla project I approve this request from ComSign to add the following root certificates to NSS, with trust bits set as indicated:

* ComSign CA (email use only)
* ComSign Secured CA (SSL and object signing)

Kathleen, please do the following:

1. File the necessary bug against NSS.
2. Mark this bug as dependent on the NSS bug.
3. When the NSS bug is complete, change the status of this bug to RESOLVED
FIXED.

Thanks in advance!
Whiteboard: In Public Discussion → Approved
Depends on: 490487
I have filed bug 490487 against NSS for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
good day 
we have new Root Ca for Comsign.
Comsign Global Root CA.
Hash algorithm Sha256 with public key 4096.
Attached file Comsign Global Root CA
thi is our new Root CA
Attachment #548377 - Attachment mime type: text/plain → application/x-x509-ca-cert
 (In reply to comment #46)
> Created attachment 548377 [details]
> Comsign Global Root CA
> 
> thi is our new Root CA


I have created bug #675060 to open the request to include this new root certificate.
ComSign - a legitimate electronic signature certifier, or a large-scale con by the government of the State of Israel?

ComSign is a private corporation, which was established through a dubious process as the only certifying authority for electronic signatures, which is recognized by the State of Israel.  ComSign issues certificates of authenticity.  However, to this date, after reviewing thousands of judicial records and other legal public records of the State of Israel, a single visible certificate is yet to be discovered. At least one browser (Mozilla) is documented refusing to recognize SomSign certificates, for failure to produce audit records.  The evidence discovered to this date, does not enable one to discern: Is ComSign a legitimate electronic signature certifier, or a large-scale con on the People by the government of the State of Israel?  In effort to resolve the dilemma, sample digital certificates were requested from both ComSign and the Ministry of Justice of the State of Israel. The responses hold particular significance to Human Rights and banking regulation in the State of Israel.

[][]

As part of efforts to discern the nature of ComSign, LTD, and its conduct as sole certifying authority for the State of Israel, Joseph Zernik, PhD, of Human Rights Alert (NGO), has filed requests with the Ministry of Justice of the State of Israel [1] and ComSign, LTD, [2] for sample certificates of electronic signatures, pursuant to the Electronic Signature Act (2001).

Little noticed, unannounced regime change took place in Israel in the early 2000s with the passage and implementation of the Electronic Signature Act (2001), the new Regulations of the Courts -  Office of the Clerk (2004), and the concurrent implementation of new electronic record systems in the courts of the State of Israel: [3] 
The Electronic Signature Act (2001) established certified digital signatures for State officers and attorneys appearing in courts, and prescribed that a Magistrate Judge be appointed by the Minister of Justice, holding the office of "Registrar of Certifying Authorities", to oversee the implementation of the database of certified digital signatures.  However, Freedom of Information response by the Ministry of Justice states that no individual was appointed for a full decade, until 2011, to hold that office.  Regardless, individuals falsely appeared in the intervening years as "Registrar of Certifying Authorities" and conducted business on behalf of that office, promulgated guidelines, filed annual reports with the legislature (Knesset) and engaged in enforcement, all with no lawful authority. Through such conduct, ComSign, LTD, was established as the sole certifying authority of electronic signatures for the State of Israel.  With it, the digital seal of the State of Israel was effectively hijacked. [4] 
New electronic record systems were concurrently implemented in the courts of the State of Israel.  The 2010 State Ombudsman's Report 60b [5] documents that the systems were developed and implemented in violation of State law and regulations: 
The systems were developed with no specifications 
Development of the systems was delegated to corporations with no bidding (US-based corporations, IBM and EDS, were involved in this project) 
Development was conducted with no core supervision by State employees 
The systems were received with no independent testing by the State client. 
The servers, holding the records of the courts of the State of Israel were removed to corporate grounds, and are not under State control.  
The Regulations of the Court - Office of the Clerk (2004) were amended in 2005, in conjunction with implementation of the new electronic record systems in the courts. The amendment permitted the Director of Administration of Courts to modify the Regulations as necessary in the process of implementing the systems. [5]  The Director of the Administration of Courts has never published the modification that were introduced in the Regulations under such authority, and the Administration of Courts refuses to answer on any Freedom of Information requests, pertaining to the electronic record systems. [3] 
During the relevant period (2001-2012), seven (7) different individuals, affiliated with various political parties, served as Justice Ministers of the State of Israel: Meir Shitrit, Yosef Lapid, Tzipi Livni, Haim Ramon, Ehud Olmert, Daniel Friedman, and Yaakov Neeman. [14]

One of the notable features of the new electronic record systems is neither a single visible certified digital signature, pursuant to the Electronic Signature Act (2001), nor a single certified server has been discovered in recent review of thousands of public legal records.  [4]  All decisions of the Supreme Court are now published as electronic record, unsigned and uncertified, subject to "editing and phrasing changes", and the Supreme Court refuses to duly serve its decisions on parties to litigation. [3]

In parallel, the Human Rights Alert (NGO) 2012 report [3] documents the proliferation of simulated records in the Supreme Court of the State of Israel, conduct of simulated review of cases before the court, [6] and fraud in certification of decisions of Supreme Court by the Chief Clerk of the Supreme Court. [9] Falsification of records in the District Court in Tel Aviv was documented by the Israel Bar Association [8], and falsification of records in the Detainees Courts was reported by Haaretz daily. [10]

Separately, the Administration of Courts denied a Freedom of Information request for the appointment records of the Chief Clerk of the Supreme Court, claiming that is was a "record of internal deliberation." [9]

Several individuals, appearing under various titles,  were central to the fraud in implementation of the Electronic Signature Act (2001): 
1) Meir Shitrit 
2001-3 - Minister of Justice,  signed Electronic Signature Act (2001) and oversaw the first couple of years of its implementation; 
2) Yoram HaCohen 
- Head of the Justice, Information, Technology Authority; 
- Registrar of Databases in the Ministry of Justice; 
- Registrar of Certifying Authorities" pursuant to the Electronic Signature Act (2001). 
3) Amit Ashkenazi 
- Legal Counsel of the Justice, Information, Technology Authority; 
- Registrar of Certifying Authorities" pursuant to the Electronic Signature Act (2001). 
Of particular concern is in this context is the nature of ComSign, LTD, and its conduct as sole certifying authority for the State of Israel.

The ComSign Certification Practice Statement opens with the following: [11] 
1.1.1. ComSign’s electronic certificate issuing services have been created to 
support secured E-commerce and additional electronic services to 
provide a solution to the technical, business and personal needs of 
electronic signature technology users. ComSign is registered as a CA at 
the CA registrar as defined by the Law[Electronic Signature Act (2001)of the 
State of Israel - jz]and is acting as a reliable third party that issues, 
manages, and revokes electronic certificates according to these procedures. 
The English web site of Comsign states under "Solutions", "Electronic Signatures": [11] 
Electronic signatures 
In the last decade, the ability to transfer data electronically has developed enormously. One of the key problems in developing transfer technology is authenticating the web surfer - the identity of the specific person who has performed an action on the internet cannot be known. This inability to identify prevents innumerable entities from providing services via information transfer technology and thus many procedures are still "stuck", cumbersome and bureaucratic. 
Electronic signatures have existed for many years already, and in 2001 the Knesset even passed the Electronic Signature Law, which reduced the gap between the authorities from the legal aspect and the existing technology. 
An electronic signature is an encrypted file attached to a message or document which allows identifying its sender and guarantees that the original content of the message or document has not been changed since being signed, and if it has been changed, the reader will receive a warning that the document is not complete compared to the original document that was signed. 
Digital signatures are based on methodical theory and by using complex algorhythms they prevent break-ins and/or changes to a document without the knowledge of the document signatory/reader. 
How can we recognize a digitally signed file/message? 
One must ensure that the [] sign appears, which confirms that the message was signed electronically. 
However, the space, designated for the image of the "sign", was left blank.  Review of thousands of judicial records and other legal public records of the State of Israel failed to discover a single visible certified digital signature.

