Closed Bug 811352 Opened 8 years ago Closed 6 years ago

Additional Root CA for ACCV

Categories

(NSS :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: jamador, Assigned: kwilson)

Details

(Whiteboard: Approved - in FF 27)

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121024073032

Steps to reproduce:

Add additional Root for ACCV. The actual Root was included based on Bug 274100.
https://bugzilla.mozilla.org/show_bug.cgi?id=274100

Attached initial information document.

Thanks in advance
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Whiteboard: Information incomplete
Reply to the questions that have been requested in the attached document. Refers to https://bugzilla.mozilla.org/attachment.cgi?id=693653
Hello,

Is the documentation complete already?

If it is necessary to provide some additional documentation or information let us know.

Regards
Hello,

Sorry for the insistence, but it is in order to move forward if something is missing. Is the documentation complete already?

If it is necessary to provide some additional documentation or information let us know.

Best regards
Sorry for the delay. I did receive notification about your response, and this bug is on my to-do list.
No problem. We know you're very busy.

Best regards.
This request is now in my list of discussions that I need to start:
https://wiki.mozilla.org/CA:Schedule#Need_to_start_discussions
Whiteboard: Information incomplete → Information confirmed complete
I am now opening the first public discussion period for this request from ACCV to add the “ACCVRAIZ1” root certificate and enable all three trust bits. 

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “ACCV Request to include Renewed Root”

Please actively review, respond, and contribute to the discussion.

A representative of ACCV must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “ACCVRAIZ1” root certificate and enable all three trust bits.

Section 4 [Technical]. I am not aware of instances where ACCV has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. ACCV appears to provide a service relevant to Mozilla users. It is operated by a government agency of Spain, and focuses its activities mainly in Spain but is also collaborating in international recognition of certificates. ACCV issues certificates for citizens for their personal use and for its relations with the public administration and business.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CPS and the CP for each type of certificate usage. The CP documents are in Spanish, and the CPS has been translated into English.

Document Repository: http://www.accv.es/quienes-somos/practicas-y-politicas-de-certificacion/
CPS (EN): http://www.accv.es/fileadmin/Archivos/Practicas_de_certificacion/ACCV-CPS-V3.0-EN.pdf

SSL CP: http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-03V3.0-c.pdf

Code Signing CP:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-04V3.0-c.pdf

Qualified Certs CP for Public Employees:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-13V4.0-c.pdf

Qualified Certs CP for Citizens:
http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-07V5.0-c.pdf

Section 7 [Validation]. ACCV appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: According to sections 3.2.3 and 3.2.4 of the SSL CP, ACCV verifies the identity of the certificate subscriber and verifies that domains and addresses associated with the certificate belong to the applicant. The domain verification is done by consulting WHOIS or equivalent. In the verification process, the information obtained from WHOIS or equivalent records is compared with that provided by the applicant, and personalized emails are sent to technical and administrative contacts obtained from both sources to ensure that the data is correct and that domain ownership is confirmed.

* Email: Verification procedures are described in sections 3.2.2 and 3.2.3 of the Qualified Certs CP for Public Employees and the Qualified Certs CP for Citizens. Public administration provides its employees with email accounts for their work as civil servants. These email accounts are corporate and internally generated. ACCV accepts these mail accounts because they are imposed by the administration and not by the user. In all cases the final step involves sending email to the subscriber with a link that the subscriber must click on and use the unique code that was provided in the certification contract.

* Code: According to section 3.2.3 of the Code Signing CP, ACCV verifies the identity of the certificate subscriber and the authority of the certificate subscriber to request the certificate on behalf of the organization.

Section 18 [Certificate Hierarchy]
The “ACCVRAIZ1” root certificate has signed two internally-operated subordinate CA certificates, ACCVCA-110 and ACCVCA-120. This root certificate will eventually replace the “Root CA Generalitat Valenciana” root certificate that was included via bug #274100.

* EV Policy OID: Not requesting EV treatment.

* CRL 
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
http://www.accv.es/fileadmin/Archivos/certificados/accvca110_der.crl 
http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl (NextUpdate: 3 days)
CPS section 4.9.9: ACCV shall publish a new CRL in its repository at maximum intervals of 3 hours, even if there have been no modifications to the CRL (changes to the status of certificates) during the aforementioned period.

* OCSP
http://ocsp.accv.es

Sections 11-14 [Audit]. 
ACCV is audited according to the WebTrust CA criteria, and audit statements are posted on the webtrust.org website.
 https://cert.webtrust.org/ViewSeal?id=1352

Based on this assessment I intend to approve this request to add the “ACCVRAIZ1” root certificate and enable all three trust bits.
Whiteboard: In public discussion → Pending Approval
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from ACCV to include the following root certificate:

** "ACCVRAIZ1" (websites, email, code signing)

I will file the NSS bug for the approved changes.
Whiteboard: Pending Approval → Approved - awaiting NSS
Depends on: 872279
I have filed bug #872279 against NSS for the actual changes.
Whiteboard: Approved - awaiting NSS → Approved - in FF 27
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS