Status

task
RESOLVED FIXED
7 years ago
2 years ago

People

(Reporter: peter.miskovic, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: In NSS 3.15, Firefox 23)

Attachments

(3 attachments)

CA Name: Disig
Website URL (English version):http://www.disig.eu
Website URL (Slovak version): http://www.disig.sk
Organizational type: Private Corporation
Primary market / customer base.:
Disig is a public Certification Service Provider, located in Slovakia.  Disig focus its certification service mainly for Slovakian market for the customer from general public, private companies, governmental organization.

CA Email Alias: caoperator@disig.sk
CA Phone Number:+421 2 20850140
Title / Department: Senior consultant at Information Security department
	
Rest of required information is in the "InfoGathering_20120918.doc" file in attachment
Group: mozilla-confidential
Status: UNCONFIRMED → ASSIGNED
CC list accessible: false
Ever confirmed: true
Not accessible to reporter
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
I reviewed document "Initial CA Information Document" and here are my clarification of missing part and part mark with "?" and some correction of your findings. 

Verification Policies and Practices
-----------------------------------
Baseline Requirements (SSL):
Requirement from CAB Forum Baseline Requirements were implemented to CA Disig procedures, documents (CP, CPS, subscriber agreement etc.), SSL certificate content and profiles, third party services (OCSP) to the effective date e.g. July 1st, 2012 . See CP – 1.3.3 last paragraph.


Response to Mozilla's CA Recommended Practices
-----------------------------------------------
Document Handling of IDNs in CP/CPS: CA Disig does not issue IDNs certificates
DNS names go in SAN: All DNS names go into the SAN including DNS name from CN field


Domain owned by a Natural Person: CA Disig didn’t issue such type of SSL certificate till today. If there be such application CA Disig will require proposed information (O and OU fields)  in the SSL certificate request. During the next revision of current CP and CPS this part will be add to procedures for SSL certificate issuing.


Response to Mozilla's list of Potentially Problematic Practices 
---------------------------------------------------------------
Wildcard DV SSL certificates: CA Disig does not issue wildcard DV SSL certificates

Delegation of Domain / Email validation to third parties: Domain validation is performed by CA Disig staff only. Email validation is performed by CA Disig staff or external RA staff according written procedures “MP_ERA_2009_06
Overenie e-mailu v žiadostiach (E-mail validation)”.

Certificates referencing hostnames or private IP addresses:
Due my mistake there is misleading information in English version of CP in paragraph 3.1.9. CA Disig never issued SSL certificates for registered IP address and part: "In the case of registered IP addresses RA will not investigate whether the body- the applicant for a certificate for the server uses the registered IP address legitimately e.g. whether the registered IP address is the address segment,which is registered in the RIPE organization for the entity - the applicant for a certificate for the server. In this case, is automatically assumed that that subject -­ the applicant for a certificate for the server use in the application for the certificate registered IP address and applicant gave to CA Disig a solemn declaration that the IP address used lawfully and that he is aware of all the consequences and responsibility for any unauthorized use of the IP address." is not more in the current Slovak version of CP (V4.5 ). My mistake was that I forgot deleted above part from current (4.5) English CP version during the revision process. I will update English version within a few days.

Issuing SSL Certificates for Internal Domains:
See above.
(In reply to Peter Miskovic from comment #2)
> is not more in the current Slovak version of CP (V4.5 ). My mistake was that
> I forgot deleted above part from current (4.5) English CP version during the
> revision process. I will update English version within a few days.

Thank you for your prompt response.

Please post another comment in this bug when the updated version of the English CP is available.
Updated English version of CP CA Disig is available on the Disig web site:
http://www.disig.eu/_pdf/cp-cadisig-eng.pdf
There was no CP version number changed due the fact that we only removing obsolete text from the translated version while the Slovak version is primary.
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: Information confirmed complete
I am now opening the first public discussion period for this request from Disig to add the “CA Disig Root R1” root certificate that will eventually replace the “CA Disig” root certificate that is currently included in Mozilla products (Bugzilla #455878). This request is to also include the “CA Disig Root R2” SHA-256 root certificate. All three trust bits are requested for both certs, and EV is not requested at this time.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Disig Request to include Renewed Roots”

Please actively review, respond, and contribute to the discussion.

A representative of Disig must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request add the “CA Disig Root R1” and “CA Disig Root R2” root certificates and enable all three trust bits.

Section 4 [Technical]. I am not aware of instances where Disig has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. Disig appears to provide a service relevant to Mozilla users. It is a private corporation located in Slovakia, which provides certification service mainly for Slovakian market, issuing certificates to general public, private companies, and governmental organizations.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CP and CPS, which have been translated into English.

CP (Slovak): http://www.disig.sk/_pdf/cp-disig.pdf 
CP (English): http://www.disig.eu/_pdf/cp-cadisig-eng.pdf 
CPS (Slovak): http://www.disig.sk/_pdf/cps_ra_cadisig.pdf 
CPS (English): http://www.disig.eu/_pdf/cps_ra_cadisig_eng.pdf 

Section 7 [Validation]. Disig appears to meet the minimum requirements for subscriber verification, as follows:

* Email: According to section 4.1 in of both the CP and CPS the Disig RA confirms that the certificate subscriber controls the email address to be included in the certificate by sending email to that address, and the applicant must respond appropriately.

* SSL: According to section 3.1 of both the CP and CPS the existence of a domain and its owner are verified through WHOIS services provided by the web top level domain sponsoring organization (e.g. for domain ".sk" is the sponsoring organization SK-NIC - www.sk-nic.sk; for domain ".eu" is the sponsoring organization EURid vzw/asbl established in Belgium for the domain ".com" is sponsoring organization VeriSign Global Registry Services based in the U.S.). Full domain name will be verified by sending an e-mail which will contain secret information to some unforeseeable e-mail accounts for the domain listed in the record obtained from the WHOIS service respectively on the e-mail from that domain for these possible accounts: admin, administrator, webmaster, hostmaster or postmaster.
An applicant for a certificate for the domain shall send back verification information as proof of ownership of the domain within specified period of time.

* Code: CP Section 3.1.9 states that for code signing certs the component has to be assigned to a specific person or to a person that is authorized to deal on behalf of a company that is administrating the component.  The RA has to verify the identity of the person and organization in accordance with the requirements of CP sections 3.1.7 and 3.1.8.

* Not requesting EV treatment

Section 15 [Certificate Hierarchy]. 
Both the “CA Disig Root R1” and “CA Disig Root R2” root certificates will sign internally-operated intermediate certificates that will sign entity certificates for SSL, digital signature, sending/receiving e-mail, and code signing.

* CRL 
http://www.disig.sk/rootcar1/crl/rootcar1.crl
http://www.disig.sk/subcar1i1/crl/subcar1i1.crl
http://www.disig.sk/rootcar2/crl/rootcar2.crl
http://www.disig.sk/subcar2i1/crl/subcar2i1.crl
CP section 4.4.3: immediate upon revocation, otherwise every 24 hours

* OCSP
http://rootcar1-ocsp.disig.sk/ocsp/rootcar1
http://subcar1i1-ocsp.disig.sk/ocsp/subcar1i1
http://rootcar2-ocsp.disig.sk/ocsp/rootcar2
http://subcar2i1-ocsp.disig.sk/ocsp/subcar2i1

Sections 9-11 [Audit]. 
Disig is audited according to the ETSI 102 042 criteria, and the audit conclusion and ETSI certificate are provided on Disig’s website.
http://www.disig.sk/_pdf/Audit_Statement_2011_CA_Disig.pdf  
I confirmed the authenticity of the document by exchanging email with the auditor who is listed on the ISACA website, 
http://www.isaca.sk/priprava-na-certifikaty/zoznam-drzitelov-certifikatov/ 

Based on this assessment I intend to approve this request to add the “CA Disig Root R1” and “CA Disig Root R2” root certificates and enable all three trust bits.
Whiteboard: In public discussion → Pending Approval
To the representatives of Disig: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #8, and on behalf of Mozilla I approve this request from Disig to include the following root certificates in Mozilla products:

** "CA Disig Root R1" (websites, email, code signing)
** "CA Disig Root R2" (websites, email, code signing)

I will file the NSS bug to include these root certs.
Whiteboard: Pending Approval → Approved - awaiting NSS
Depends on: 823753
I have filed bug #823753 against NSS for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → In NSS 3.15, Firefox 23
Product: mozilla.org → NSS
You need to log in before you can comment on or make changes to this bug.