The English web site of Comsign state, under "Solutions", "SSL": [11] 
SSL 
Secure Sockets Layer (SSL) is a method of encrypting and protecting secure web pages. Secure pages are those where the communication between them and the browser is encrypted and the identity of the company or person representing the pages can be clarified. 
When a web surfer reaches a secure page, the lock symbol ( [] ) appears at the top and bottom of the browser, and sometimes it even makes a locking sound. 
These indicate to the web surfer that the page is secure. Double-licking the lock symbol while visiting a secure page will display the identity of the company that owns the secure pages. (When clicking on the lock, it is recommended to check the name of the company responsible for the encryption and not be tempted to give your details to just any ephemeral company which has fabricated an opportunity for themselves). 
In this case, the symbol of SSL is shown. However, review of the web pages of ComSign itself, of the courts of the State of Israel, and other Israeli government web pages failed to discover any web page showing the SSL sign.

Some light is shed on this case in correspondence from 2003-2012 between ComSign, LTD, COO, and Mozilla, the non profit browser maker, asking to have ComSign added to the Mozillas root CA store: [11] 
Comment 1Gervase Markham [:gerv] 2007-06-01 08:29:49 PDT 
- Do you offer OCSP service? 

- Can you confirm you are, as you say, planning to issue EV certificates (http://www.cabforum.org)?

- Please also tell us how you comply with sections 8, 9 and 10 of our CA policy: http://www.mozilla.org/projects/security/certs/policy/ (the sections relating to audits). You say you are audited by the Israeli Ministry of Justice, but we would need to know to which of our accepted standards the audit was conducted, and to have published evidence of the occurrence of the audit. (The Verisign affiliation and the fact that you are in the Microsoft store are not relevant to this question.)

Thanks,

Gerv

Comment 2Gervase Markham [:gerv] 2007-06-27 08:04:02 PDT 

Mr Harei: Are you able to answer my questions? If not, the bug will be closed.

Gerv

Comment 3Ran Harel 2007-06-27 08:09:37 PDT 

Hi Gerv, sorry for the delay

1. We do not currently offer OCSP service.

2. We are not currently planning on issuing EV certificates.

3. Since all audits were/are conducted for the Israeli Ministry of Justice, they are in Hebrew, and so we are in the process of translating and notarizing them for this purpose. If there is any other way to get this approval please tell me.

Thank you,

Ran

Comment 4Gervase Markham [:gerv] 2007-06-27 08:41:09 PDT 

Ran,

It may well be useful to have your audit documents translated - but the key questions are:

- Who did the audit?

- To what standard (e.g. WebTrust, ETSI) was the audit done?

Are you able to answer these two questions?

Gerv

Comment 5 Gervase Markham [:gerv] 2007-08-15 08:08:47 PDT 

Resolving INCOMPLETE due to lack of input from reporter.

Gerv 
As of this date, ComSign is still listed on the Pending Requests List, although on April 8, 2012, the accountants office Sharoni, Shefler et al (CPAs) issued an audit statement. [11]  In contrast, Comsign does appear on the approved list of IBM and Microsoft corporations. [11]

It should also be noted, that when trying to open the root certificates of ComSign, Microsoft Windows issues a security warning: "Unknown Publisher".

The experience gained in Israel, relative to implementation of the Electronic Signature Act (2001) and the new electronic records systems of the courts, demonstrates: 
The Executive had no intention of complying with the Electronic Signature Act (2001); 
The Judiciary were intimately involved in the conduct related to undermining the integrity of court record in the State of Israel; 
The Legislative is not ready, willing, able to exert oversight - individuals fraudulently appeared and filed annual reports with the Knesset as "Registrars of Certifying Authorities", pursuant to the Act. 
"Given the involvement in recent years of senior officers of all three branches of government in undermining the integrity of the justice system of the State of Israel, the only conceivable solution is in the establishment of a Truth and Reconciliation Commission," says Joseph Zernik, PhD, of Human Rights Alert.

Events that have taken place in Israel over the past decade also demonstrate that the biggest hacking risk to government data systems is from 'inside jobs' by government officials, and that no government should be trusted with constructing such systems, absent adequate transparency and public oversight.  

The electronic record systems of the courts in the United States were compromised a couple of decades earlier. Today, fraud in the electronic record systems of the many of the states (SUSTAIN) and the federal (PACER, CM/ECF) courts is rampant. [12] 

Corruption of the courts in the United States is most notably seen in abuse of Human Rights and failing banking regulation. [13] 

Conditions that have been established in the State of Israel pose similar risks to Human Rights and banking regulation in the State of Israel.  Israeli computing and encryption experts, some of the best in the world, should hold a particular civic duty in the safeguard of Human Rights and banking regulation in the State of Israel in the digital era.

LINKS:
[1] 12-06-27 Freedom of Information Request on the Ministry of Justice in re: Certified Digital Signatures of Officers of the Ministry of Justice s
http://www.scribd.com/doc/98529841/
[2] 12-07-06 Request filed with ComSign, LTD, for sample certified electronic signatures of the State of Israel s
http://www.scribd.com/doc/99331565/
[3] 12-06-04 Human Right Alert's Appendix to Submission; 15th UPR Working Group Session (Jan-Feb 2013) - State of Israel: Integrity, or lack thereof, of the electronic record systems of the courts of the State of Israel 
http://www.scribd.com/doc/82927700/ 
[4] 12-06-25 PRESS RELEASE: Hijacking of the Digital Seal of the State of Israel
http://www.scribd.com/doc/98120110/ 
[5] 10-00-00 State of Israel - Ombudsman's Report 60b, Ministry of Justice Computerization (2010) p 693 Et Seq
http://www.scribd.com/doc/50624862/ 
[6] 04-11-25 Takanot Batey Hamishpat - Mazkirut (2004) // Regulations of the Courts - Offices of the Clerks (2004) (Heb + Eng)
http://www.scribd.com/doc/48770720/ 
[7] 11-12-19 Simulated Records, Simulated Litigation Enabled by the Electronic Record Systems of the Supreme Court of the State of Israel (English) s
http://www.scribd.com/doc/73239491/ 
[8] 12-04-16 PRESS RELEASE: Criminal Fraud Complaint Against SARAH LIFSCHITZ, Chief Clerk of the Supreme Court of the State of Israel, Filed Today With Israel Policehttp://www.scribd.com/doc/89681591/ 
[9] 12-04-10 The Judge Alsheikh Affair – “Reconstructed Transcript” in the Tel-Aviv District Court _ Globe
http://www.scribd.com/doc/90686541/ 
[10] 11-02-08 Dana Weiler: Court issues ruling, with quotes, from a nonexistent hearing - Haaretz
http://www.scribd.com/doc/48769638/ 
[11] 12-07-06 ComSign, LTD - sole certifying authority of electronic signatures for the State of Israel - compilation of corporate records
http://www.scribd.com/doc/99350885
[12] 11-07-06 Request filed by Windsor and Zernik with US Attorney General Eric Holder for Review of Integrity of Public Access and Case Management Systems of the US Courts
http://www.scribd.com/doc/59480718/ 
[13] 12-06-08 Courts and Judges as racketeering enterprises under RICO (the Racketeer Influenced and Corrupt Organizations Act) - key element in the current financial 
http://www.scribd.com/doc/96504009/ 
[14] 12-07-06 List of Justice Ministers of the State of Israel 2001-2012 _ Wikipedia 
http://www.scribd.com/doc/99346540/
(In reply to jz12345 from comment #48)
I am sorry, I don't understand lawerish, and it is very difficult for me to distinguish between legal letters and spam messages. Can you please summarize your message so we could understand faster what's the problem and what should be fixed? Thanks.

(I have recommendation for a good local lawyer who could help us solve such issues in case it is required)
(In reply to jz12345 from comment #48)

Please concisely state the problem that you are trying to report. I was not able to figure it out by reading this comment and the email that you sent.
Hi,

We changed our verification steps, please let us know if those matched with all your requirements.


1)	While Comsign coordinator agent speaking with the applicant on the phone, the agent will send an email to the Applicant with a unique code that's dedicated to his email address. The applicant will read the unique code, the agent will check if the code matches.
  

2)	Comsign coordinator will forward the information to the validation team.


3)	The applicant arrives to Comsign offices, to complete a full authentication & verification process. The validation team will check again the email address if it matches the previous email address.
The applicant will than SIGN the forms and approve again the email address for the certificate.

4)	If the applicant arrived without an appointment Comsign will send to the applicant the unique code. We will provide to the applicant the necessary documents and an access to the internet. The applicant will have to confirm the unique password he received from Comsign to his email address.
Attached file Comsign-2014-Audit.pdf
Product: mozilla.org → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.