On Monday, December 7, 2015, 22:13:52 (UTC+1), Kathleen Wilson wrote:
> On 10/21/15 12:17 PM, Kathleen Wilson wrote:
> > FNMT has applied to include the "AC RAIZ FNMT-RCM" root certificate and
> > enable the Websites trust bit.
> >
> > Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency that
> > provides services to Spain as a national CA.
> >
> > The request is documented in the following bug:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=435736
> >
> > And in the pending certificates list:
> > https://wiki.mozilla.org/CA:PendingCAs
> >
> > Summary of Information Gathered and Verified:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8677034
> >
> > Noteworthy points:
> >
> > * Documents are in Spanish, and some are translated into English.
> >
> > Document Repository:
> > https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >
> > CP:
> > https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/
> >
> > CPS: https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/
> >
> > * CA Hierarchy
> >
> > ** This root has internally-operated subordinate CAs
> > - "AC Componentes Informáticos" issues certificates for SSL Servers and
> > code signing.
> > - "AC Administración Pública" is an updated version of the "APE CA" in
> > order to meet new requirements from Spanish Government about
> > certificates of Public Administrations.
> > - "APE CA" is no longer used.
> >
> > * This request is to enable the Websites trust bit.
> >
> >
>
> Thanks to all of you who have contributed to this discussion so far. I
> believe that some of the concerns that were raised have been resolved,
> and that the remaining open concerns are as follows. Please reply if I
> missed any other items that still need to be resolved.
>
> 1) This root certificate has subordinate certificates that are not
> technically constrained and not audited/disclosed according to sections
> 8-10 of Mozilla's CA Certificate Policy. The noted subCAs are "AC FNMT
> Usuarios" (doesn't issue server certificates) and "ISA CA" (server
> certificates are issued exclusively to a very restricted (almost
> private) environment). Unless there are technical constraints on the
> intermediate CA certificates representing those subCAs which make it
> impossible for them to issue TLS or S/MIME certificates, they are
> in-scope for this inclusion request, because they are a potential source
> of mis-issuance which puts users of the Mozilla trust store at risk.
> References:
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/
> https://wiki.mozilla.org/CA:CertificatePolicyV2.1#Frequently_Asked_Questions

Regarding these issues, we are working to develop an action plan to solve them. We hope to communicate our action plan soon in this thread.

