add Serasa root CA certificates

RESOLVED INCOMPLETE

Status

NSS
CA Certificate Root Program
--
enhancement
RESOLVED INCOMPLETE
10 years ago
a year ago

People

(Reporter: Frank Hecker, Assigned: Kathleen Wilson)

Details

(Whiteboard: information incomplete)

Attachments

(4 attachments)

(Reporter)

Description

10 years ago
I received the following request; note that this request is independent of the ICP-Brasil request (bug 438825), as it involves Serasa's own root CAs, *not* subordinate CAs under the ICP-Brasil root:

Serasa is a Certificate Authority under ICP-Brasil, the Brazilian government PKI. We also have some CAs not under ICP-Brasil. These CAs are already in Microsoft Browser (since Feb 2005).

We would appreciate to submit our CAs under Mozilla CA Program.

* Company name and address information:
Serasa S.A.
Alameda dos Quinimuras, 187
CEP 04068-900
São Paulo
SP – Brazil

* Company Web page address (that is, URL):
www.certificadodigital.com.br ; www.serasa.com.br

* Number of roots you would like to submit: 4

* What is the business purpose of the certificates issued from this root certificate? What business is this root enabling?

Serasa is one of the biggest Certificate Authorities in Brazil. With these CAs available in Mozilla, Serasa will create broad value for clients that use this Platform. Serasa's CA roots included in Mozilla platforms will facilitate the access of Serasa and Mozilla clients to programs that use Serasa's digital certificates.

Serasa CA I provides and sells digital certificates for general public that need to sign any kind of electronic documents or be authenticated in a website. In the 1st moment, Serasa will provide personal digital certificates for their information suppliers that use EDI over internet to send digital documents to Serasa. A huge number of this public works with Mozilla Platform and it will be easier if they can use a digital certificate that is signed by a root that is already part of Mozilla programs. Otherwise, all these suppliers will have to install manually by themselves Serasa's root.

Serasa CA II provides and sells server and code signing certificates for companies that need to authenticate their servers (websites) or sign downloadable executable codes. Recognizing Serasa's root, Mozilla Platform will permit the users of these sites to easily identify and trust in the website or downloaded code. Users won't have to download by themselves the roots that sign the server certificate and it will make access easier and more trustful for all involved. Additionally, Serasa will certificate all its websites with Serasa CA II server certificates.

Serasa CA III provides CA certificates for Serasa and their clients in CA business. It permits any company to support its internal process with a PKI that is already recognized by Mozilla Programs. This will permit companies to base the use of digital certificates in Mozilla platforms.

Serasa CA IV provides and sells digital certificates for general public that need to sign any kind of electronic documents or be authenticated in a website with winlogon characteristics.

* To whom will you issue certificates? For example, the general public, members of a certain organization, and so on.
1st CA: issue client certificates to general public
2nd CA: issue server and code signing certificates to general public
3rd CA: issue CA certificates to general public
4th CA: issue client certificates to general public

* What Extended Key Usages does the root require? For example, SSL server authority, secure e-mail, code signing, and so on.
1st CA: issue client certificates: E-mail protection, client authentication, timestamping
2nd CA: issue server certificates: server authentication, Signing of downloadable executable code, timestamping
3rd CA: issue CA certificates: E-mail protection, server authentication, Signing of downloadable executable code, client authentication
4th CA: issue client certificates: E-mail protection, client authentication, timestamping, winlogin

* Pointers to Certificate Practice Statement
http://www.certificadodigital.com.br/repositorio/serasaca/pc/Serasa CA-PC.doc
http://www.certificadodigital.com.br/repositorio/serasaca/dpc/Serasa CA-DPC.doc
(Assignee)

Comment 1

10 years ago
Patricia,

You have been identified as the technical contact for this CA request, so I added you to the cc-list for this bug.

The next step in processing this request is to have you or another representative of Serasa provide certificate information for each of the 4 roots as outlined in https://wiki.mozilla.org/CA:Information_template.

Thanks,
Kathleen
Created attachment 347518
Information about 4 Serasa CAs roots
Created attachment 347519
Auditor letter

Auditor letter related to 4 CAs root request from Serasa
(Assignee)

Comment 4

10 years ago
While I am able to download and open the zip file for the attachment in Comment #2, I am unable to open anything but xml files.  Is there a particular way this attachment should be opened?

The Auditor letter is from 2004. Do you have an auditor letter from this year?
Created attachment 349739
Comment 2 in RTF version

I've attached the same document in RTF format.
About the audit report, it's the last one related to these CAs.
(Assignee)

Comment 6

10 years ago
Created attachment 349867
Initial Information Gathering Document

Attached is the initial information gathering document which summarizes the data that has been gathered and verified. Within the document the items highlighted in yellow indicate where more information or further clarification is needed.  I will summarize here.

1) We will need a recent (within one year) audit report or statement that meets the requirements of sections 8, 9, and 10 of http://www.mozilla.org/projects/security/certs/policy/

2) Please translate sections 3.1.8 and 3.1.9 of the CP/CPS into English.  Do these procedures apply to all end-entity certificates issued from all 4 of these roots? Are there any SSL Certificates issued from any of these roots in which the Identity and/or Organization is not verified?

3) As per section 7 of http://www.mozilla.org/projects/security/certs/policy/ please provide the section numbers and translate the relevant text from the CP or CPS into English that demonstrates that reasonable measures are taken to verify the following information for end-entity certificates:

a) for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;

Note: This might be in section 3.1.10 of the CP and CPS.  Need proper translation into English.

b) for a certificate to be used for digitally signing and/or encrypting email messages, the CA takes reasonable measures to verify that the entity submitting the request controls the email account associated with the email address referenced in the certificate or has been authorized by the email account holder to act on the account holder's behalf; 

Note: It is possible that this is covered in the CPS in sections 2.3.2, 4.1, and 4.2. Need proper translation into English.

c) for certificates to be used for digitally signing code objects, the CA takes reasonable measures to verify that the entity submitting the certificate signing request is the same entity referenced in the certificate or has been authorized by the entity referenced in the certificate to act on that entity's behalf;

Note: I believe this is in CP/CPS section 3.1.9.

4) Please review the potentially problematic practices, as per http://wiki.mozilla.org/CA:Problematic_Practices, and provide further information for the items that are relevant.

5) For testing purposes, please provide
a) Certificate chaining up to Serasa Certificate Authority I
b) URL to a website whose SSL certificate chains up to Serasa Certificate Authority II
c) URL to a website whose SSL certificate chains up to Serasa Certificate Authority III
d) Certificate chaining up to Serasa Certificate Authority IV
Good evening,
I'll take about a month to provide all your requests.

Best Regards
Patricia Leite
normalize subject
Summary: Request to add Serasa root CA certificates → add Serasa root CA certificates
(Assignee)

Updated

9 years ago
Whiteboard: information incomplete
(Assignee)

Comment 9

8 years ago
There has been no activity in this bug for over a year.

Is this request obsolete?
(Assignee)

Comment 10

8 years ago
Closing bug due to no recent response from CA.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INCOMPLETE

Updated

a year ago
Product: mozilla.org → NSS