LuxTrust has applied to include the "LuxTrust Global Root" root
certificate, turn on the Websites and Code Signing trust bits, and
enable EV treatment.
LuxTrust S.A. provides PKI services for the whole economic marketplace
in Luxembourg, for both private and public organisations. Because
LuxTrust S.A. provides PKI services to the financial sector, it is
regulated by Luxembourg's financial regulator, the CSSF (Commission de
Surveillance du Secteur Financier). LuxTrust aims to provide its
subscribers with certificates for HTTP over SSL, code signing, and
communications within banking systems. End-entity certificates are
issued to:
- Natural persons, in compliance with EU directive 1999/93/EC
- Organisations (incl. SSL and code signing).
LuxTrust's previous Root CA was cross-signed by the Baltimore CyberTrust
Root CA.
In order for LuxTrust to provide a National Certification Authority
service and in accordance with the Grand Duchy of Luxembourg's strategy,
LuxTrust decided to generate and deploy its own trusted Root CA
(LuxTrust Global Root CA).
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=944783
And in the pending certificates list:
http://www.mozilla.org/projects/security/certs/pending/
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8559339
Noteworthy points:
* The primary documents are in French and English.
Document Repository: https://repository.luxtrust.lu
CP:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20Global%20Root%20CA%20-%20Certificate%20Profiles%20v1.20.pdf
CPS:
https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Root%20CA_Certification_Practice_Statements_v1_08.pdf
Qualified Certs CPS:
https://www.luxtrust.lu/upload/data/repository/LuxTrust_Global_Qualified_CA_Certification_Practice_Statements_v1_06.pdf
SSL CPS:
https://www.luxtrust.lu/upload/data/repository/LuxTrust%20SSL%20CA%20CPS%20v1.2.pdf
* CA Hierarchy: LuxTrust Global Root CA signs internally-operated
intermediate certificates which sign end-entity certificates. The
current subCAs are: LuxTrust Global Qualified CA, LuxTrust SSL CA, and
LuxTrust TSA CA.
* This request is to turn on the Websites and Code Signing trust bits
and enable EV treatment.
** SSL CPS section 3.2.2:
The rules concerning the identification of the Subscriber's organisation
shall be compliant with the legal rules applied to the naming and
identification of organisations in the Grand Duchy of Luxembourg.
RAs operating under the LuxTrust SSL CA shall perform a verification of
any organizational identities that are submitted by an Applicant or
Subscriber.
The following documents are required for the identification of
Subscriber’s organisation (legal person) and/or to validate the
relationship of a physical person with a legal person:
1. Recent constitutive act, or recent extract of the commercial register
(or the foreign equivalent for foreign companies registered under
foreign law);
2. A recent official document or a recent original and certified mandate
stating the split of responsibilities or disposition powers within the
organs of the legal person (board of directors, delegated administrator,
CEO, manager, etc.);
3. When the legal person runs financial sector activities involving
third party funds management, the copy of the required authorisation or
the mention that such authorisation is not required;
4. A copy of the identity evidence (identity card, passport or
Luxembourg residency card) of one of the physical persons who is a legal
representative of the legal person;
5. The information about their legal address, civil state, and profession;
6. In case a company established in a non-Luxembourg jurisdiction is
found as founder, administrator or signatory in the LuxTrust
registration process, LuxTrust S.A. reserves the right to ask for the
constitutive documents of this company (points 1 & 2 above), the
declaration of the commercial beneficiary and the origin of the funds of
the company, as well as an explanatory description of the structure of
the proposed company;
7. In case the relationship of a physical person with a legal person is
to be validated and certified in the Certificate, the person identified
in (4) shall sign the appropriate guarantee as provided in the
applicable Certificate application form (Purchase Order).
In the particular case of Object signing Certificates, RAs operating
under the LuxTrust SSL CA shall verify the subscriber's identity and
authority, and the organization’s identity and existence.
In the particular case of SSL, RAs operating under the LuxTrust SSL CA
shall determine whether the domain referenced in the SSL Certificate
application is owned and controlled by the subscriber.
LuxTrust validates that the Subscriber has the right to control the
domain names using the following verification procedures:
[1] Communicating with the technical contact information provided by the
Subscriber in the order form.
[2] Communicating directly with the Domain Name Registrant using the
contact information listed in the WHOIS record’s “registrant”,
“technical”, or “administrative” field;
[3] Relying upon a Domain Authorization Document which contains the
signature of an authorized representative of the domain holder, a date
that is on or after the certificate request and a statement confirming
the Subscriber’s control over the domain names in the certificate.
LuxTrust also relies on a reliable third-party, the Chamber of Commerce
of Luxembourg, to confirm the authenticity of the Domain Authorization
Document.
In the particular case of EV SSL Certificates, RAs operating under the
LuxTrust SSL CA shall determine whether the organizational identity,
legal existence, physical existence, operational existence, and domain
name provided with a LuxTrust EV SSL Certificate Application are
consistent with the requirements set forth in the EV Guidelines [10]
published by the CA/Browser Forum. The information and sources used for
the verification of LuxTrust EV SSL Certificate Applications may vary
depending on the jurisdiction of the Applicant or Subscriber.
In addition, for EV SSL Certificates, for organisations registered for
less than 3 years, a document from a regulated financial institution
proving the existence of a current account is also required for the
identification of the organisation.
Moreover, LuxTrust does not issue certificates for private IP addresses
or internal domains.
* EV Policy OID: 1.3.171.1.1.10.5.2
* Root Cert URL: https://www.luxtrust.lu/downloads/root/LTGRCA_der.cer
* Test Site: https://www.trustme.lu/
* CRL
http://crl.luxtrust.lu
http://crl.luxtrust.lu/LTSSLCA4.crl
http://crl.luxtrust.lu/LTGRCA.crl
SSL CPS section 4.9.7: A CRL is issued every 4 hours, at an agreed time.
* OCSP
http://ssl.ocsp.luxtrust.lu
http://ltgroot.ocsp.luxtrust.lu
* Audit: Annual audits are performed by LSTI, according to the ETSI TS
102 042 v2.4.1 criteria.
http://www.lsti-certification.fr/images/fichiers/11085.pdf
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** None Noted.
This begins the discussion of the request from LuxTrust to include the
"LuxTrust Global Root" root certificate, turn on the Websites and Code
Signing trust bits, and enable EV treatment. At the conclusion of this
discussion I will provide a summary of issues noted and action items. If
there are outstanding issues, then an additional discussion may be
needed as follow-up. If there are no outstanding issues, then I will
recommend approval of this request in the bug.
Kathleen
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy