Closed Bug 484171 Opened 11 years ago Closed 8 years ago

Add I.CA Root Certificate

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: stuna, Assigned: kwilson)

References

Details

(Whiteboard: information incomplete)

Attachments

(2 files)

User-Agent:       Opera/9.64 (Windows NT 6.0; U; cs) Presto/2.1.1
Build Identifier: 

CA Details
----------

CA Name:     [  První certifikační autorita, a.s.            ]

Website URL: [http://www.ica.cz/gb/                         ]

CA Summary: 
  [ 	První certifikační autorita, a.s. (First certification authority - I.CA), 
	was established using the combination of both top worldwide 
	and domestic know-how, and teams of top professionals 
	in the field of safety technologies and certification authorities. 
	At present I.CA is the largest provider in the field of issuing 
	and administrating the certificates in the Czech republic. 
	It renders its services in the Slovak republic as well. 
	There have been already more than million of issued certificates registered till today.
	- General nature - commercial,                		   
	- Primary geographical areas served: Czech Republic, Slovak Republic            
	- Number and type of subordinate CAs: none                ]     


Audit Type (WebTrust, ETSI etc.):  [    ETSI                       ]

Auditor:  [ RNDr. Jozef Vyskoč, Ph.D. ( CISA 9616941)                                                       ]

Auditor Website URL: [ N/A                                	    ]

Audit Document URL(s): 
  [       N/A                                          		    ]


URL of certificate hierarchy diagram (if available):
  [	N/A                                                    	    ]



Certificate Details - 1
--------------------
  
Certificate Name:  [  I.CA - Qualified root certificate		   ]

Summary Paragraph: []

Root certificate download URL (on CA website):
  [http://www.ica.cz/gb/menu/23/manage-certificates/i-ca-root-certificates/          ]
  [http://www.ica.cz/userdata/pages/4/qica_root_20080311.pem  ]

Certificate SHA1 Fingerprint (in hexadecimal):
  [ 64 90 2a d7 27 7a f3 e3 2c d8 cc 1d c7 9d e1 fd 7f 80 69 ea    ]

Key size (for RSA, modulus length) in bits: [    2048              ]

Valid From (YYYY-MM-DD): [      2008-04-01                                   ]
Valid To (YYYY-MM-DD):   [      2018-04-01                                   ]

CRL HTTP URL (if any):
  [http://qcrldp1.ica.cz/qica08.crl			]
  [http://qcrldp2.ica.cz/qica08.crl			]
  [http://qcrldp3.ica.cz/qica08.crl			]

CRL issuing frequency for subordinate CA certificates: [      N/A	]
CRL issuing frequency for subordinate EE certificates: [ every 24 hours ]

OCSP responder URL (if any):
  [	N/A                                                    ]

Class: [ N/A	]

Certificate Policy URL:
  [http://www.ica.cz/userdata/pages/2/CP_QCv2.5.pdf                                           ]

CPS URL:
  [	N/A                                                     ]

Requested Trust Indicators: [ N/A ]

URL of a sample website using a certificate chained to this root 
(if applying for SSL): [N/A]



Certificate Details - 2
-------------------
  
Certificate Name:  [ I.CA - Standard root certificate		 ]

Summary Paragraph: [ ]


Root certificate download URL (on CA website):
  [http://www.ica.cz/gb/menu/23/manage-certificates/i-ca-root-certificates/  ]
  [http://www.ica.cz/userdata/pages/4/sica_root_20080311.pem	]

Certificate SHA1 Fingerprint (in hexadecimal):
  [ ab 16 dd 14 4e cd c0 fc 4b aa b6 2e cf 04 08 89 6f de 52 b7    ]

Key size (for RSA, modulus length) in bits: [     2048             ]

Valid From (YYYY-MM-DD): [        2008-04-01                                   ]
Valid To (YYYY-MM-DD):   [        2018-04-01                       ]

CRL HTTP URL (if any):
  [http://scrldp1.ica.cz/sica08.crl                                ]
  [http://scrldp2.ica.cz/sica08.crl                                ]

CRL issuing frequency for subordinate CA certificates: [  N/A   ]
CRL issuing frequency for subordinate EE certificates: [ every 25 hours  ]

OCSP responder URL (if any):
  [N/A ]

Class: [N/A ]

Certificate Policy URL:
  [http://www.ica.cz/userdata/pages/2/CP_KC_21.pdf                  ]

CPS URL:
  [               N/A                                          ]

Requested Trust Indicators: [ N/A ]

URL of a sample website using a certificate chained to this root 
(if applying for SSL):
  [ https://www.portalzp.cz/czspa00.phtml                           ]


Reproducible: Always
Accepting this bug.

I will begin the Information Gathering and Verification phase soon as described
in https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attached is the Initial Information Gathering document, which summarizes the information that has been gathered and verified. Within the document the items highlighted in yellow indicate where further information is needed. I will also summarize below.

1) For each root, Please provide a diagram and/or description of the CA hierarchy. Including all of the intermediate CAs that chain up to the root, and indicating with roots/sub-CAs issue end-entity certs. Indicate which of the sub-CAs are operated internally and which are operated by third parties.
Have either of these roots been involved in cross-signing with another root?

2) Which trust bits do you want to enable for each root? The choices are Websites (SSL/TLS), Email (S/MIME), and/or Code Signing.

3) Do you perform identity/organization verification for all SSL certificates?
Is it ever the case for SSL certs that the domain name is verified, but the identity/organization of the subscriber is not verified?

4) For each root, Please provide translations into English of the sections of the CP/CPS documents pertaining to:
a) Verification of Identity and Organization
b) Verification of ownership/control of domain name
c) Verification of ownership/control of email address
d) Section 7 of http://www.mozilla.org/projects/security/certs/policy/
e) Potentially Problematic Practices, http://wiki.mozilla.org/CA:Problematic_Practices

5) Please provide a test cert for the Qualified root.

6) Please see sections 8, 9, and 10 of http://www.mozilla.org/projects/security/certs/policy/
We need a publishable statement or letter from an auditor (who meets the policy requirements) that states that they have reviewed the practices as outlined in the CP/CPS for these roots, and that the CA does indeed follow these practices and meets the requirements of one of:
ETSI TS 101 456
ETSI TS 102 042
WebTrust Principles and Criteria for Certification Authorities
Attached file Audit document
Thank you for attaching the audit report. I am not aware of this auditor’s qualifications, so I will have to do some extra verification.

Does this auditor have a website showing his qualifications? If so, please provide the url. If not, please attach his qualifications to this bug.
I have received email from my contact at ISACA stating the following: “I have found that Jozef Vyskoc is CISA certified.  He was certified on 30 October 1996 and is active and in good standing.”

Please send me the url to this auditor’s website showing his qualifications. If he does not have a website, then please attach his qualifications to this bug.
Whiteboard: information incomplete
Duplicate of this bug: 239408
I am still waiting for the information that I requested in Comment #2.
Closing this bug because the CA has not supplied the information listed in Comment #2, and it has been over two years. 

If the CA decides to proceed with requesting root inclusion, the CA may create a new bug and provide all the information listed here:
https://wiki.mozilla.org/CA:Information_checklist
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.