Unizeto Certum has applied to include the “Certum Trusted Network CA 2” root certificate, turn on all three trust bits, and enable EV treatment. This is the next generation of the “Certum Trusted Network CA” root cert that was included via bug #532377.

Certum is an organizational unit of Unizeto Technologies SA, providing certification services related to electronic signatures. It is the oldest public, commercial certification authority in Poland, operating on a global scale and serving customers in over 50 countries worldwide.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=999378

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8644683

Noteworthy points:

* Documents are provided in Russian and English.

Document Repository: http://www.certum.eu/certum/179898.xml
CP: http://www.certum.eu/upload_module/wysiwyg/certum/cert_doc/pc_nuc/CCP-DK02-ZK01_Certification_Policy_of_CERTUM_Certification_Services_v3_4_1.pdf
CPS: http://www.certum.eu/upload_module/wysiwyg/certum/eu/documents/CCP-DK02-ZK02_Certification_Practice_Statement_v3_9.pdf

* CA Hierarchy
CPS section 1.3.1: authorities subordinate to Certum Trusted Network CA:
- Certum Class 1 CA, -- TEST CERTS
- Certum Class 1 CA SHA2, -- TEST CERTS
- Certum Code Signing CA,
- Certum Code Signing CA SHA2,
- Certum Domain Validation CA SHA2,
- Certum Organization Validation CA SHA2,
- Certum Extended Validation CA,
- Certum Extended Validation CA SHA2,
- Certum Global Services CA SHA2.

* This request is to turn on all three trust bits, and to enable EV treatment.

** CP section 2.1: DV certificates are issued for two separate groups: as free test certificates with a shorter period of validity, and as standard certificates with full usage. Certificates of the first group are issued by the intermediate authorities Certum Level I CA, Certum Class 1 CA and Certum Class 1 CA SHA2. The second group, standard certificates, is issued by the Certum Level II CA and Certum Domain Validation CA SHA2 authorities. Test certificates are intended mainly for testing application or device performance prior to purchasing a final certificate. DV certificates are issued for all types of applications: securing electronic correspondence, encrypting binary objects and protecting data transmission. CERTUM verifies all data provided by the subscriber in the certification process. The verification covers: a domain name, an email address, contact details and the name of the private person or representative of the legal entity. Detailed information on identity verification requirements is described in [the CPS]

** CPS section 3.2.2: CERTUM must confirm that the organization whose name is in the content of the certificate actually existed at the time of issuing the certificate. The verification is performed based on Qualified Independent/Government Information Sources, e.g. publicly available records of companies/organizations registries.
There are two basic ways of legal entity’s identity authentication. The first one requires the legal entity’s authorized representative’s personal attendance in the registration authority, or the registration authority representative’s presence in person in the legal entity’s seat (specified in the application). In the second case, the identity can be authenticated on-line by means of messages exchanged directly with the certification authority or its agent.
The registration authority is committed to verifying the correctness and truthfulness of all data provided in an application. In the case of EV SSL certificates, an additional procedure shall be applied according to the requirements of the Guidelines for the Issuance and Management of Extended Validation Certificates.
In the case of email certificates, the registration authority verifies an email address. The aim of this action is for the subscriber to receive authentication data sent to the address previously placed in the certification request.

** CPS section 3.2.5: In the case where a certificate request contains the name of the organization (O), this should be interpreted as the person who requests a certificate being affiliated with or authorized to act on behalf of the organization. This means that CERTUM verifies that the individual who requests a certificate was an employee of the organization or its subcontractor at the time of issuance of the certificate and has the right to act on behalf of the organization; the scope of authorization and the period of validity may be regulated by separate legislation or by the relying party in the course of verifying a digital signature or decrypting the received document, and is outside the scope of liability of CERTUM; the individual’s identity and authorization may be checked by CERTUM on the basis of available records or databases, or by contacting the organization by phone or e-mail.

** CPS section 3.2.6: For all SSL certificates, authentication of the Applicant’s ownership or control of all requested Domain Name(s) is done using one of the following methods:
- by uploading a file with the specified name to the root directory of the domain;
- by uploading specific metadata to the main page on the domain;
- by uploading specific metadata to the DNS text record of the domain;
- by direct confirmation with the contact listed by the Domain Name Registrar in the WHOIS record or provided to CERTUM by the Domain Name Registrar directly;
- by successfully replying to a challenge response email sent to one or more of the following email addresses: [email protected], postmaster@domain, [email protected], [email protected], [email protected].
CERTUM only uses the WHOIS records linked to on the IANA root database and the ICANN approved registrars.

* EV Policy OID: 2 1.2.616.1.113527.2.5.1.1

* Root Cert URL: https://bugzilla.mozilla.org/attachment.cgi?id=8614648

* Test Website: https://valid-certum-ctncav2.certificates.certum.pl/

* CRL: http://crl.certum.pl/evca2.crl
http://crl.certum.pl/ctnca2.crl

* OCSP: http://evca2.ocsp.certum.pl/
http://subca.ocsp-certum.com/
OCSP response is valid for 7 days.

* Audit: Certum is audited annually by Ernst & Young according to the Webtrust audit criteria.
https://cert.webtrust.org/SealFile?seal=1901&file=pdf
https://cert.webtrust.org/SealFile?seal=1903&file=pdf
https://cert.webtrust.org/SealFile?seal=1902&file=pdf

* Potentially Problematic Practices – none noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from Certum to include the “Certum Trusted Network CA 2” root certificate, turn on all three trust bits, and enable EV treatment.

At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy