FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate and enable the Websites trust bit.

Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that provides services to Spain as a national CA.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=435736

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8677034

Noteworthy points:

* Documents are in Spanish, and some are translated into English.

Document Repository: https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
CP: https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/
CPS: https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/

* CA Hierarchy

** This root has internally-operated subordinate CAs
- “AC Componentes Informáticos” issues certificates for SSL Servers and code signing.
- “AC Administración Pública” is an updated version of the “APE CA”, created to meet new requirements from the Spanish Government regarding certificates of Public Administrations.
- “APE CA” is no longer used.

* This request is to enable the Websites trust bit.

** From dpc_componentes_english.pdf…

*** Section 5.3.2.1, item 43: Checking the identity and particulars of the Certificate Applicant and the Subscriber and/or its Representative, and obtaining the representation that the Applicant is authorized by the Subscriber to file the application. ... Identification will be implemented through acceptable electronic signature certificates and the functionalities established in respect of the DNId [electronic ID document] for the above-mentioned purposes.

*** Section 5.3.2.2, item 48: As regards management of the lifecycle of Component Certificates, FNMT-RCM is the only authorized Registry Office, through its Registry Area. ... To check that the domain title holder's name matches the Subscriber's identity or, if appropriate, to obtain the Subscriber's authorization, which will be associated with the Component Certificate, using the means within its reach that, reasonably, make it possible to prove the title, according to the state of technology.

*** Section 6.1.3 item 66: The Registry Office will verify the Subscriber's personality and, if appropriate, the Representative's personality and capacity, through verification of the Electronic Signatures and Certificates used in the process and/or inquiry on the databases of the Companies Register or of trustworthy third parties.

*** Section 6.1.3, item 65: If the Certificate is associated with one or more Internet domains, the Registry Office will check, on the authorized domain registrars' databases, that the title holder of the domain and the Certificate Subscriber match, and will keep proof of the inquiry.

* EV Policy OID: Not applicable; not requesting EV treatment.

* Root Cert URL: http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt

* Test Website: https://www.sede.fnmt.gob.es/certificados

* CRL
ldap://ldapape.cert.fnmt.es/CN=CRL164,CN=AC%20Administraci%F3n%20P%FAblica,OU=CERES,O=FNMT-RCM,C=ES?certificateRevocationList
ldap://ldapfnmt.cert.fnmt.es/CN=CRL,OU=AC%20RAIZ%20FNMT-RCM,O=FNMT-RCM,C=ES?authorityRevocationList;

* OCSP
http://ocspape.cert.fnmt.es/ocspape/OcspResponder
http://ocspap.cert.fnmt.es/ocspap/OcspResponder

* Audit: FNMT is audited annually by PWC according to the WebTrust CA and WebTrust BR criteria. I exchanged email with the auditor to confirm the authenticity of the audit statement at this URL:
https://www.cert.fnmt.es/documents/11601/4379265/auditReport_en.pdf

* Potentially Problematic Practices -- None noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from FNMT to include the “AC RAIZ FNMT-RCM” root certificate and enable the Websites trust bit.

At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy