Closed Bug 986854 Opened 7 years ago Closed 3 years ago

Add Renewed AC Camerfirma root certificate.

Categories

(NSS :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: ramirom, Assigned: wthayer)

Details

(Whiteboard: [ca-denied] Comment #62 - submit new root)

Attachments

(16 files, 3 obsolete files; all application/pdf)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:28.0) Gecko/20100101 Firefox/28.0 (Beta/Release)
Build ID: 20140314220517

Steps to reproduce:

Use the new root certificates with SHA-256 (same keys, same name):
http://www.camerfirma.com/certs/root_chambers-2008_sha256.crt
http://www.camerfirma.com/certs/root_chambersign-2008_sha256.crt


Actual results:

The browser recognizes neither as a valid root CA nor as EV.


Expected results:

Positive recognition.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: EV - information incomplete
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness, and provide the necessary information in this bug.
Information about updated Root certificates from AC Camerfirma SA.
Aaron, Please do the Information Verification and enter the data into Salesforce.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Hi, in the attachments section I have placed the WebTrust CA audit report for the renewed roots (2016):
GLOBAL CHAMBERSIGN ROOT - 2016
CHAMBERS OF COMMERCE ROOT - 2016

Best regards
(In reply to Ramiro Muñoz Muñoz from comment #5)
> Created attachment 8775118 [details]
> Audit Report and Management Assertions.pdf

Please also provide the WebTrust BR and EV audit statements for this year.
OK Kathleen, I will provide you with the audit reports for EV and BR in a couple of weeks.
Audit report for WebTrust EV for:
Chambers of Commerce Root: base version, 2008 version and 2016 version
Global Chambersign Root: base version, 2008 version and 2016 version
Audit report for BR for:
Chambers of Commerce Root: base version, 2008 version and 2016 version
Global Chambersign Root: base version, 2008 version and 2016 version
Hi Ramiro,

Thanks for providing the audit report and management assertions!

I have entered the information into Salesforce. Please review the attached document (two root cases) to ensure it is complete and correct. Also, look for the word "NEED" to see what information still needs to be provided; we also need your help to fix the errors that appear when we run our test tool.

Thank you!
Aaron
Hi Aaron.

The countryName in both certificates is a 2-character PRINTABLESTRING with the value ES. I do not see any problem with this value.

In both certificates notBefore is UTCTIME:160414073548Z and notAfter is UTCTIME:400408073548Z, which is less than 24 years.

We are reviewing our OCSP responses.

I do know why the audit report is not OK for GLOBAL CHAMBERSIGN ROOT 2016. The audit report covers both root certificates.

Best Regards
Ramiro
Hi Ramiro.

Thanks for your response!

I've verified the information you provided and updated it in Salesforce. Two things need your attention:

1. All testing errors need to be solved.

Revocation Tested
ERROR:
- OCSP signing certificate does not contain the OCSP No Check extension
- NextUpdate not set (RFC 5019, section 2.2.4)
Revocation Tested (Verified?)
Need Response From CA

CA/Browser Forum Lint Test
ERROR:
- Invalid country in countryName
WARNING:
- CA certificates should not have a validity period greater than 25 years

2. Please provide the BR Audit Statement.

Thanks,
Aaron
Hi Aaron.

Both root certificates to be included have a countryName PRINTABLESTRING with "ES". I cannot see the problem.
Both root certificates to be included have a validity period of less than 25 years; I cannot see the problem there either. I don't know if we are talking about the same certificates: "CHAMBERS OF COMMERCE ROOT - 2016" and "GLOBAL CHAMBERSIGN ROOT - 2016".

I have provided the audit report for both roots, "Audit Report and Management Assertions - SSL", which states conformance with the WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security.

I only need to solve the OCSP issues. I hope they will be fixed next week.

Best Regards
Ramiro
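The exchange above turns on three automated findings: the "validity period greater than 25 years" warning, the "Invalid country in countryName" error, and the missing OCSP No Check extension on the responder certificate. The script below is an added example written for this page (it is not cablint, x509lint, or any Camerfirma tooling) that re-creates those checks offline on hand-built DER fragments: a Validity SEQUENCE holding the exact UTCTime values Ramiro quotes (160414073548Z / 400408073548Z), a countryName of PrintableString "ES", and two constructed Extensions lists for an OCSP signer, one with id-pkix-ocsp-nocheck and one with only extKeyUsage. The ISO 3166 lookup a real linter performs is simplified here to "two uppercase ASCII letters"; all sample bytes are constructed, not taken from the real certificates.

```python
"""Offline re-creation of three lint findings quoted in this bug: the CA validity period
warning, the countryName error and the missing OCSP No Check extension (constructed DER)."""
from datetime import datetime, timezone

UTCTIME, GENERALIZEDTIME, PRINTABLESTRING, SEQUENCE = 0x17, 0x18, 0x13, 0x30
# id-pkix-ocsp-nocheck = 1.3.6.1.5.5.7.48.1.5 (RFC 6960 4.2.2.2.1), DER-encoded arcs
OID_OCSP_NOCHECK = bytes.fromhex("2b0601050507300105")


def parse_tlv(data: bytes, offset: int = 0):
    """Decode one DER TLV at `offset`; return (tag, value, offset after it)."""
    tag, length, offset = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, offset = int.from_bytes(data[offset:offset + n], "big"), offset + n
    return tag, data[offset:offset + length], offset + length


def parse_time(tag: int, value: bytes) -> datetime:
    """RFC 5280 4.1.2.5: UTCTime YYMMDDHHMMSSZ (YY >= 50 means 19YY) or GeneralizedTime."""
    s = value.decode("ascii")
    if not s.endswith("Z"):
        raise ValueError("Time must be expressed in UTC (trailing Z)")
    if tag == UTCTIME:
        yy = int(s[:2])
        year, rest = (1900 + yy if yy >= 50 else 2000 + yy), s[2:-1]
    elif tag == GENERALIZEDTIME:
        year, rest = int(s[:4]), s[4:-1]
    else:
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    month, day, hh, mm, ss = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hh, mm, ss, tzinfo=timezone.utc)


def add_years(d: datetime, years: int) -> datetime:
    """Calendar anniversary; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def parse_validity(der: bytes):
    """Validity ::= SEQUENCE { notBefore Time, notAfter Time }"""
    tag, body, _ = parse_tlv(der)
    if tag != SEQUENCE:
        raise ValueError("Validity must be a SEQUENCE")
    t1, v1, off = parse_tlv(body)
    t2, v2, _ = parse_tlv(body, off)
    return parse_time(t1, v1), parse_time(t2, v2)


def lint_root(validity_der: bytes, country_der: bytes, max_years: int = 25):
    """Findings as (level, message); an empty list means both checks passed."""
    findings = []
    not_before, not_after = parse_validity(validity_der)
    if not_after > add_years(not_before, max_years):
        findings.append(("WARNING", "CA certificates should not have a validity "
                                    f"period greater than {max_years} years"))
    tag, value, _ = parse_tlv(country_der)
    # Simplification: real linters also check the value against the ISO 3166 list.
    if tag != PRINTABLESTRING:
        findings.append(("ERROR", f"countryName must be PrintableString, got tag 0x{tag:02x}"))
    elif not (len(value) == 2 and value.isalpha() and value.isupper()):
        findings.append(("ERROR", "Invalid country in countryName"))
    return findings


def lint_ocsp_signer(extensions_der: bytes):
    """Walk Extensions ::= SEQUENCE OF Extension; extnID is each Extension's first element."""
    _, body, _ = parse_tlv(extensions_der)
    off = 0
    while off < len(body):
        _, ext, off = parse_tlv(body, off)
        _, oid, _ = parse_tlv(ext)
        if oid == OID_OCSP_NOCHECK:
            return []
    return [("ERROR", "OCSP signing certificate does not contain the OCSP No Check extension")]


# Constructed DER fragments carrying the values Ramiro quotes for the 2016 roots:
# notBefore 160414073548Z, notAfter 400408073548Z, countryName PrintableString "ES".
ROOT_2016_VALIDITY = b"\x30\x1e" + b"\x17\x0d160414073548Z" + b"\x17\x0d400408073548Z"
ROOT_2016_COUNTRY = b"\x13\x02ES"
# Constructed counter-examples: a 26-year GeneralizedTime validity and a UTF8String country.
LONG_VALIDITY = b"\x30\x22" + b"\x18\x0f20160414073548Z" + b"\x18\x0f20420414073548Z"
UTF8_COUNTRY = b"\x0c\x02ES"
# Constructed extension lists: one with id-pkix-ocsp-nocheck (NULL inside the OCTET STRING),
# one carrying only extKeyUsage (2.5.29.37) = OCSPSigning (1.3.6.1.5.5.7.3.9).
NOCHECK_EXT = b"\x30\x0f\x06\x09" + OID_OCSP_NOCHECK + b"\x04\x02\x05\x00"
EKU_EXT = b"\x30\x13\x06\x03\x55\x1d\x25\x04\x0c\x30\x0a\x06\x08" + bytes.fromhex("2b06010505070309")
EXTS_WITH_NOCHECK = b"\x30\x11" + NOCHECK_EXT
EXTS_WITHOUT_NOCHECK = b"\x30\x15" + EKU_EXT

if __name__ == "__main__":
    nb, na = parse_validity(ROOT_2016_VALIDITY)
    print(f"2016 roots valid {nb:%Y-%m-%d} .. {na:%Y-%m-%d}:",
          lint_root(ROOT_2016_VALIDITY, ROOT_2016_COUNTRY) or "no findings")
    print("counter-example:", lint_root(LONG_VALIDITY, UTF8_COUNTRY))
    print("OCSP signer without nocheck:", lint_ocsp_signer(EXTS_WITHOUT_NOCHECK))
```

Run as-is it reports no findings for the quoted 2016 values (just under 24 years, PrintableString "ES") and both findings for the counter-examples, which is consistent with the later observation in this bug that the lint errors came from the wrong fingerprints being looked up. The UTCTime pivot matters here: "40" decodes to 2040 only because RFC 5280 treats two-digit years below 50 as 20YY.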
Thanks Ramiro!

Please fix the OCSP issue; then we are ready to move to the next stage.

Thanks!
Aaron
Thanks Aaron
OCSP is fixed already. You can check it out.
Best Regards
Ramiro
Hi Aaron

Have you been able to check the OCSP service?

Best Regards
Ramiro
Thanks Ramiro!

Great! As tested, your OCSP service is verified.

I will update that, and it is ready for public discussion.

Thank you!
Aaron
Assignee: kwilson → awu
Hi Ramiro,

Here is our information verification as attached in Comment #20; please check that the information is correct and answer the column marked "NEED CA RESPONSE".

Regarding the CA/Browser Forum Lint Test, here are the steps to verify:
- Browse to https://crt.sh/ and enter the SHA-1 Fingerprint for the root certificate.
- Then click on the 'Search' button.
- Then click on the 'Run cablint' link and 'Run x509lint'.
All errors must be resolved/fixed.

Once these issues are solved, we can move to the next stage, Public Discussion.

Thank you!
Aaron
Hi Aaron. Here are my answers:

a) Network Security controls: CPS Section 6.9.
http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_eidas_EN.pdf

b) DV certificates issued by Camerfirma have a maximum duration of three years (36 months).
c) Currently these hierarchies do not have SubCAs operated by external entities.
d) SHA-1 certificates: NO.

e) The countryName is a 2-digit PRINTABLESTRING and the value is equal to ES.
notBefore UTCTIME:160414073548Z, notAfter UTCTIME:400408073548Z, which is less than 24 years.

f) URL with a list of publicly disclosed subordinate CAs:
http://www.camerfirma.com/area-de-usuario/jerarquia-politicas-y-practicas-de-certificacion/

Please let me know if you need further clarification.

Regards
Ramiro
Hi Aaron.
Any news about this process?
As Comment 19 said, I thought it was already in public discussion.
Regards
Hi Ramiro,

We are working on the IV process and updating Salesforce; thanks for your information and please stay tuned.

Thanks!,
Aaron
Hi Aaron.
Any news about this process?
Sorry for my insistence, but we need to resolve this issue urgently and need a date for inclusion.
Best Regards
Hi Ramiro,

Please see the final verified CA document in Comment #26 and check that all the information is correct.

We will take care of the Lint Test once it is repaired.

Once you have no problem with the final document, we are ready for public discussion.

Thank you!
Hi Aaron.
Just a mistake. We've found a wrong root certificate fingerprint, and this could be the source of the problems you have detected in the lint test. We started the bug with the 2008 root version, but in Comment #2 you can find the correct document about our 2016 root information.

GLOBAL CHAMBERSIGN ROOT - 2016 has the fingerprint
SHA-1: 11 39 a4 9e 84 84 aa f2 d9 0d 98 5e c4 74 1a 65 dd 5d 94 e2
as you can see in the certificate we provide.

and

CN = CHAMBERS OF COMMERCE ROOT - 2016
SHA-1: 2d e1 6a 56 77 ba ca 39 e1 d6 8c 30 dc b1 4a be 22 a6 17 9b
as you can see in the certificate we provide.

The fingerprints you have in the document belong to the 2008 root certificate versions.
This request has been added to the queue for public discussion.
https://wiki.mozilla.org/CA/Dashboard#CA_Dashboard_-_Ready_for_Public_Discussion

I will update this bug when I start the discussion.
Whiteboard: EV - information incomplete → Ready for Public Discussion
Hi,

For the EV OID, only one EV OID will be added for each root; we recommend using 2.23.140.1.1 for both root certs, since 2.23.140.1.1 is the CA/Browser Forum's EV Policy OID.

The attached file in Comment #31 is the final updated information verification; we added Camerfirma to the queue for discussion:
https://wiki.mozilla.org/CA:Schedule#Requests_from_Already_Included_CAs_that_are_in_or_Ready_for_Discussion

Thanks,
Aaron
Hi Aaron

OK, we will use the CA/Browser Forum's EV Policy OID. Nevertheless, we will include other Policy OIDs as well due to local regulations.

But information about GLOBAL CHAMBERSIGN ROOT - 2016 is still wrong in the Mozilla Pending CA Certificate List. Information in the Excel cells, like the fingerprint, doesn't correspond to the content at the Root Certificate Download URL field. This is something I remarked on in Comment 28.

Please correct this information in the Mozilla Pending CA Certificate List. It is easy: get the information from the Root Certificate Download URL field.

Thanks a lot.

Best regards
Ramiro
Hi Ramiro,

The PEM file of "GLOBAL CHAMBERSIGN ROOT - 2016" has been updated; the data is the same as in Comment #28. The attached file in Comment #34 is the final updated information verification.

Thanks,
Aaron
Ok Aaron, it is OK.

Thank you.
Ramiro
Whiteboard: Ready for Public Discussion → [ca-ready-for-discussion 2017-01-23]
Ramiro,
Please perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ
In particular, note:
+ For the CAs currently in the queue for discussion, I would ask them to perform this BR Self Assessment before I would start their discussion.
Whiteboard: [ca-ready-for-discussion 2017-01-23] → [ca-ready-for-discussion 2017-01-23] - Need BR Self Assessment
Product: mozilla.org → NSS
Whiteboard: [ca-ready-for-discussion 2017-01-23] - Need BR Self Assessment → [ca-ready-for-discussion 2017-01-23] - BR Self Assessment Completed
Hi Ramiro,

I'm verifying the BR Self Assessment you provided; there are two things that still need your input/update.

1. Since your root requests the Website trust bit, please provide the 3 URLs to the test websites as described in Section 2.2 of the BRs: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired."

2. I found that the effective period of your audit statement is from the 14th of April 2015 to the 13th of April 2016. Could you please update your audit statement accordingly?


Thanks,
Aaron
AC Camerfirma's certificate ETSI EN 319 401 - ETSI EN 319 411-1 - ETSI EN 319 411-2 - ETSI EN 319 421
(In reply to Juan Angel Martin from comment #40)
> Created attachment 8888659 [details]
> Certificate ETSI EN 319 401 - ETSI EN 319 411-1 - ETSI EN 319 411-2 - ETSI
> EN 319 421
> 
> AC Camerfirma's certificate ETSI EN 319 401 - ETSI EN 319 411-1 - ETSI EN
> 319 411-2 - ETSI EN 319 421


Please see section 3.1.4 of Mozilla's Root Store policy for the list of information that must be included in audit statements.

https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/

In the audit statement attached in Comment #40, I do not find:
- Distinguished Name and SHA256 fingerprint of each root and intermediate certificate that was in scope;
- a list of the CA policy documents (with version numbers) referenced during the audit;
- whether the audit is for a period of time or a point in time;
- the start date and end date of the period, for those that cover a period of time;
- For ETSI, a statement to indicate if the audit was a full audit, and which parts of the criteria were applied, e.g. DVCP, OVCP, NCP, NCP+, LCP, EVCP, EVCP+, QCP-w, Part1 (General Requirements), and/or Part 2 (Requirements for trust service providers).
Hi Kathleen, we have the WebTrust CA, BR and EV reports ready. If you want I could include the draft version. We can provide you with the final report in a few days. I think it would be better instead of the ETSI ones.
(In reply to Ramiro Muñoz Muñoz from comment #42)
> Hi Kathleen we have the webtrust CA BR and EV report ready. If you want I
> could include the draft vesion. We can provide you with the final report in
> a few days

When you get the final WebTrust CA and BR audits, please be sure to provide the information for your currently-included root certs by creating an Audit Case as described here:
http://ccadb.org/cas/updates
In the meantime, please see the "Information Required" section of that page, because Mozilla is now requiring additional information annually, such as updated CP/CPS documents and test websites.
Attachment #8787137 - Attachment is obsolete: true
Attachment #8787138 - Attachment is obsolete: true
Attachment #8775118 - Attachment is obsolete: true
Here I send the final WebTrust audit report. The audit was written taking into account the new requirements.
Best Regards
Ramiro
Hi Ramiro,

Thank you for providing the updated audit reports.

I'm verifying the BR Self Assessment you provided; there are two things that still need your input/update.

1. Since your root requests the Website trust bit, please provide the 3 URLs to the test websites as described in Section 2.2 of the BRs: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates that are (i) valid, (ii) revoked, and (iii) expired."

2. Please make your CP and CPS up-to-date, and provide the URLs as PDF files.
 
Thanks,
Aaron
Hi Ramiro,

Based on your BR Self Assessment, most of the information refers to CPS_v_3_2_7 [1], and now we have the updated CPS_v_1_2_1 [2] you provided. Should we regard [2] as the latest version? If so, please help to update the BR Self Assessment accordingly. Thank you!

[1]
http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_V_3_2_7_EN.pdf

[2]
http://docs.camerfirma.com/publico/DocumentosWeb/politicas/CPS_eidas_v_1_2_1_EN.pdf


Kind regards,
Aaron
Hello Aaron,

I've updated our BR Self Assessment.

Best regards
Juan Angel
Thanks Juan for updating the BR Self Assessment; I will work on it and give feedback soon.

Best Regards,
Aaron
Hi Juan,

I've verified your BR Self Assessment, thanks!

As we know, you are providing updated Audit Statements and corresponding root certs in Audit Case #157. As checked with CCADB engineer, you should have permission to update "CA Audit Update Request" type of Cases/Root Cases related to "AC Camerfirma, S.A". Could you please try again?

https://ccadb.force.com/5001J00000TMe8W


Thanks,
Aaron
Sorry, but is anyone sure that Camerfirma is not StartCom? I think so, because the Camerfirma website (https://www.camerfirma.com/) uses the Camerfirma 2008 Root Certificate, under which StartCom previously issued revoked certificates for other domains.
Hi Andrew
 
Camerfirma is not StartCom.
StartCom has been issuing some Camerfirma certificates for their customers as an RA under this root.

Regards
Ramiro
Hello Ramiro,
If this is true, does it seem reasonable to you to provide your main (or 1 of 2) Camerfirma root certificate to StartCom?
Hello Andrew

I do not clearly understand what you are asking for. StartCom, in this case, is just an RA for issuing some AC Camerfirma certificates for their customers. This CA also issues certificates from other different RAs and organizations.

On the other hand, I think this is not the bug for this topic. In this bug we are trying to incorporate new AC Camerfirma Roots. None of them are related to StartCom.
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
I've reviewed this request and opened discussion at https://groups.google.com/d/msg/mozilla.dev.security.policy/skev4gp_bY4/snIuP2JLAgAJ
Assignee: kwilson → wthayer
Whiteboard: [ca-ready-for-discussion 2017-01-23] - BR Self Assessment Completed → [ca-in-discussion] - ends on 24-March 2018
Auditor correction AC Camerfirma Attestation letter Webtrust BR Camerfirma 2016-2017 period. Adding CN=AC CAMERFIRMA GLOBAL FOR WEBSITES - 2016.
The discussion referenced in comment #60 has concluded that this request should be denied. Changing status to WONTFIX.
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX
Whiteboard: [ca-in-discussion] - ends on 24-March 2018 → [ca-denied] Comment #62 - submit new root