Closed Bug 593805 Opened 14 years ago Closed 12 years ago

Add PROCERT AC Certificate as trust anchor

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: mozilla.psc.procert, Assigned: kathleen.a.wilson)


(Whiteboard: In NSS 3.15, Firefox 23)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8 ( .NET CLR 3.5.30729)

This issue is related to bug 489240.

Reproducible: Always

Actual Results: The PROCERT AC Certificate is not included in the Firefox trust repository of trusted Certification Authorities.

Expected Results: Error message in the process of recognition of the AC PROCERT Certificate; it appears as an untrusted certificate.
Are you a representative of AC ProCert?
Assignee: nobody → kathleen95014
Component: General → CA Certificates
OS: Windows XP → All
Product: Firefox → mozilla.org
QA Contact: general → ca-certificates
Hardware: x86 → All
Version: unspecified → other
Assuming that you are please read through https://wiki.mozilla.org/CA:How_to_apply and prepare the required information.
Attachment #472379 - Attachment mime type: image/jpeg → application/rar
Attachment #472380 - Attachment mime type: image/jpeg → application/pdf
Attachment #472382 - Attachment mime type: image/jpeg → application/pdf
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: Recognition of PROCERT AC Certificate as a trust anchor → Add PROCERT AC Certificate as trust anchor
Attached file PSC Procert Certificate (obsolete)
The attached document summarizes the information that has been gathered and verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Attached file CPS WITH OUT SECURITY
Attached file CPS WITH OUT SECURITY
Attachment #476889 - Attachment mime type: image/png → application/rar
Attachment #476890 - Attachment mime type: image/png → application/rar
I get an error when I try to download the document attached in Comment #8. Would you please try attaching it again? For the attachments in Comments #9 and #10 I get the same downloaded file. It is a .rar file, and I don't have an app that will decompress that format. Can you attach a .pdf of the file instead?
Whiteboard: Information incomplete
Attached file PROCERT CPS
By Government resolution, from January 1st 2011 all PROCERT certificates will be issued with SHA-256 and 2048-bit key length.
Please re-attach the documents (Comments #8, 9, and 10) as .pdf files. I cannot open .rar files. There are plenty of free PDF Converters available online.

> By Government resolution from January 1th 2011 all PROCERT certicates
> will be issue with SHA.256 and 2.048 key length.

OK, please provide a link or attach the SHA256 root when it is available.
Will be available from January 1st, 2011. We will send the information link on December 15, 2010.
Attached file PROCERT CPS
Dear Kathleen Wilson, please find the CPS of PROCERT in Word format.
The latest PROCERT CPS (Comment #16) was somehow attached as a text/html file. I believe that for a word doc, if you attach it with auto-detect, it should work. Also, the last attachment (Comment #18) was attached as image/png, and gives an error when I click on it.
Attachment #484401 - Attachment mime type: image/png → application/pdf
Attachment #484333 - Attachment mime type: text/html → application/doc
Procert has made this mistake when attaching anything to a bug (https://bugzilla.mozilla.org/show_activity.cgi?id=593805). Not sure if it is security through obscurity or just a mistake. Clicking on the details link for the attachment and the edit link in the attachment view will allow you to manually correct mime types for attachments.
Thanks Kevin. I can now download and view those two documents. Procert, what format is the attachment of Comment #8 supposed to be?
Attachment #476885 - Attachment mime type: image/png → application/pdf
Re Comment #21, I changed the mime type as Kevin suggested to application/pdf, and it works now.
Attachment #476889 - Attachment mime type: application/rar → application/pdf
The items highlighted in yellow indicate where further information or clarification is needed.
Dear Kathleen Wilson, we made our comments to 485343. Separately, we provided the link to test the SSL certificate. Best regards.
Attachment #493711 - Attachment mime type: image/png → application/pdf
Thank you for the information. According to the PROCERT CPS page 33: "PROCERT’s Registration Authority (RA) will reschedule an appointment for just one (1) time and will notify the contracting user by electronic mail. If the contracting client does not notify his impossibility of attendance for a rescheduling appointment, and does not attend at the set appointment, PROCERT Registration Authority (RA) will proceed to cancel the requirement and impose a penalty established by the contracting process, to which the client accepted at the moment of purchasing an electronic certificate." Based on the information you provided, it sounds like this is the mechanism that the RA uses to check that the certificate subscriber owns/controls the domain name to be included in the certificate. Please describe the email addresses that the RA may use in this step. For instance, where does the email address come from? What are the possible email addresses that may be used?
Dear Kathleen Wilson, please find attached the model e-mail sent from PROCERT AR. Regarding the SSL certificates, we want to know whether it is possible to send you an SSL certificate to test, or whether you need a test environment for your evaluation? Best, Oscar Lovera
Attachment #497260 - Attachment mime type: image/png → application/pdf
> Please find attached the email model sending from PROCERT AR.

Thanks.

What email addresses are the RA allowed to use when they send this email? When doing an email-based challenge-response test to confirm that the cert subscriber owns/controls the domain to be included in the certificate, Mozilla recommends limiting the list of email address that may be used as described here:
https://wiki.mozilla.org/CA:Problematic_Practices#Email_Address_Prefixes_for_DV_Certs

> Respecto the SSL certificates, we want to know the possibility to send
> you a SSL certificate to test it or if you need a test environment
> to your evaluation?

For our evaluation, please provide a URL to a website whose SSL certificate chains up to PSC Procert. This can be a test website.

From https://wiki.mozilla.org/CA:Recommended_Practices#OCSP

To test in Firefox:
* Go to Tools -> Options -> Advanced -> Encryption -> Validation
* Check the box for "When an OCSP server connection fails, treat the certificate as invalid"
* You may need to clear your cache
* Browse to a website whose SSL certificate chains up to your root and has the corresponding OCSP URI in the AIA extension.

While we expect the CA to perform this testing first, we also request that the CA provide a URL to a test website so that we may also test.
(In reply to comment #28)

Dear Kathleen,

As requested, here is the address that must be accessed to validate the SSL certificate issued by PROCERT. The address is:
https://mail.procert.net.ve/exchweb/bin/auth/owalogon.asp?url=https://mail.procert.net.ve/exchange&reason=0

Important: because the PROCERT certificate is not published in the browser, you must download the root certificate at the following address:
https://ura.procert.net.ve/pscprocert/cadena.p7b

Please contact us for any clarification or further consideration.

Best regards.
Oscar Lovera
Dear Kathleen, I made a mistake. The correct link to test the SSL certificate is https://mail.procert.net.ve/exchange Oscar Lovera
Additionally, all e-mails from PROCERT AR are signed with an electronic signature. Oscar Lovera
I have imported (into my Firefox browser) the PSC Procert Certificate that is attached to this bug at https://bugzilla.mozilla.org/attachment.cgi?id=474826

Subject:
CN = PSC Procert
C = VE
O = Sistema Nacional de Certificacion Electronica
OU = Proveedor de Certificados PROCERT
ST = Miranda
L = Chacao
E = contacto@procert.net.ve

When I try to browse to https://mail.procert.net.ve/exchange I get:
Error code: sec_error_unknown_issuer
Dear Kathleen, please check PROCERT comment #13: "By Government resolution from January 1th 2011 all PROCERT certicates will be issue with SHA.256 and 2.048 key length." In order to execute the migration to SHA-256, PROCERT generated a new certificate. Please see this link: https://ura.procert.net.ve/pscprocert/PSCProcert.cer Right now you are using a certificate that is no longer valid (SHA-1). Best Regards, Oscar Lovera
Please attach the correct cert to this bug, and also the corresponding root cert that signed it.
Dear Kathleen, please see our comment #34. PROCERT provided an explanation and a link to the correct certificate. Please let us know if the information provided isn't enough for the evaluation. Best Regards. Oscar Lovera
The link in Comment #34 doesn't work as expected for me. Usually when I click on a .cer link in my Firefox browser one of two things happens:
1) Firefox pops up the window asking if I want to trust/import the certificate.
2) Firefox pops up the window to download the file, and then I can open the Certificate Manager and import that file.
Dear Kathleen, please find attached SUSCERTE's and PROCERT's certificates. Please feel free to validate them. We await your comments. Best, Oscar Lovera
Dear Kathleen, please let us know if you want additional information, in order to complete all the information that Mozilla needs to validate before approving the inclusion of PROCERT as a trust anchor. Best Regards. Oscar Lovera
I just imported the new PSCProcert and tried to access the test website, https://mail.procert.net.ve/exchange

I got the following error:
An error occurred during a connection to mail.procert.net.ve.
The OCSP response contains out-of-date information.
(Error code: sec_error_ocsp_old_response)
Attached file PSCProcert Certificate
Attachment #474826 - Attachment is obsolete: true
Updating the Info Gathering Doc to give a clear picture of the status of this request. The items highlighted in yellow indicate where further information is needed from the CA.
Dear Kathleen, after several tests during the last week, the technical staff from PROCERT could not recreate the error shown in your last comment. Please try the OCSP test again. If the error happens again, please let us know. An image of the error could help us understand it better. A similar error appears when the computer clock has a different time zone. We have now seen your last attachment. PROCERT will provide all the information as soon as possible. Best regards. Oscar Lovera
Dear Kathleen, just to know whether you have already seen our comments. Best, Oscar Lovera
I just browsed to https://mail.procert.net.ve/exchange from within my Firefox browser, and the following gets displayed:
An error occurred during a connection to mail.procert.net.ve.
Renegotiation is not allowed on this SSL socket.
(Error code: ssl_error_renegotiation_not_allowed)

I checked, and I do have the PSCProcert imported, and the websites trust bit turned on. I also have OCSP enforced.
OCSP

> In this particular point, we referred to RFC2560
> see http://www.normesinternet.com/normes.php?rfc=rfc2560&lang=es.
> The use of port 80 could increase the potential risk of denial attack services.
> PROCERT established the port 8001 to OCSPconsultation, for improve the
> security of operations, by recommendations of our AC software provider
> (WISEKEY) and by interpretation of RFC 2560 and best practices.
> Please let us to know Mozilla point of view in this particular topic.

That's interesting. I wonder if that's the same WISeKey that has a root in NSS as per bug #467138. The test website provided was https://secure.certifyid.com/certifyid/accounts/. The AIA extension in the SSL cert has OCSP URI http://ocsp.wisekey.com/ which means they used a standard port for their OCSP service.

As per https://wiki.mozilla.org/CA:Recommended_Practices#OCSP we have been requiring CAs to use a standard port for their OCSP service.

DOMAIN NAME VALIDATION

> To validated domain names PROCERT made the duly consult to
> http://www.whois.net/ and http://www.nic.ve/ The client must need to provide
> the information according to the same register at Whois.net or Nic.ve. The
> information provided by the client, need to match with the registers of
> Whois.net or Nic.ve. Without the right documentation and register, PROCERT
> will abstain of process any request.

Great. This is what I need to find. Where is this documented in the CP or CPS?

EMAIL ADDRESS VALIDATION

> PROCERT AR sends an email to costumer requesting information.

What email address does the RA use to send this? e.g. is it the email address that will be included in the certificate?

> PROCERT AR shall execute telephone calls, in order to validated all
> information from the costumer.

Who does the RA call? Where does the RA find the phone number? e.g. from public records? Or does the RA just call the phone number provided by the certificate subscriber?

> When a costumer request information to buy a certificate, receive an email
> from PROCERT AR with full information. This offered the warranty to provide
> in each time the full information that the client needs.
> PROCERT CPS contains documents that are requested to client. These documents
> may vary and clients are informed by e signed at every opportunity. Is thus
> the purpose to prevent constant changes in the CPS PROCERT derived from
> changes in requirements (inclusion or exclusion of any of them). The CPS's
> integrity will be protected to unnecessary changes.

There must be sufficient information in the CP/CPS for the Mozilla community to be able to determine if the requirements of section 7 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html are met.
I successfully browsed to the test website, without error.

> Today PROCERT does the consult to SUSCERTE (Root Certificate /
> Administrative Authority in Venezuela) in order to change the OCSP
> port to 80. We waiting for SUSCERTE´s approval for execute the change.

We can proceed, under the assumption that this will be addressed.

> Domain Name Ownership/Control

When I read section 8.3.1 of the CPS I see that the RA verifies the identity of the certificate subscriber. While that is good, the CP/CPS must also outline the minimum steps that the RA must take to confirm that the certificate subscriber owns or controls the domain name to be included in the certificate.

> Email address ownership/control

In addition to verifying the identity and authority of the certificate subscriber, the CP/CPS must also outline the minimum steps that the RA must take to confirm that the certificate subscriber owns or controls the email address to be included in the certificate.
Attached file CPS PROCERT
CPS PROCERT last version
Dear Kathleen,

We attached the latest version of the PROCERT CPS. We got the authorization from SUSCERTE to change the OCSP port. That document includes your comments about:
- Domain Validation
- Email Validation
- OCSP service (we changed port 8001 to port 80)

If the documents and changes are OK, please let us know the estimated date to finish your validation. Please do not hesitate to contact us for additional commentary or information requests.

Best Regards.
Oscar Lovera
Thanks for the info. Will the same updates be made to the CPS on the website? https://www.procert.net.ve/eng/documentos/dpc.pdf

Please also update the SSL cert for the test website, https://mail.procert.net.ve/exchange, to have the new OCSP URI in the AIA.

When audit statements are provided by the company requesting CA inclusion rather than having an audit report posted on the website such as cert.webtrust.org, the Mozilla process requires doing an independent verification of the authenticity of audit statements that have been provided. Therefore, I looked up the auditor's contact information on the SUSCERTE website, http://www.suscerte.gob.ve/index.php/es/certificacion/registro-de-auditores, and I sent an email to the auditor.
Attached file Answers Comment 52
Dear Kathleen, please check our answer to comment 52. Best regards. Oscar Lovera
Thanks for the information.

As per Comment #52, I sent email to the auditor on March 21. The auditor has not yet responded.

In regards to the proposed text in the English version of the CPS...

- The domain name validation information is a good start. Based on previous discussions, I expect that folks will request further details be added. For instance, does PROCERT do anything with the information obtained from whois.net and nic.ve other than comparing with the information provided by the certificate subscriber? What information must match? Is a phone call made or email sent to the technical or administrative contact field of the domain's WHOIS or NIC record?

- For email address verification, the English CPS says: "To validate email address PROCERT AR sends an email to costumer requesting information." This should be more clear that the PROCERT AR sends email to the email address to be included in the certificate. The email should contain some non-predictable information that the subscriber must then use or respond with to confirm that the owner of the email address actually received the email and responded.

Other: Based on current discussions in mozilla.dev.security.policy, it will be a problem that the "PSC Procert" CA directly signs end-entity certificates. Please check with SUSCERT about you creating intermediate CAs that you own and operate, and move to using your intermediate CAs to sign end-entity certs.
I have received the following in email from the auditor: We hereby confirm the authenticity of the Audit statement issued on July, 20th 2010. The SUSCERTE local standard # 040, (Guide of technology standards and security guidelines for the accreditation of Certification Service Providers) (www.suscerte.gob.ve) specifically indicate the use of ETSI TS 102 042 v 1.1.1 as a reference to guide the Audit process. Consequently we have used the updated version of the ETSI TS 102 042 v 1.4.3 standard.
Dear Kathleen, Please check our answers to comments 55 and 56. Best Regards. Oscar Lovera
The items highlighted in green indicate the updates that will be needed before public discussion starts.
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are directly impacted by the time it takes to work through the queue. The goal is to have each discussion take about two weeks. However, that time varies dramatically depending on the number of reviewers contributing to the discussion, and the types of concerns that are raised. If no one reviews and contributes to a discussion, then a request may be in the discussion for several weeks. When there are not enough people contributing to the discussions ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue? You can help by reviewing and providing your feedback in the public discussions of root inclusion requests, or by asking a knowledgeable colleague to do so. Participating in other discussions is a great way to learn the expectations and be prepared for the discussion of your request. Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Please also make sure that the four items in green in the "Completed Information Gathering Document" are done before this request reaches the top of the queue.
Whiteboard: Information incomplete → Information confirmed complete
Attached file Answers comments 59
When I try to browse to https://mail.procert.net.ve/exchange in Firefox 4.0 with OCSP enforced, I get the following error:
The OCSP server found the request to be corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_request)

See https://wiki.mozilla.org/CA:Recommended_Practices#OCSP for information about how to enforce OCSP in Firefox (e.g. show the error when OCSP fails).
For the clarifications about domain and email validations, please provide the url and section numbers where I may find the updated text.
I have successfully browsed to the test website via Firefox with OCSP enforced. I have also reviewed both the Spanish and the English versions of the CPS documents that are published on the PROCERT website, and confirm that they have the updated information. This request is still in the queue for discussion: https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Please review the CA Communication that was recently sent, and is available here: https://wiki.mozilla.org/CA:Communications Please add a comment to this bug to provide your response to the action items listed in the CA Communication. For more information about action items #1 and #3, please see items #6 and #7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
Attached file ANSWER COMMENTS 66
Dear Kathleen, please check our answer to comment 66. Best regards. Oscar Lovera
Thank you for your prompt response to Comment #66. I am glad to hear that the annual audit for PROCERT was completed in August. When it is available, please attach the public-facing audit statement to this bug.

In regards to the CA Communication, in addition to the annual audit, please confirm that you have done the following, and will do the following on a regular basis:
-- Check for mis-issuance of certificates, especially high-value domains.
-- Review network infrastructure, monitoring, passwords, etc. for signs of intrusion or weakness.
-- Ensure Intrusion Detection Systems (IDS) and other monitoring software is up-to-date.
-- Confirm that you will be able to shut down certificate issuance quickly if you are alerted of intrusion.

In regards to your question about section 8 of Mozilla's CA Certificate Inclusion Policy, http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html:

"When the CA uses an email challenge-response mechanism to validate that the certificate subscriber has control of the requested domain, the CA must either use a mail system address from the technical or administrative contact information in the domain's WHOIS record, or one formed by prefacing the registered domain with one of the following local parts: admin, administrator, webmaster, hostmaster, or postmaster."

The intent of this requirement is to limit the types of email addresses that may be used for performing email challenge-response to confirm that the certificate subscriber owns/controls the domain. In other words, the CA should use one of the listed email addresses; the CA does not need to use all of them. If the CA sends email to the technical or administrative contact listed in WHOIS, then the CA does not need to send email to the other listed addresses. PROCERT (according to the CPS) already satisfies this requirement because PROCERT sends email to the technical or administrative contact as listed in the domain's WHOIS record.
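The address restriction from the policy text quoted in the comment above, together with the non-predictable challenge value asked for earlier in the thread, as an added example; this is not PROCERT's RA software or a Mozilla tool. It assumes the caller already knows the registrable domain of the requested name and has the domain's WHOIS contacts in hand; the sample records in the test are constructed.

```python
"""E-mail challenge-response domain validation, per the policy text quoted above.

Added example; not PROCERT's RA software and not a Mozilla tool. The caller
supplies the registrable domain of the requested name and the domain's WHOIS
contacts (looking those up is out of scope here). Sample values are constructed.
"""
import hmac
import secrets

# Local parts the quoted policy section allows at the registered domain.
PERMITTED_LOCAL_PARTS = ("admin", "administrator", "webmaster", "hostmaster", "postmaster")
# WHOIS roles the policy allows; the registrant contact is deliberately absent.
PERMITTED_WHOIS_ROLES = ("admin", "tech")


def normalize(address: str) -> str:
    """Trim and lower-case so case or whitespace cannot slip past the check."""
    return address.strip().lower()


def permitted_challenge_addresses(registered_domain: str, whois_contacts: dict) -> set:
    """Every address the RA may send the challenge to for `registered_domain`.

    `whois_contacts` maps WHOIS role names (e.g. "admin", "tech",
    "registrant") to e-mail addresses, as a hypothetical WHOIS lookup would.
    """
    domain = registered_domain.strip().lower().rstrip(".")
    allowed = {f"{local}@{domain}" for local in PERMITTED_LOCAL_PARTS}
    for role in PERMITTED_WHOIS_ROLES:
        if whois_contacts.get(role):
            allowed.add(normalize(whois_contacts[role]))
    return allowed


def is_permitted_challenge_address(address: str, registered_domain: str,
                                   whois_contacts: dict) -> bool:
    return normalize(address) in permitted_challenge_addresses(registered_domain, whois_contacts)


def issue_challenge(address: str, registered_domain: str, whois_contacts: dict) -> str:
    """Return the non-predictable value to put in the challenge e-mail.

    Refuses any address outside the policy, so an address typed in by the
    subscriber (the concern raised in this thread) can never receive the
    challenge. The RA stores the returned token with the pending request.
    """
    if not is_permitted_challenge_address(address, registered_domain, whois_contacts):
        raise ValueError(f"{address} is not a permitted challenge address for {registered_domain}")
    return secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG


def verify_response(expected_token: str, presented_token: str) -> bool:
    """Compare what the subscriber sent back; constant time so the check
    does not leak how many leading characters matched."""
    return hmac.compare_digest(expected_token, presented_token)
```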
Attached file Answer Comment 69
This request is at the top of the queue for public discussion.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

I have a few more questions before I start the discussion...

Are the following statements still accurate?
"PSC Procert is signed by the SUSCERT root. PSC Procert signs end-entity certificates directly. PSC Procert has not signed any intermediate certificates."

Has your 2012 annual audit been completed?

What is your status in regards to complying with the CAB Forum Baseline Requirements? (https://www.cabforum.org/Baseline_Requirements_V1.pdf)
Please find attached our answers to yours questions.
The PSC PROCERT annual audit is almost completed. Currently we have the preliminary report, which we have attached. Under the scope of the audit, the final report presentation will be on October 5th, 2012. The preliminary report shows full compliance by PSC PROCERT with all regulations under Venezuelan law and international technical requirements.
Attachment #529851 - Attachment is obsolete: true
I am now opening the first public discussion period for this request from PROCERT to add the “PSCProcert” certificate and enable all three trust bits.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.
http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “PROCERT Trust Anchor Inclusion Request”

Please actively review, respond, and contribute to the discussion. A representative of PROCERT must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
Public discussion comment:

Test Website: https://mail.procert.net.ve/exchange
In this certificate, the certificatePolicies extension uses 2.5.29.32 as the declared policyId, which is not valid.

PROCERT answer: The PROCERT team is working on it. PROCERT is asking for an authorization from SUSCERTE in order to proceed to change the OIDs and adjust to the correct OID. PROCERT needs to wait for SUSCERTE's authorization. We will inform you when the change is done. We hope to complete the whole process in a period of time no longer than 4 business days.

Public discussion comment:

* OCSP http://ura.procert.net.ve/ocsp
The OCSP responder certificate also has a bad certificatePolicies extension. The OCSP responder certificate doesn't have the ocspNoCheck extension, mandatory for CABForum Basic Requirements.

PROCERT answer: Tomorrow in our platform, the PROCERT operational team will proceed to check the ocspNoCheck extension in order to validate the Mozilla observation and resolve any issue. We will inform you when the change is done.
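The two certificate defects reported in the public discussion (a certificatePolicies policyId of 2.5.29.32, and a responder certificate without ocspNoCheck), plus the OCSP port question raised earlier in the thread, as an added example that a reviewer could run against decoded extension bytes; it is not PROCERT's, WISeKey's or Mozilla's tooling. It uses only the standard library, with a minimal DER reader, and every byte string and URI in it is constructed for the demonstration (the 1.3.6.1.4.1.99999.1.2 policy OID is a hypothetical private-enterprise arc).

```python
"""Checks for the X.509 defects raised in the public discussion, and the OCSP port.

Added example, not PROCERT's, WISeKey's or Mozilla's tooling. A minimal DER TLV
reader (standard library only) is used to:
  * pull the policyIdentifiers out of a certificatePolicies extension value and
    flag one that is itself an extension OID (2.5.29.32 is id-ce-certificatePolicies,
    not a certificate policy);
  * list the extnIDs of an Extensions SEQUENCE and look for id-pkix-ocsp-nocheck,
    which an OCSP responder certificate needs;
  * check whether an AIA OCSP URI uses the standard HTTP port.
All byte strings and URIs below are constructed for the demonstration.
"""
from urllib.parse import urlparse

ID_CE_ARC = "2.5.29"                          # id-ce: the arc where extension OIDs live
ID_PKIX_OCSP_NOCHECK = "1.3.6.1.5.5.7.48.1.5"


def read_tlv(data: bytes, pos: int):
    """Decode one DER TLV starting at `pos`; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    """Convert OID content octets to dotted notation (first octet packs two arcs)."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                      # high bit clear ends a base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def policy_identifiers(cert_policies_der: bytes) -> list:
    """certificatePolicies ::= SEQUENCE OF PolicyInformation; each PolicyInformation
    starts with policyIdentifier OBJECT IDENTIFIER (policy qualifiers are skipped)."""
    tag, seq, _ = read_tlv(cert_policies_der, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        oid_tag, oid_content, _ = read_tlv(info, 0)
        if oid_tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def bad_policy_identifiers(cert_policies_der: bytes) -> list:
    """policyIdentifiers that are extension OIDs rather than certificate policies."""
    return [o for o in policy_identifiers(cert_policies_der)
            if o == ID_CE_ARC or o.startswith(ID_CE_ARC + ".")]


def extension_oids(extensions_der: bytes) -> list:
    """Extensions ::= SEQUENCE OF Extension { extnID OID, critical BOOLEAN DEFAULT
    FALSE, extnValue OCTET STRING }; only extnID is read here."""
    _, seq, _ = read_tlv(extensions_der, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_content, _ = read_tlv(ext, 0)
        oids.append(decode_oid(oid_content))
    return oids


def has_ocsp_nocheck(extensions_der: bytes) -> bool:
    """Responder certs carry id-pkix-ocsp-nocheck so relying parties do not go
    back to OCSP to check the responder's own status."""
    return ID_PKIX_OCSP_NOCHECK in extension_oids(extensions_der)


def ocsp_uri_uses_standard_port(uri: str) -> bool:
    """The thread asks for a standard port: plain http on 80 (or no explicit port)."""
    u = urlparse(uri)
    return u.scheme == "http" and (u.port is None or u.port == 80)


# Constructed: certificatePolicies whose only policyId is 2.5.29.32 (the reported defect).
WRONG_POLICIES = bytes.fromhex("30073005" "0603551d20")
# Constructed: a private policy OID under a hypothetical PEN, 1.3.6.1.4.1.99999.1.2.
OK_POLICIES = bytes.fromhex("300e300c" "060a2b06010401868d1f0102")
# Constructed: Extensions holding just id-pkix-ocsp-nocheck with a NULL value.
NOCHECK_EXTS = bytes.fromhex("3011300f" "06092b0601050507300105" "04020500")
EMPTY_EXTS = bytes.fromhex("3000")
```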
The PROCERT team completed the changes. To validate, please access the link https://mail.procert.net.ve/exchange. You will notice the change of OID and the changes related to the activation of the ocspNoCheck extension. Best Regards. Oscar Lovera
Please find attached the final report corresponding to audit process 2012. Best Regards. Oscar Lovera
(In reply to Procert from comment #79)
> Created attachment 672757
> Audit 2012 final Report

I have exchanged email with the auditor to confirm the authenticity of the attached audit statement. This auditor is a SUSCERTE accredited auditor as per http://www.suscerte.gob.ve/index.php/es/certificacion/registro-de-auditores.
The public comment period for this request is now over. This request has been evaluated as per Mozilla’s CA Certificate Policy at http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “PSCProcert” certificate and enable all three trust bits.

Section 4 [Technical]. I am not aware of instances where PROCERT has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. PROCERT appears to provide a service relevant to Mozilla users. It is a private entity within the Venezuelan Bolivarian Republic, which issues certificates to public and private users in Venezuela.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS documents. The CPS has been translated into English. The CP documents are in Spanish.

PROCERT CA Information: https://www.procert.net.ve/eng/procertca.asp
Document Repository: https://www.procert.net.ve/eng/declaration.asp
CPS (English): https://www.procert.net.ve/eng/documentos/dpc.pdf
SSL CP: https://www.procert.net.ve/eng/documentos/pc7.pdf
Email CP: https://www.procert.net.ve/eng/documentos/pc10.pdf
Code Signing CP: https://www.procert.net.ve/eng/documentos/pc9.pdf

Since this cert is signed by the SUSCERT root, PROCERT must also comply with the SUSCERT DPC/PC documents listed here: http://acraiz.suscerte.gob.ve/?q=node/2

Section 7 [Validation]. PROCERT appears to meet the minimum requirements for subscriber verification, as follows:
* Email: According to CPS section 8.3.2.2, PROCERT confirms ownership/control of the email address to be included in the certificate via a challenge-response email process.
* SSL: According to CPS section 8.3.2.2, PROCERT confirms ownership/control of the domain name to be included in the certificate by consulting www.whois.net and www.nic.ve. Additionally PROCERT sends emails to all the email addresses appearing in the whois or nic records, and those email messages request authorization from the email account holder.
* Code: According to CPS sections 8, 14, and 16, PROCERT confirms the organization, the identity of the certificate subscriber, and their authority to request the certificate on behalf of the organization.
* Not requesting EV treatment

Section 15 [Certificate Hierarchy].
** PSC Procert is signed by the SUSCERT root.
** PSC Procert signs end-entity certificates directly.
** PSC Procert has not signed any intermediate certificates.

The “PSCProcert” certificate is signed by the “Autoridad de Certificacion Raiz del Estado Venezolano” root certificate owned by SUSCERTE (Superintendencia de Servicios de Certificación Electrónica), a national government CA that is part of the Ministry of People's Power for Telecommunications and Informatics in the Bolivarian Republic of Venezuela. In Bug #489240 it was determined that SUSCERTE’s sub-CAs should apply for inclusion themselves as separate trust anchors.

* CRL http://ura.procert.net.ve/lcr/procertca.crl
CPS section 22.8: The CRL is published every twenty four (24) hours
* OCSP http://ura.procert.net.ve/ocsp

Sections 9-11 [Audit]. Annual audits are performed by SUSCERTE accredited auditors (http://www.suscerte.gob.ve/index.php/es/certificacion/registro-de-auditores) according to ETSI TS 102 042 criteria. Audit statements have been attached to this bug, so I have exchanged email with the auditors to confirm authenticity of the statements.
2012: https://bugzilla.mozilla.org/attachment.cgi?id=672757
2011: https://bugzilla.mozilla.org/attachment.cgi?id=577346
2010: https://bugzilla.mozilla.org/attachment.cgi?id=472380

Based on this assessment I intend to approve this request to add the “PSCProcert” certificate and enable all three trust bits.
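The hierarchy described in the assessment above (a national root, a sub-CA that is itself the trust anchor, and end-entity certificates signed directly by that sub-CA) has a verification consequence worth seeing in practice: the anchor is not self-signed, so a path validator must be told to stop at it. The following shell script is an added example, not part of this bug or PROCERT's own material. It builds a throwaway three-level hierarchy with the openssl CLI (all names, URLs and keys are constructed), verifies a leaf with the sub-CA alone as anchor, and extracts the CRL distribution point and OCSP responder from the sub-CA certificate, which are the values a reviewer compares against the URLs stated in an inclusion request.

```shell
#!/bin/sh
# Added example: toy hierarchy root -> sub-CA (trust anchor) -> leaf.
# Everything here is constructed; no real CA material is used.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. Self-signed root, standing in for the national root.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
  -subj "/CN=Example National Root (constructed)" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1

# 2. Sub-CA signed by the root. pathlen:0 means it may sign only end-entity
#    certificates, matching "signs end-entity certificates directly" and
#    "has not signed any intermediate certificates". The CRL DP and OCSP
#    URLs are constructed placeholders.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=Example Sub-CA (constructed)" \
  -keyout "$WORK/subca.key" -out "$WORK/subca.csr" >/dev/null 2>&1
printf '%s\n' \
  'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' \
  'crlDistributionPoints=URI:http://crl.example.invalid/subca.crl' \
  'authorityInfoAccess=OCSP;URI:http://ocsp.example.invalid/' \
  > "$WORK/subca.ext"
openssl x509 -req -in "$WORK/subca.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/subca.ext" \
  -out "$WORK/subca.pem" >/dev/null 2>&1

# 3. End-entity certificate signed directly by the sub-CA.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -subj "/CN=www.example.invalid" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
printf '%s\n' \
  'basicConstraints=CA:FALSE' \
  'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' \
  'subjectAltName=DNS:www.example.invalid' \
  > "$WORK/leaf.ext"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/subca.pem" -CAkey "$WORK/subca.key" \
  -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# Verify the leaf with the sub-CA as the only trusted certificate. Because the
# sub-CA is not self-signed, OpenSSL must be told that a trusted non-root may
# terminate the path (-partial_chain); this is what "include the sub-CA as a
# separate trust anchor" means for a validator.
verify_with_subca_anchor() {
  openssl verify -partial_chain -CAfile "$WORK/subca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same store, default rules: the path cannot reach a self-signed root, so
# validation fails with "unable to get issuer certificate".
verify_without_partial_chain() {
  openssl verify -CAfile "$WORK/subca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Print the revocation endpoints encoded in the sub-CA certificate.
revocation_urls() {
  openssl x509 -in "$WORK/subca.pem" -noout -text | grep 'URI:'
}

if verify_with_subca_anchor; then
  echo "sub-CA as anchor with -partial_chain: leaf verifies"
fi
if ! verify_without_partial_chain; then
  echo "sub-CA as anchor without -partial_chain: rejected (no self-signed root reachable)"
fi
echo "Revocation endpoints in the sub-CA certificate:"
revocation_urls
```

The same distinction exists in NSS: a non-self-signed certificate carrying trust flags is honoured as an anchor by NSS itself, but a deployment that re-exports the store into a validator with stricter defaults needs to check that the sub-CA is still treated as an anchor rather than as an orphaned intermediate.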
Whiteboard: In public discussion → Pending Approval
To the representatives of PROCERT: Thank you for your cooperation and your patience. To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request. As per the summary in Comment #81, and on behalf of Mozilla I approve this request from PROCERT to include the following root certificate in Mozilla products: ** "PSCProcert" (websites, email, code signing) I will file the NSS bug to include this root cert.
Whiteboard: Pending Approval → Approved - awaiting NSS
Depends on: 810010
I have filed bug #810010 to include the "PSCProcert" certificate as a trust anchor in NSS.
Dear Kathleen, we have not received any email with information about the inclusion. How much longer will the process take? We would appreciate any information about the batch publication. Best Regards and a happy new year.
Dear Kathleen, we have not received any email with information about the inclusion. How much longer will the process take? We checked the last update from Mozilla and the PROCERT certificate was not shown: http://www.mozilla.org/en-US/firefox/18.0/releasenotes/ We would appreciate any information about the batch publication. Best Regards and a happy new year. Oscar Lovera
Please add a comment to this bug to provide your response to the action items listed in the CA Communication that was sent today, and is available here: https://wiki.mozilla.org/CA:Communications#January_10.2C_2013
Attached file ANSWERS COMMENT 86
Dear Kathleen, Please find our answer to comment 86. Please do not hesitate to contact us for additional information. Best Regards. Oscar Lovera
Dear Kathleen, We would appreciate any information about the inclusion of the PROCERT certificate into the Mozilla trusted anchor list. Best Regards. Oscar Lovera
Dear Kathleen, Please let us know when the root group will proceed with the inclusion of PROCERT's certificate. The original date for inclusion was December 2012. Now Q1 of 2013 is finished and PROCERT's certificate is still not in the browser. Please understand that the delay affects our business plan and the commercialization of PROCERT's products (certificates). We really appreciate your best effort to complete this issue as soon as possible. Best Regards, Oscar Lovera
Dear Kathleen, Thanks for your answer. When do you think the NSS bug will be ready? Best Regards. Oscar Lovera
Dear Kathleen Wilson, As a representative of PROCERT, I, Oscar Lovera, under affidavit confirm that the root included in the NSS root CA test list corresponds with the Venezuelan root of certification. Please remember, PROCERT is a sub-CA under the Venezuelan root of certification ("Sistema Nacional de Certificacion Electronica"). Best Regards, Oscar Lovera
Please find attached the final report from the audit of PROCERT corresponding to 2013
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → In NSS 3.15, Firefox 23
Would someone from PROCERT please contact me or respond in this bug? All of my emails to addresses at @procert.net.ve keep bouncing with errors that look like:

Final-Recipient: rfc822; contacto@procert.net.ve
Original-Recipient: rfc822;contacto@procert.net.ve
Action: failed
Status: 4.4.2
Diagnostic-Code: X-Postfix; lost connection with mail.procert.net.ve[201.234.237.116] while sending MAIL FROM
Attached file 2016-AuditStatement.pdf (obsolete)
Attachment #8783627 - Attachment is obsolete: true
Product: mozilla.org → NSS
Product: NSS → CA Program