Closed
Bug 526181
Opened 15 years ago
Closed 14 years ago
Add Spanish government DNIe root certificate
Categories: CA Program :: CA Certificate Root Program (task)
Tracking: (Not tracked)
Status: RESOLVED WONTFIX
People: Reporter: broiler.underscore, Assigned: kathleen.a.wilson
Details: Whiteboard: information incomplete
Attachments: 4 files
User-Agent: Mozilla/5.0 (X11; U; Linux i686; es-ES; rv:1.9.0.14) Gecko/2009090216 Ubuntu/8.10 (intrepid) Firefox/3.0.14
Build Identifier:

Once the DNIe project has definitely taken off (over 12000000x2 certificates issued), managers consider there are enough users affected, so it's important for the project to have the root CA included in Mozilla's products. As you can suppose, most Spanish citizens use the tandem Mozilla/DNIe to identify themselves and interact with both governmental and private on-line services; here you have a big (but not full) list of e-services accepting DNIe certificates: http://www.dnie.es/servicios_disponibles/index.html

The DNIe root CA was included in the Windows Root Certificate Program but we *know* that it's not enough. We're sure that this inclusion will benefit a huge number of users, 'cause a root CA that the user must check and accept by oneself is a risk.

Details:
Organization: Direccion General de la Policia.
Web-site: www.policia.es
The organization is the National Police Force in Spain, responsible for issuing the national ID card, compulsory for every citizen over 14 years old.
The PKI includes three subordinate CAs. The validation activity has been segregated in order to improve privacy.
General standards applied: ETSI TS 102 042, ETSI TS 101 456, ETSI TS 101 862, CWA 14167, CWA 14172, CWA 14890.

Certificate details:
Root: CN=AC RAIZ DNIE, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES
Subord_1: CN=AC DNIE 001, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES
Subord_2: CN=AC DNIE 002, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES
Subord_3: CN=AC DNIE 003, OU=DNIE, O=DIRECCION GENERAL DE LA POLICIA, C=ES
Notes: The number of subordinate CAs will be increased if necessary. There are no third parties, no cross-signing and no cross-trusted certificates.

Certificate HTTP download URL: http://www.dnie.es/ZIP/ACRAIZ-SHA2.zip
Version: 1.0
SHA1 Fingerprint: b3 8f ec ec 0b 14 8a a6 86 c3 d0 0f 01 ec c8 84 8e 80 85 eb
Modulus length: 4096
Valid From: 02/16/2006
Valid To: 02/08/2036
CRL HTTP URL: Not accessible externally.
CRL issuing frequency: 24 hours or after every revocation; the second option is the most frequent, actually the only one because of the number of users.
OCSP URL: http://ocsp.dnie.es
Certificate Policy URL: http://www.dnie.es/PDFs/politicas_de_certificacion.pdf
Trust bits: SSL/TLS & code/document signing

I hope I haven't forgotten anything.

Reproducible: Always
Updated•15 years ago (Assignee)
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Request for inclusion of the Spanish governmental DNIe root-CA certificate in Mozilla products. "AC RAIZ DNIE" → Add Spanish government DNIe root certificate
Comment 1•15 years ago (Assignee)
Comment 2•15 years ago (Assignee)
The attached document summarizes the information that has been gathered and verified for this request. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Comment 3•15 years ago (Reporter)
First of all, we appreciate that you include Spanish accented vowels in the text of the Bugzilla Summary. We never do it whilst writing in English because it usually generates "noise" in the client of the recipient if the right character set has not been selected.

And now, you're right about a mismatch in the SHA-1 fingerprint we sent. The reason is that there are two DNIe root certificates. Back in 2006, a number of products, almost all of them running under Windows and including Windows XP itself, lacked the capability to handle certificates generated using pkcs1-sha256WithRSAEncryption. We got in contact with Microsoft and they asked for a moratorium in order to actualize their system. Today there is no version of Windows showing this shortage (at least that's what we hope), so there's no reason to keep the root certificate generated with pkcs1-sha1WithRSAEncryption. So, the right SHA1 fingerprint of the root certificate is the one you say:

22 29 f0 56 d3 4d 1c b6 3e 98 6f 26 b2 d0 8a b9 4f f0 8e 4d

If you need a redundant check, please consult the BOE nr. 64 (03/16/006); the BOE is the Spanish Official State Gazette where laws are published when they become effective. It's hard to find things there so, for your convenience, here you have a link to the document: www.boe.es/boe/dias/2006/03/16/pdfs/A10668-10717.pdf The item is numbered as 4841 and the legal name is "ORDEN INT/738/2006". If you need a translation, please let me know.

The telephone number you gathered is the first point of contact if you want to talk with someone in the Corporation, but it'll be faster to dial 00-34-91-8968425; you'll find us there more directly.
Comment 4•15 years ago (Assignee)
Thank you for the clarifications. Please add the other information to this bug too, when ready.
Whiteboard: information incomplete
Comment 5•15 years ago (Assignee)
Please review this version of the document for accuracy and completeness. The items highlighted in yellow indicate where further information or clarification is needed.
Comment 6•14 years ago (Reporter)
Please, be patient. I've not forgotten this issue, just a huge amount of work. I'm on it.
Comment 7•14 years ago (Reporter)
Still on it; I hope to insert the required stuff during the next week. Thanks for your patience.
Comment 9•14 years ago (Reporter)
Well. Thank you for your patience. Here's the outcome of *all* these days. When Kathleen told me, a few months ago, that a realistic length of the first stage was 2 months, I never thought that she was being that optimistic :-)

The attached document is the original one modified with some answers, remarks, translations and corrections. I've respected the initial content and added my stuff after every question, in bold letters. Although I only use OpenOffice, the file format is .DOC. I double-checked the document but... if you see something wrong or misplaced, please let me know. I think it's clear enough, but I don't bet at all. Kindly awaiting your comments.
Comment 10•14 years ago (Assignee)
Thank you for the information. I have a few follow-up items.

1) No public CRL or OCSP for SSL cert

The primary website currently of interest in regards to enabling the websites trust bit for this root is https://www.citapreviadnie.es

The SSL cert does not have a CRL Distribution Point extension. The SSL cert also does not have an AIA extension pointing to the OCSP responder URL.

You have stated:

    Actually, that service has been secured with a certificate issued by an internal PKI, not the DNIe one, and (for the time being) not a candidate to be universally trusted. That, and no other, is the reason for this process: we would like to secure www.citapreviadnie.es with a server certificate issued by a subordinate CA of AC RAIZ DNIE. Besides, there's no public CRL Distribution Point for AC RAIZ DNIE and its subordinates because the validation service is offered through OCSP. CRLs are considered sensitive information, only accessible by VAs such as FNMT-RCM, the Spanish Royal Mint.

And:

    There is no AIA (non-critical) extension in that certificate. This "lack" was assumed as a good option because of the documented risk of unbounded recursions when validating. That's why the only place where you can find the URI is in the CPD. The responder pointed to by http://ocsp.dni.es only knows about citizen certificates.

This raises questions about including this root and enabling the websites trust bit. If this root inclusion request is just for one public-facing domain name, then there are probably better options than including this root in NSS. For instance, the sub-CA could be cross-signed by another root that is already included in NSS.

I have not seen a root certificate get approved for inclusion in NSS for which both CRL and OCSP were not publicly supported. For all of the root certificates that I have seen get approved for inclusion in NSS, the SSL certs have had an extension either for CRL or OCSP, or both.

2) SSL Domain Ownership/Control

You have requested that the websites trust bit be enabled for this root. Therefore, we are particularly interested in your process for approving SSL certificates. As you indicated, and as we must assume, there is the possibility that you will issue SSL certificates to other organizations in the future.

Section 7 of the Mozilla CA Policy, http://www.mozilla.org/projects/security/certs/policy, states: "for a certificate to be used for SSL-enabled servers, the CA takes reasonable measures to verify that the entity submitting the certificate signing request has registered the domain(s) referenced in the certificate or has been authorized by the domain registrant to act on the registrant's behalf;"

Please also see https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Domain_Name_Ownership

There needs to be clear documentation in a public and audited document, such as the CP, which explains the verification procedures for confirming that the certificate subscriber owns/controls the domain to be included in the certificate.

3) Audit

The audit criteria that Mozilla accepts are:
    ETSI TS 101 456
    ETSI TS 102 042
    WebTrust Principles and Criteria for Certification Authorities

There needs to be an auditor's statement that one of these audit criteria was used in the evaluation, or perhaps that the criteria that were used are equivalent.
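Added example, not part of this bug and not code from the DNIe project or from Mozilla: a small POSIX shell script with the two checks a reviewer of a request like this one runs against a certificate file. The first compares a certificate's SHA-1 fingerprint with the value claimed in the request, the mismatch Comment 3 turned on; the second reports whether an end-entity certificate carries a CRL Distribution Points extension and/or an OCSP URI in its Authority Information Access extension, the two extensions Comment 10 found missing on the server certificate. It assumes the openssl command-line tool (1.1.1 or newer); the certificates it inspects are generated locally as constructed sample data under the placeholder name sample.invalid, not the real DNIe certificates.

```shell
# Added example (not from the bug or the DNIe PKI). Requires the openssl CLI.
# Sample certificates are generated locally; sample.invalid is a placeholder.

# Print the SHA-1 fingerprint as lowercase hex bytes separated by spaces,
# the notation the bug description uses.
sha1_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 \
        | cut -d= -f2 | tr 'A-F' 'a-f' | tr ':' ' '
}

# Exit 0 when the file's fingerprint equals the claimed one. The claimed
# value may use spaces, colons or no separators, in either case.
fingerprint_matches() {
    claimed=$(printf '%s' "$2" | tr -d ' :' | tr 'A-F' 'a-f')
    actual=$(sha1_fingerprint "$1" | tr -d ' ')
    [ "$claimed" = "$actual" ]
}

# Print the revocation pointers a certificate advertises.
# Exit 0 if a CRL DP or an OCSP AIA entry is present, 1 if neither is,
# 2 if the file cannot be parsed.
revocation_pointers() {
    text=$(openssl x509 -in "$1" -noout -text) || return 2
    found=1
    crl=$(printf '%s\n' "$text" | sed -n '/CRL Distribution Points/,/URI:/p' \
          | grep -o 'URI:.*' | head -n 1)
    if [ -n "$crl" ]; then
        echo "CRLDP: ${crl#URI:}"
        found=0
    fi
    ocsp=$(printf '%s\n' "$text" | grep -o 'OCSP - URI:.*' | head -n 1)
    if [ -n "$ocsp" ]; then
        echo "OCSP:  ${ocsp#OCSP - URI:}"
        found=0
    fi
    [ "$found" -eq 0 ] || echo "no CRL DP and no OCSP AIA: relying parties have nowhere to check revocation"
    return "$found"
}

# Generate a self-signed sample certificate (constructed data, not a real
# DNIe certificate). $1 = output PEM path, $2 = extra X.509v3 extension
# lines in openssl config syntax (may be empty).
make_sample_cert() {
    cfg=$(mktemp)
    cat > "$cfg" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3
[dn]
CN = sample.invalid
O = Constructed sample
[v3]
basicConstraints = CA:FALSE
$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$cfg" \
        -keyout "${1%.pem}.key" -out "$1" 2>/dev/null
    status=$?
    rm -f "$cfg"
    return "$status"
}

# Build one certificate with both pointers and one with neither, then run
# the checks on each, the way Comment 10 did on the real server certificate.
demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir/with-pointers.pem" \
"crlDistributionPoints = URI:http://crl.sample.invalid/ca.crl
authorityInfoAccess = OCSP;URI:http://ocsp.sample.invalid"
    make_sample_cert "$dir/bare.pem" ""
    for name in with-pointers bare; do
        echo "== $name.pem  (sha1 $(sha1_fingerprint "$dir/$name.pem"))"
        if revocation_pointers "$dir/$name.pem"; then
            echo "   -> revocation status can be checked"
        else
            echo "   -> would fail the check raised in Comment 10"
        fi
    done
    rm -rf "$dir"
}

demo
```

The fingerprint comparison normalises both sides, so a value pasted from a gazette, a bug comment or an openssl dump compares correctly whatever separators it uses; a mismatch here is a signal to ask which of possibly several root certificates the request actually means, which is exactly what happened in Comment 3.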
Comment 11•14 years ago (Reporter)
Thanks for such a long wait, Kathleen. After a number of considerations and high-level decisions, the conclusion is not to include this certificate in your project. There's a Governmental initiative, involving the Spanish Ministry of Science and Innovation, aimed at deploying a CA which is specialized in issuing Spanish electronic "seats". Maybe this is a more suitable root certificate to include in your products. Once again, thanks. If you don't have any question, you can close this bug.
Comment 12•14 years ago (Assignee)
Thank you for your careful consideration and response. I will close this bug.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program