Closed Bug 811352 Opened 8 years ago Closed 6 years ago
Additional Root CA for ACCV
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121024073032

Steps to reproduce:

Add additional Root for ACCV. The actual Root was included based on Bug 274100.
https://bugzilla.mozilla.org/show_bug.cgi?id=274100

Attached initial information document.
Thanks in advance
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Reply to questions that have been requested in the attached document. Refers https://bugzilla.mozilla.org/attachment.cgi?id=693653
Hello, Documentation is complete already? If it is necessary to provide some additional documentation or information let us know. Regards
Hello, Sorry for the insistence but is to advance if something is missing. Documentation is complete already? If it is necessary to provide some additional documentation or information let us know. Best regards
Sorry for the delay. I did receive notification about your response, and this bug is on my to-do list.
No problem. We know you're very busy. Best regards.
This request is now in my list of discussions that I need to start: https://wiki.mozilla.org/CA:Schedule#Need_to_start_discussions
Whiteboard: Information incomplete → Information confirmed complete
I am now opening the first public discussion period for this request from ACCV to add the “ACCVRAIZ1” root certificate and enable all three trust bits. For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding email@example.com mailing list. The discussion thread is called “ACCV Request to include Renewed Root” Please actively review, respond, and contribute to the discussion. A representative of ACCV must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: Information confirmed complete → In public discussion
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at
http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “ACCVRAIZ1” root certificate and enable all three trust bits.

Section 4 [Technical]. I am not aware of instances where ACCV has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevance and Policy]. ACCV appears to provide a service relevant to Mozilla users. It is operated by a government agency of Spain, and focuses its activities mainly in Spain but is also collaborating in international recognition of certificates. ACCV issues certificates for citizens for their personal use and for its relations with the public administration and business.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CPS and the CP for each type of certificate usage. The CP documents are in Spanish, and the CPS has been translated into English.

Document Repository: http://www.accv.es/quienes-somos/practicas-y-politicas-de-certificacion/
CPS (EN): http://www.accv.es/fileadmin/Archivos/Practicas_de_certificacion/ACCV-CPS-V3.0-EN.pdf
SSL CP: http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-03V3.0-c.pdf
Code Signing CP: http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-04V3.0-c.pdf
Qualified Certs CP for Public Employees: http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-13V4.0-c.pdf
Qualified Certs CP for Citizens: http://www.accv.es/fileadmin/Archivos/Politicas_pdf/ACCV-CP-07V5.0-c.pdf

Section 7 [Validation]. ACCV appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: According to sections 3.2.3 and 3.2.4 of the SSL CP, ACCV verifies the identity of the certificate subscriber and verifies that domains and addresses associated with the certificate belong to the applicant. The domain verification is done by consulting WHOIS or equivalent. In the verification process, the information obtained from WHOIS or equivalent records is compared with that provided by the applicant, and personalized emails are sent to technical and administrative contacts obtained from both sources to ensure that the data is correct and that domain ownership is confirmed.

* Email: Verification procedures are described in sections 3.2.2 and 3.2.3 of the Qualified Certs CP for Public Employees and the Qualified Certs CP for Citizens. Public administration provides its employees with email accounts for their work as civil servants. These email accounts are corporate and internally generated. ACCV accepts these mail accounts because they are imposed by the administration and not by the user. In all cases the final step involves sending email to the subscriber with a link that the subscriber must click on and use the unique code that was provided in the certification contract.

* Code: According to section 3.2.3 of the Code Signing CP, ACCV verifies the identity of the certificate subscriber and the authority of the certificate subscriber to request the certificate on behalf of the organization.

Section 18 [Certificate Hierarchy]. The “ACCVRAIZ1” root certificate has signed two internally-operated subordinate CA certificates, ACCVCA-110 and ACCVCA-120. This root certificate will eventually replace the “Root CA Generalitat Valenciana” root certificate that was included via bug #274100.

* EV Policy OID: Not requesting EV treatment.

* CRL
http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl
http://www.accv.es/fileadmin/Archivos/certificados/accvca110_der.crl
http://www.accv.es/fileadmin/Archivos/certificados/accvca120_der.crl
(NextUpdate: 3 days)
CPS section 4.9.9: ACCV shall publish a new CRL in its repository at maximum intervals of 3 hours, even if there have been no modifications to the CRL (changes to the status of certificates) during the aforementioned period.

* OCSP
http://ocsp.accv.es

Sections 11-14 [Audit]. ACCV is audited according to the WebTrust CA criteria, and audit statements are posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1352

Based on this assessment I intend to approve this request to add the “ACCVRAIZ1” root certificate and enable all three trust bits.
Whiteboard: In public discussion → Pending Approval
As per the summary in Comment #10, and on behalf of Mozilla I approve this request from ACCV to include the following root certificate:

** “ACCVRAIZ1” (websites, email, code signing)

I will file the NSS bug for the approved changes.
Whiteboard: Pending Approval → Approved - awaiting NSS
I have filed bug #872279 against NSS for the actual changes.
Whiteboard: Approved - awaiting NSS → Approved - in FF 27
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED