Add PSC-FII AC Certificate as trust anchor

Status: ASSIGNED
7 years ago
8 months ago

People

(Reporter: mosorio, Assigned: kwilson)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-verifying] - Need BR Self Assessment)

Attachments

(22 attachments, 1 obsolete attachment)

(Reporter)

Description

7 years ago
Created attachment 542160 [details]
Pantallazo.png

User Agent: Mozilla/5.0 (X11; Linux i686; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Build ID: 20110504060048

Steps to reproduce:

Our certificates are being used by major Venezuelan entities belonging to the Government on the security of your data. The users who have certificates we provide the requirement that certificates are supported by the Mozilla browser. By presidential decree, the public administration of the Venezuelan State must use all the tools on Free Software.
URL   ar.fii.gob.ve
1. When trying to connect to web servers with CA certificates generated by the PSC-FII, an exception appears indicating that the connection is unreliable
2. To enter the server, the exception must be confirmed
3. Another case is when users import the certificate to the browser: it fails to validate the chain of trust



Actual results:

Distrust of CA
Dissatisfied users.


Expected results:

Not display the exception, allowing the connection with the certificates of the PSC-FII CA is trusted
Group: core-security
(Reporter)

Comment 1

7 years ago
Created attachment 542166 [details]
PSC_FII Certificate Policy
(Reporter)

Comment 2

7 years ago
Created attachment 542167 [details]
Third Party Validation Letter
(Reporter)

Comment 3

7 years ago
Created attachment 542169 [details]
Resume of Third Party Auditor

Comment 4

7 years ago
Is this your application for inclusion per our certificate policy: http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html ?
(Reporter)

Comment 5

7 years ago
(In reply to comment #4)
> Is this your application for inclusion per our certificate policy:
> http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html ?


if this is a request for inclusion in their certificate policy
(Assignee)

Comment 6

7 years ago
Accepting this bug to begin processing as per:

https://wiki.mozilla.org/CA:How_to_apply
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
(Assignee)

Comment 7

7 years ago
Created attachment 542275 [details]
PSC-FII Certificate
(Assignee)

Comment 8

7 years ago
Please see https://wiki.mozilla.org/CA:Recommended_Practices#OCSP

I imported the “PSC Público del MCT para el Estado Venezolano” cert and tried to access https://ar.fii.gob.ve using my Firefox browser (with OCSP enforced), and I got the following error: 

An error occurred during a connection to ar.fii.gob.ve.
Invalid OCSP signing certificate in OCSP response.
(Error code: sec_error_ocsp_invalid_signing_cert)
(Assignee)

Comment 9

7 years ago
Also, please provide all of the information listed in items #3, #4, and #5 of

https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

I did not find sufficient information regarding the verification procedures in DPC_English.doc.
(Reporter)

Comment 10

7 years ago
Greetings, I would like to know if we can resume the process for inclusion in this certificate. and verify the information missing

thanks
(Assignee)

Comment 11

7 years ago
(In reply to Marianella from comment #10)
> Greetings, I would like to know if we can resume the process for inclusion
> in this certificate. and verify the information missing

We can proceed after a representative of this CA provides responses to Comment #8 (need test website whose SSL cert chains up to this root), and Comment #9.
(Reporter)

Comment 12

7 years ago
Please rerun test comment # 8

regards

Marianella
(Assignee)

Comment 13

7 years ago
(In reply to Marianella from comment #12)
> Please rerun test comment # 8

I looked into this further, and I see that the SSL cert for https://ar.fii.gob.ve chains up to a different cert than the one currently in this request. 
Please provide the current information for:
http://www.mozilla.org/projects/security/certs/pending/#PSC-FII
(Reporter)

Comment 14

7 years ago
(In reply to Kathleen Wilson from comment #13)

To download the certificate from our CA please go to this link:

https://ar.fii.gob.ve/cgi-bin/openca/pub/pki?cmd=getStaticPage&name=index

There are certificates for both the Sha1 algorithm as Sha256.

Thanks
(Reporter)

Comment 15

7 years ago
greetings;

We would like to know how the process of verification of the requirements for inclusion.


Thank you ..
(Assignee)

Comment 16

7 years ago
(In reply to Marianella from comment #14)
> To download the certificate from our CA please go to this link:
> https://ar.fii.gob.ve/cgi-bin/openca/pub/pki?cmd=getStaticPage&name=index
> There are certificates for both the Sha1 algorithm as Sha256.

I don't know Spanish, so you will have to provide the exact URL to the certificates. Are you requesting inclusion for both the Sha1 and Sha256 certs?

(In reply to Marianella from comment #15)
> We would like to know how the process of verification of the requirements
> for inclusion.

Please see Comment #9.
(Assignee)

Updated

7 years ago
Whiteboard: Information incomplete
(Assignee)

Comment 17

7 years ago
Created attachment 620393 [details]
Initial CA Information Document

The attached document shows the current status of this request.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
(Reporter)

Comment 18

7 years ago
(In reply to Kathleen Wilson from comment #16)

We're just going to include the certificate Sha256, I was gathering the information requested to send.

thanks
(Reporter)

Comment 19

6 years ago
Good afternoon, Kathleen.

I write to let you know that from now on I will be responsible for inclusion request of CA certificate PSC-FIIDT.

In this sense, I would like to know how the Audit Report from PSC-FIIIDT will be delivered to you, taking into consideration that it is a confidential document, and we do NOT want this information to be shown.

We are presently reviewing all Mozilla requirements.

Regards.
(Assignee)

Comment 20

6 years ago
(In reply to Mildred Osorio from comment #19)
> In this sense, I would like to know how the Audit Report from PSC-FIIIDT
> will be delivered to you, taking into consideration that it is a
> confidential document, and we do NOT want this information to be shown.


According to Mozilla policy and practices, audit statements (which are typically high-level summaries) are expected to be made publicly available.

http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html
"17. We rely on publicly disclosed documentation ... and publicly disclosed audit statements"

https://wiki.mozilla.org/CA:Recommended_Practices#Audit_Criteria
"All documents supplied as evidence should be publicly available."

You may find examples of public audit statements here:
http://www.mozilla.org/projects/security/certs/pending/
(Assignee)

Comment 21

3 years ago
Maria, Please add comments and attachments to this bug to provide the information listed here:
https://wiki.mozilla.org/CA:Information_checklist

Comment 22

3 years ago
(In reply to Kathleen Wilson from comment #21)
> Maria, Please add comments and attachments to this bug to provide the
> information listed here:
> https://wiki.mozilla.org/CA:Information_checklist

Hi Kathleen Wilson change the user account normalizacion.pscfii@gmail.com, to continue the process we are sending the file with the overview of the CA.

Comment 23

3 years ago
Created attachment 8664452 [details]
Aprobar-General_Information_CA.pdf

General Information CA PSC-FII

Comment 24

3 years ago
Created attachment 8665599 [details]
Aprobar-080-IPT-F091-POC-Mozilla1.pdf

CA PRIMARY POINT OF CONTACT (POC)

Comment 25

3 years ago
Created attachment 8665614 [details]
comm pub FII 2015f.pdf

CA Audit Report

Comment 26

3 years ago
PSC Publico del MppCTII para el Estado Venezolano (PSC-FII) is a subCA under the Venezuelan root of certification ("Sistema Nacional de Certificacion Electronica")

Comment 27

3 years ago
Created attachment 8666170 [details]
Aprobar-080-IPT-F091-Technical-Mozilla1.pdf

TECHNICAL INFORMATION OF  PSC PUBLICO DEL MPPCTII PARA EL ESTADO VENEZOLANO (PSC-FII)

Comment 28

3 years ago
Created attachment 8666928 [details]
Aprobar-080-IPT-F091-Technical-Mozilla2.pdf

TECHNICAL INFORMATION ABOUT EACH ROOT CERTIFICATE
(Assignee)

Comment 29

3 years ago
Created attachment 8670003 [details]
PSCPublicodelMppCTIIparaelEstadoVenezolano.cert
Attachment #542275 - Attachment is obsolete: true
(Assignee)

Comment 30

3 years ago
Created attachment 8670019 [details]
667466-CAInformation.pdf

I have entered the information for this request into Salesforce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to provide corrections and the additional requested information.

Comment 31

3 years ago
Hi Kathleen,

Sorry, I will upload the information again. The Attachments were to electronic signatures will try only to pdf. Thanks for the help.

Regards,
María Liendo

Comment 32

3 years ago
Created attachment 8670831 [details]
General_Information_CA.pdf

correct information by replacing obsolete attachments

Comment 33

3 years ago
Created attachment 8670834 [details]
080-IPT-F091-POC-Mozilla1.pdf

Comment 34

3 years ago
correct information by replacing obsolete attachments

Comment 35

3 years ago
Created attachment 8670835 [details]
Auditor_Report.PNG

Image Report of auditor

Comment 36

3 years ago
Created attachment 8670836 [details]
080-IPT-F091-Technical-Mozilla1.pdf

correct information by replacing obsolete attachments

Comment 37

3 years ago
Created attachment 8670837 [details]
080-IPT-F091-Technical-Mozilla2.pdf

correct information by replacing obsolete attachments

Comment 38

3 years ago
SUSCERTE certificate link: https://acraiz.suscerte.gob.ve/sites/default/files/certificados/CERTIFICADO-RAIZ-SHA384.crt

PSC-FII certificate link: https://ar.fii.gob.ve/pub/cacert/cacert.crt

PSC-FII is signed by SUSCERTE ROOT.
(Assignee)

Comment 39

3 years ago
(In reply to Kathleen Wilson from comment #30)
> Created attachment 8670019 [details]
> 667466-CAInformation.pdf
> 
> I have entered the information for this request into Salesforce.
> 
> Please review the attached document to make sure it is accurate and
> complete, and comment in this bug to provide corrections and the additional
> requested information.

I'm still not finding the information I need, so I'll list here what the CA needs to provide:

1) CA's response to each of the items listed in https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices

2) CA's response to each of the items listed in https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices

3) resolve all errors returned by https://certificate.revocationcheck.com/publicador-psc.fii.gob.ve


4) Mozilla has the ability to name constrain root certs; e.g. to *.gov or *.mil. CA should consider if such constraints may be applied to their root cert

5) Can this certificate sign externally-operated subCA certificates?

6) Can any 3rd party directly cause the issuance of a certificate chaining up to this "PSC Publico del MppCTII para el Estado Venezolano" cert?

7) Need a BR audit as described here: https://wiki.mozilla.org/CA:BaselineRequirements

8) NEED section in the CP/CPS that has the commitment to comply with the BRs as described in section 2.2 of version 1.3 of the CA/Browser Forum's Baseline Requirements.

9) Sections of CP/CPS that sufficiently describe the verification steps that are taken to confirm the ownership/control of the domain name to be included in the SSL/TLS cert. (in English)
As per section 3 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

10) CP/CPS sections that describe identity and organization verification procedures for cert issuance. (in English)

11) Sections of CP/CPS that sufficiently describe the verification steps that are taken to confirm the ownership/control of the email address to be included in the cert. (in English)
As per section 4 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices
https://wiki.mozilla.org/CA:Recommended_Practices#Verifying_Email_Address_Control

12) CA response (and corresponding CP/CPS sections/text) to section 6 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

13) CA response (and corresponding CP/CPS sections/text) to section 7 of https://wiki.mozilla.org/CA:Information_checklist#Verification_Policies_and_Practices

Comment 40

2 years ago
Hi Kathleen Wilson 
Giving Continuity to the process of inclusion of the PSC-FII CA, we ask for the exclusion of following accounts:
mosorio@fii.gob.ve 
cperez@fii.gob.ve 
jpayne@fii.gob.ve 
karog@fii.gob.ve 
pcastillo@suscerte.gob.ve 
ycova@fii.gob.ve 
zorellyg@fii.gob.ve 
This request is due to this staff is no longer part of the PSC-FII. They must not receive notification about this process. 

Please include the following accounts:
kpichardo@fii.gob.ve (Karen Pichardo)
mliendo@fii.gob.ve (Maria Liendo)
dsandoval@fii.gob.ve (Daniel Sandoval)

The current responsible of the BUG 667466 is normalizacion.pscfii@gmail.com.
We are waiting for your prompt response.
Thanks a lot
(Assignee)

Comment 41

2 years ago
(In reply to PSCFII from comment #40)
> Hi Kathleen Wilson 
> Giving Continuity to the process of inclusion of the PSC-FII CA, we ask for
> the exclusion of following accounts:
> mosorio@fii.gob.ve 
> cperez@fii.gob.ve 
> jpayne@fii.gob.ve 
> karog@fii.gob.ve 
> pcastillo@suscerte.gob.ve 
> ycova@fii.gob.ve 
> zorellyg@fii.gob.ve 
> This request is due to this staff is no longer part of the PSC-FII. They
> must not receive notification about this process. 

I removed them from the CC list in this bug.

> 
> Please include the following accounts:
> kpichardo@fii.gob.ve (Karen Pichardo)
> mliendo@fii.gob.ve (Maria Liendo)
> dsandoval@fii.gob.ve (Daniel Sandoval)

They will need to sign up for a Bugzilla account: https://bugzilla.mozilla.org/createaccount.cgi
Then add themselves to the CC list in this bug.

> 
> The current responsible of the BUG 667466 is normalizacion.pscfii@gmail.com.
> We are waiting for your prompt response.

I'm not sure what response you are waiting for from me.

A representative of the CA needs to provide the requested information, as listed in Comment #39.
Whiteboard: Information incomplete → Information incomplete -- See Comment #39
(Assignee)

Updated

2 years ago
Blocks: 1302431

Comment 42

2 years ago
Created attachment 8794293 [details]
Response listed in Comment #39

thanks for the recommendation to create accounts for dsandoval@fii.gob.ve, kpichardo@fii.gob.ve and mliendo@fii.gob.ve

At the same time we are sending the response comment # 39 in the Attachment.

regards

Comment 43

2 years ago
Dear Kathleen Wilson

We are interested in knowing the answer to Mozilla about the file (667466-CAInformation - PSCFII.pdf) sent  to answer the information AC PSC-FII.

Regards.

Comment 44

2 years ago
(In reply to PSCFII from comment #42)
> Created attachment 8794293 [details]
> Response listed in Comment #39
> 
> thanks for the recommendation to create accounts for dsandoval@fii.gob.ve,
> kpichardo@fii.gob.ve and mliendo@fii.gob.ve
> 
> At the same time we are sending the --------- comment # 39 in the Attachment.
> 
> regards

thanks for the recommendation to create accounts for dsandoval@fii.gob.ve, kpichardo@fii.gob.ve and mliendo@fii.gob.ve

At the same time we are sending the response comment # 39 in the Attachment.

regards
(Assignee)

Comment 45

2 years ago
Aaron and Francis, 
Please proceed with Information Verification for the document attached to Comment #42.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Thanks!

Comment 46

2 years ago
(In reply to Kathleen Wilson from comment #45)
> Aaron and Francis, 
> Please proceed with Information Verification for the document attached to
> Comment #42.
> https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
> Thanks!

Dear Kathleen, Aaron and Francis

On the File sent "667466-CAInformation - PSCFII" responses are edited using the comment published in PDF and highlighted in yellow.

We appreciate your attention, we welcome your comments..

Thank you very much Kathleen

Regards

Comment 47

hi PSCFII,

although you have provided updates, most of them still refer to CP/CPS in your original language.
i have tried to search on your website: https://publicador-psc.fii.gob.ve/pc/
in the English version of CP: https://publicador-psc.fii.gob.ve/docs/DPC_PC2016/PC/pc%20natural/080-PCN-F015-INGLES.pdf, section 4, 5, 11, 13 and more all refer to CPS (080-CPS-F014) which is not found.

in order to accelerate the process, please provide direct link for both CP and CPS in English version.

thank you very much

Comment 48

2 years ago
Hi Francis

As you say the CP make references to the CPS and the link to the English version it is:
https://publicador-psc.fii.gob.ve/docs/DPC_PC2016/DPC/080-DPC-F014-INGLES.pdf.

In the document or file will be able to observe all referenced sessions.

Grateful for the attention.

PSC-FII.

Comment 49

2 years ago
Hi Francis

Waiting're right, if they have questions of our DPC and PC inform us to respond.

Regards.

PSC-FII

Comment 50

2 years ago
Hi Francis

We reiterate our availability to let them get any document or answer any questions that a well considered in reference to our request.

Regards.

PSC-FII

Comment 51

2 years ago
Hi Francis 

If you need more information please warn us. 

Regards.


PSC-FII

Comment 52

Created attachment 8807069 [details]
667466_CAInformation_PSCFII.pdf

hi PSCFII,

please refer to the attachment for the latest information verification status.
as Mozilla has added some new cases in the verification process, i would like to invite you to pay attention on following items:

1. in PSC-FII case:
there are '????' requires your feedback in both recommended practice and problematic practice. some of them may be partially answered in your CPS, but it is important that you read through our policy as acknowledgement and provide the exact section number. 
2. in Root case:
please check 'Need response from CA' item. Some of them were answered previously, but it requires further information.

thank you very much

Comment 53

2 years ago
Hi Francis


The PSC-FII case is as follows:

The PSC-FII is a Sub -CA of the “ Autoridad de Certificacion Raiz del Estado Venezolano” root certificate owned by SUSCERTE (Superintendencia de Servicios de Certificación Electrónica ), which is part of the Ministry of People's Power for Higher Education, Science and Technology  in the Bolivarian Republic of Venezuela. 
SUSCERTE is a national government CA that provides electronic certification services to the Bolivarian Republic of the Government of Venezuela.

We accept mozilla policies and we will send back the document for review. 

Thank you very much.
PSC-FII

Comment 54

hi PSCFII,

here it's a good example of CP/CPS, it may be helpful for you.

https://wiki.mozilla.org/CA:Recommended_Practices#CP.2FCPS_Documents_will_be_Reviewed.21

thank you very much

Updated

2 years ago
Assignee: kwilson → frlee

Comment 55

hi PSCFII,

besides the pdf file which i provided in comment 52, i have re-tested the revocation part and please find the result here: https://pageshot.net/u4BtbuuQxmRKUzG9/certificate.revocationcheck.com

all errors should be fixed except the last one 'We could not identify the issuer for this certificate'.

for your reference, please find the test instructions below:

In the Root Case for " PSC Publico del MppCTII para el Estado Venezolano"...
- Root Certificate Download URL -- https://bugzilla.mozilla.org/attachment.cgi?id=8670003
- 'View' button to Examine the CA certificate
- 'Details'
- 'Export...' button
- Save in Format "X.509 Certificate (PEM)". (e.g. PSCPublicodelMppCTIIparaelEstadoVenezolano.crt)
-  'Close' button
- 'Trust this CA to identify websites' checkbox, then 'OK'

Go back to the Root Case for "PSC Publico del MppCTII para el Estado Venezolano"...
- Test Website URL -- https://publicador-psc.fii.gob.ve/
-  green lock icon at the left of the URL entry area at the top of the window.
- ">"
- 'More Information'
- 'View Certificate'
- 'Details'
- Select which cert you want to save, then 'Export...' (e.g. publicador-pscfiigobve.crt)

View the certs
- https://people-mozilla.org/~dkeeler/certsplainer/
- 'Browse...'
- Select one of the .crt files, view the cert info.

in the revocation test website: https://certificate.revocationcheck.com/
- 'Certificate Upload'
- In 'Certificate' field copy/paste the data in the text box of certsplainer for the publicador-pscfiigobve.crt file, from "----BEGIN..." to "END CERTIFICATE-----".
- In 'Issuer Certificate' field copy/paste the data in the text box of certsplainer for the PSCPublicodelMppCTIIparaelEstadoVenezolano.crt file.
- 'Check Revocation Status'

Note: Be careful not to have extra spaces or line feeds before and after  "----BEGIN..." and "END CERTIFICATE-----".

thank you very much

Comment 56

2 years ago
Created attachment 8814777 [details]
Response listed in Comment #52.pdf

 Hi Francis

 Response listed in Comment #39

 Regards and thank

Comment 57

2 years ago
Created attachment 8814779 [details]
Response listed in Comment #56.pdf

 Hi Francis

 Response listed in Comment #56

 Regards and thank

Comment 58

hi PSCFII,

based on the responses you provided, there are still some items requiring clarification (ex. need to be mentioned in your CP/CPS) and testing errors need to be fixed. please refer to following items:

in the attachment 8814777 [details]

1. Response to Mozilla's list of Potentially Problematic Practices:

-Item #2:
your response regarding Wildcard DV SSL certificates was "not defined in the CPS nor the CP".  Since you are requesting that the Websites trust bit be enabled for this certificate, the CP or CPS must indicate your CA's policies in regards to wildcard SSL certificates. Can Wildcard SSL certificates be issued? If yes, what verification must be done regarding the domains to be included in the wildcard SSL certificates? There must be enough information in the CP or CPS for us to determine if the CA's publicly documented policies comply with the CA/Browser Forum's Baseline Requirements.

-Item #3 only applies if the CA's CP/CPS says that they can validate ownership of the domain name by exchanging email with the Domain’s administrator using an email address created by pre‐pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at‐sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN.
If CA can validate domain ownership/control in this way, then CA has to specify which of the above list may be used. If the CA verifies domain name ownership/control in a different way, then item #3 is not applicable.

-Item #9 does need to be addressed in the CA's CP/CPS, and must show compliance with the BRs. Either the CP/CPS needs to say that internal domain names are not allowed, or there needs to be proper authentication according to the BRs.

2. Test Results (When Requesting the SSL/TLS Trust Bit)

-We recommend CA to try the following test website so that errors can be fixed and verified. only mentioning 'The certificate of the CA of the PSC-FII, has as critical the extension keyUsage in CPS' is not enough to prove existing errors are fixed. Also, there are 2 other errors as listed below:

test website: https://crt.sh/
in CA/Browser Forum lint:
ERROR: CA certificates must set keyUsage extension as critical
in X.509 lint:
ERROR: Invalid type in SAN entry
ERROR: IP address in dns name

3. CA Hierarchy Information

-it is not enough to say 'No restriction in the CPS nor the CP' for cross signing. Moz needs to know if the CA is allowed to cross-sign with other entities or not. It is possible that SUSCERTE forbids that in their CP/CPS. But Moz needs to know if PSCFII allows it or not.

4. Verification Policies and Practices

-BR audit: Please provide BR statement file link for verification purpose.
in your CPS section 17.1, 17.2 and 17.4, it doesn't mention the actual audit result/details which proves that your certificate comply with BRs.

-BR Commitment to Comply: in CPS section 4, it's hard to confirm that PSC-FII committed to comply with BR.
NEED section in the CP/CPS that has the commitment to comply with the BRs as described in section 2.2 of the CA/Browser Forum's Baseline Requirements (https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf). in CPS section 4, RFC 3647 was mentioned, but there's no statement such as whether PSCFII reviews CAA records? if so, any policy or practice on processing CAA Records for Fully Qualified Domain Names, etc.

thank you very much
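
The three lint findings quoted in the comment above, reproduced as an added example (not code from this bug, crt.sh or the lint tools): a standard-library Python check over the DER-encoded X.509 Extensions of a certificate. The sample extension blocks are constructed here, and the condition attached to each message is this example's assumption about what the message means (CA certificates need a critical keyUsage; SAN entries may only be dNSName or iPAddress), not the tools' own logic.

```python
import ipaddress

OID_KEY_USAGE = bytes.fromhex("551d0f")          # 2.5.29.15
OID_SAN = bytes.fromhex("551d11")                # 2.5.29.17
OID_BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # 2.5.29.19
TAG_DNS, TAG_IP = 0x82, 0x87  # GeneralName [2] dNSName, [7] iPAddress

def read_tlvs(data):
    """Split a DER byte string into a list of (tag, content) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated DER header")
        tag, n = data[i], data[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        if i + n > len(data):
            raise ValueError("truncated DER element")
        out.append((tag, data[i:i + n]))
        i += n
    return out

def extensions_of(cert_der):
    """Return the Extensions SEQUENCE ([3] inside TBSCertificate) of a DER certificate."""
    tbs = read_tlvs(read_tlvs(cert_der)[0][1])[0][1]
    for tag, content in read_tlvs(tbs):
        if tag == 0xA3:
            return content
    raise ValueError("certificate has no extensions")

def parse_extensions(ext_der):
    """Map extnID -> (critical, extnValue); 'critical' defaults to FALSE when absent."""
    exts = {}
    for _, ext in read_tlvs(read_tlvs(ext_der)[0][1]):
        fields = read_tlvs(ext)
        critical = len(fields) == 3 and fields[1][1] != b"\x00"
        exts[fields[0][1]] = (critical, fields[-1][1])
    return exts

def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def lint_extensions(ext_der):
    """Return findings, using the message strings quoted in the comment above."""
    exts, findings, is_ca = parse_extensions(ext_der), [], False
    if OID_BASIC_CONSTRAINTS in exts:
        bc = read_tlvs(read_tlvs(exts[OID_BASIC_CONSTRAINTS][1])[0][1])
        is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    if is_ca and not exts.get(OID_KEY_USAGE, (False, b""))[0]:  # assumed rule
        findings.append("CA certificates must set keyUsage extension as critical")
    if OID_SAN in exts:
        for tag, content in read_tlvs(read_tlvs(exts[OID_SAN][1])[0][1]):
            if tag not in (TAG_DNS, TAG_IP):  # assumed rule: only dNSName / iPAddress
                findings.append("Invalid type in SAN entry")
            elif tag == TAG_DNS and is_ip_literal(content.decode("ascii", "replace")):
                findings.append("IP address in dns name")
    return findings

# --- constructed sample data (not taken from the PSC-FII certificates) ---
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def extension(oid, value_der, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, oid) + crit + tlv(0x04, value_der))

CA_FLAG = extension(OID_BASIC_CONSTRAINTS, tlv(0x30, tlv(0x01, b"\xff")), critical=True)
KEY_USAGE = tlv(0x03, b"\x01\x06")  # keyCertSign | cRLSign
SAMPLE_CA_BAD = tlv(0x30, CA_FLAG + extension(OID_KEY_USAGE, KEY_USAGE))
SAMPLE_CA_GOOD = tlv(0x30, CA_FLAG + extension(OID_KEY_USAGE, KEY_USAGE, critical=True))
SAMPLE_LEAF = tlv(0x30, extension(OID_SAN, tlv(0x30,
    tlv(TAG_DNS, b"www.example.test") + tlv(TAG_DNS, b"192.0.2.10")
    + tlv(0x81, b"admin@example.test"))))  # 0x81 = rfc822Name

if __name__ == "__main__":
    for name in ("SAMPLE_CA_BAD", "SAMPLE_CA_GOOD", "SAMPLE_LEAF"):
        print(name, lint_extensions(globals()[name]))
```

To run it on a real certificate, convert the PEM to DER and pass `extensions_of(der_bytes)` to `lint_extensions`.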

Updated

2 years ago
Assignee: frlee → awu

Updated

2 years ago
Whiteboard: Information incomplete -- See Comment #39 → [ca-verification] -- See Comment #39

Updated

2 years ago
Whiteboard: [ca-verification] -- See Comment #39 → [ca-verifying] -- See Comment #39

Comment 59

a year ago
Hi PSCFII,

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any question, thank you!


Kind regards,
Aaron

Updated

a year ago
Whiteboard: [ca-verifying] -- See Comment #39 → [ca-verifying] - Need BR Self Assessment

Comment 60

a year ago
Mr. Aaron Wu

We are currently updating the identity authentication methods for issuing SSL certificates.

To proceed to the publication on our website https://ar.fii.gob.ve of the documents of the Certification Practice Statement (CPS) and Certificate Policy (CP). Execution of the annual technical audit to PSC-FII, by an external auditor.

At the end of the application, you will be asked to include the certificate of the PSC-FII in the Mozilla browser.

Thank you very much for the attention, we will be informing to resume the request and validation of the fulfillment of the requirements of Mozilla.

Regards and thank

Updated

a year ago
Product: mozilla.org → NSS

Comment 61

a year ago
Dear Mr. Aaron Wu
As for the special requirement of the issuance of the Audit Charter in English language, and its publication on the external auditor's website, you can access through the following links:

1. Indirect:

Http://www.penscric.com.ve/Principal/index.php/auditorias  

2. Direct:

Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.pdf 

Regards and thanks
Flags: needinfo?(awu)

Comment 62

a year ago
Created attachment 8884879 [details]
1 PLAN DE AUDITORÍA TÉCNICA AL PSC FII 2017 Firmado.pdf

External audit report to PSC-FII, June 05, 2017.

Comment 63

a year ago
(In reply to PSCFII from comment #61)
> Dear Mr. Aaron Wu
> As for the special requirement of the issuance of the Audit Charter in
> English language, and its publication on the external auditor's website, you
> can access through the following links:
> 
> 1. Indirect:
> 
> Http://www.penscric.com.ve/Principal/index.php/auditorias  
> 
> 2. Direct:
> 
> Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.
> pdf 
> 
> Regards and thanks

Thanks for providing the document above, it seems I cannot access the link as Server not Found. Could you double check the url? Thank you!

Kind regards,
Aaron
Flags: needinfo?(awu)

Comment 64

a year ago
(In reply to Aaron Wu from comment #63)
> (In reply to PSCFII from comment #61)
> > Dear Mr. Aaron Wu
> > As for the special requirement of the issuance of the Audit Charter in
> > English language, and its publication on the external auditor's website, you
> > can access through the following links:
> > 
> > 1. Indirect:
> > 
> > Http://www.penscric.com.ve/Principal/index.php/auditorias  
> > 
> > 2. Direct:
> > 
> > Http://www.penscric.com.ve/Principal/images/6%20PSC%20FII%20Audit%20Chart.
> > pdf 
> > 
> > Regards and thanks
> 
> Thanks for providing the document above, it seems I cannot access the link
> as Server not Found. Could you double check the url? Thank you!
> 
> Kind regards,
> Aaron

For the links above, I tried different browsers, location and computers, even asked two engineers to test but still cannot access. There may be an IP issue, please help to figure out the way to access. Thank you!

Kind regards,
Aaron