On 10/23/15 08:10, [email protected] wrote:
> El miércoles, 21 de octubre de 2015, 22:43:15 (UTC+2), Charles Reiss
> escribió:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>> FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and
>>> enable
>>> the Websites trust bit.
>>
>> [snip]
>>
>>> * CA Hierarchy
>>>
>>> ** This root has internally-operated subordinate CAs
>>
>>> - "AC Componentes Informáticos" issues certificates for SSL Servers and code
>>> signing.
>>> - "AC Administración Pública" is an updated version of the "APE CA" in
>>> order to
>>> meet new requirements from Spanish Government about certificates of Public
>>> Administrations.
>>> - "APE CA" is no longer used.
>>
>>
>> What are the apparent subCAs with CNs 'AC FNMT Usuarios'
>> [https://crt.sh/?caid=6664 ] and 'ISA CA' [https://crt.sh/?caid=947 (example
>> EE
>> cert: https://crt.sh/?id=8983568 )]?
>
> 'AC FNMT Usuarios' are for individuals.
>
> 'ISA CA' are for staff working for the European Commission or any institution
> or Agency of the European Union.
>
I notice that the audit report Kathleen linked to explicitly mentions the other
CAs ("the Delegated Certification Authorities; 'CA Administración Pública' y 'CA
Componentes Informáticos'" [sic]) but not these CAs. Is there a reason for that?
https://www.sede.fnmt.gob.es/documents/11614/67070/dpcec_english.pdf appears to
be translated CPS for the ISA CA sub-CA. For server certificates, this document
says:
12.2.2.1.3.381:
FNMT – RCM shall check, through the information systems that the Local
Registration Authority Officer (LRA Officer) authorised for each case have
available to them, that the domain name or IP address to include in the Web
Server Certificate is owned by the applicant Organization or Competent Body. In
the event that that such a check is not possible, __the FNMT-RCM shall accept
the Organization or Competent Body’s ownership over said names or addresses on
the basis of the corresponding application__.
[emphasis added]
I don't think that last option ("accept [...] on the basis of the corresponding
application") is acceptable for verifying domain name or IP address ownership
under the BRs.
(It's also not clear to me what the other option ("check, through the
information systems [...], that the domain name or IP address [..] is owned")
actually entails. I'd hope it means checking the registrar's databases...)
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
