SECOM has applied to enable EV treatment for the "Security Communication RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.

SECOM is a Japanese commercial CA that provides SSL and client certificates for e-Government and participates in several projects for financial institutions to ensure secure online transactions.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1096205

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8641274

Noteworthy points:

* Documents are in Japanese. Translations of some sections are attached to the bug.

Document Repository: https://repository.secomtrust.net/SC-Root2/index.html
CP: https://repo1.secomtrust.net/spcpp/pfw/pfwevca/PfWEVCA-CP.pdf
CPS: https://repository.secomtrust.net/SC-Root/SCRootCPS.pdf
SubCA CP: https://repository.secomtrust.net/SC-Root/SCRootCP1.pdf
non-EV SSL CP: https://repo1.secomtrust.net/spcpp/pfw/pfwsr2ca/PfWSR2CA-CP.pdf
SSL Verification Procedures: https://www.secomtrust.net/service/pfw/apply/ev/1_3.html

English Translations: https://bug1096205.bugzilla.mozilla.org/attachment.cgi?id=8573613

* CA Hierarchy
This root certificate has subordinate CAs which sign end-entity certificates for SSL, EV SSL, email (S/MIME), and code signing.
Intermediate CAs are available here:
https://www.secomtrust.net/service/pfw/apply/sr/3_2.html
https://www.secomtrust.net/service/pfw/apply/ev/3_2.html
There is only one (internally-operated) subordinate CA that can issue EV certs, namely "SECOM Passport for Web EV 2.0 CA".
Externally-operated subCAs are not allowed to issue EV certs.
There is currently one externally-operated subCA, Fuji Xerox. SECOM is migrating this subCA to be internally-operated by SECOM and be included in SECOM's policy documentation and audit.

* All three trust bits are already enabled for this root certificate. The request is to enable EV treatment.

** The procedure that SECOM follows to verify the domain owner is the same for EV and non-EV SSL certificates. The only difference is that no lawyer opinion letter is used for non-EV SSL. Translations from section 4-2 of SECOM's Verification Document describe the process by which Whois is used to verify that the domain owner is the same as the certificate subscriber company name.

** Translations from Security Communication RootCA Subordinate CA Certificate Policy (SCRootCP1) and PfWEVCA-CP

3.2 Initial identification and authentication
3.2.1 Method to prove possession of private key
Possession of the private key by the applicant is proved as follows. The applicant submits a Certificate Signing Request (CSR), and we verify that it is signed with the private key corresponding to the public key contained in it. In addition, the fingerprint of the CSR is checked to identify the owner of the public key.
3.2.2 Authentication of company
Secom authenticates the applicant company as follows: by using official documents from the central or local government, databases provided by a QIIS or QGIS, and other methods that allow an equal level of verification.
3.2.3 Authentication of individual
Secom authenticates the applicant individual as follows: by using official documents from the central or local government, databases provided by a QIIS or QGIS, and other methods that allow an equal level of verification.
3.2.4 Information of non verified certificate user
Not described.
3.2.5 Confirmation of the authority to apply
Secom confirms that the applicant has the proper right to apply for the certificate according to section 3.2 or 3.3 of this CP. If the application is made by a third party, we request a letter of attorney. * A third-party application means an application by a party other than the company using the host name described in the common name of the certificate, as described in section 3.1.1.

4.3.1 Procedures to issue certificate by CA
Secom issues the certificate and prepares a certificate download site that is available only to the applicant. The applicant uses a client certificate or a one-time password, along with an access key, to reach the download site.

** Notes from the discussion of the inclusion request

*** There are 2 types of organizations. One is the organization registered in the QIIS, "Tokyo Shoko Research". The applicant information is obtained from a reliable independent source. This is much like an organizational credit reporting agency. Tokyo Shoko Research (TSR) has been a member of the D&B Worldwide Network since 2005.
http://www.tsr-net.co.jp/en/outline.html

*** Another type is the organization not registered in the QIIS, "Tokyo Shoko Research". In this case, Secom requires the organization to submit a "Certificate of seal impression". The "Certificate of seal impression" is an official document issued by the local government and available only to the representative of the organization. This is proof of the real existence of the organization and that there is no identity theft. This is commonly referred to as a "chop". It can be viewed as the same thing as what was formerly required in the US for corporations before a lot of the corporate-procedure streamlining went into effect, the "embossed seal" which was only available to the corporate secretary. This chop is used as a traditional tool for business contracts in Japan. The proof of the chop is referred to as the "Certificate of seal impression". The "Certificate of seal impression" is issued by the Legal Affairs Bureaus of the Ministry of Justice. This official document is issued and available only to the representative of the organization. This means that possessing this official document is proof of being the representative of the applicant's organization and that there is no identity theft.

*** In order to validate the authority of the representative, we make a phone call to the organization using the telephone number from the reliable independent source above, and ask the switchboard to transfer us to the applicant's representative.
For those organizations not registered in the QIIS:
Instead of getting the information ourselves from the QIIS directly, we obtain the Certificate of seal impression, which is an equally or more reliable information source from the Legal Affairs Bureaus of the Ministry of Justice. The Certificate of seal impression is submitted to us by the representative because it is available only to the representative of the organization. Possessing this official document is proof of being the representative of the applicant's organization. The watermarked surface of the official document lets us securely verify that it is the original and that no copy or forgery has been made of the document.


** Translations of Secom Passport for Web EV service verification procedures

4-2 Verification of the domain owner
By using the Whois gateway (NIC domain reference function), we verify the applied company name against the domain information (for the domain contained in the CommonName) and the applicant (if a domain name use consent form is submitted, it is the same as the domain owner).
There are two points to check for the exclusive right to use.
For example, if the applied CN is "WWW.login.secom.co.jp":
(1) The applied company, or a company in a parent/child relation with the applied company, owns "secom.co.jp".
(2) The applied company, or a company in a parent/child relation with the applied company, owns "login.secom.co.jp".
In order to check for a parent/child relation, we use a QIIS or QGIS (EDINET).
If we cannot find it, we ask the applicant to change the WHOIS owner to the applicant company name. If we cannot look up the owner at the Whois gateway, we ask the applicant to register it.
JP domain: http://whois.jprs.jp/
COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois

4-2-1 When the domain owner is different from the applicant company
In order to verify exclusive ownership, we check one of the documents below if the domain owner is a third party.
- Domain name use consent form
- Lawyer opinion letter
The points to be checked on the lawyer opinion letter are below.
(1) It is described that the domain (secondary domain) is exclusively owned by the applicant company. The domain name is described at item #5 of the lawyer opinion letter.
(2) The lawyer who wrote the lawyer opinion letter really exists; this is checked under 6, "Check for the existence of the lawyer", as a supplement.

** Translation from https://www.secomtrust.net/service/pfw/apply/ev/1_3.html
Check whether you are the owner of the domain.
If it ends with ".JP" - JPRS WHOIS (Japan Registry Services Co., Ltd.)
Other - InterNIC Whois Gateway (Network Solutions, Inc.)
If the registration information of the domain is outdated or contains a mistake, please contact the domain management company and change it to the correct information. If the domain information is set to private, please make the domain information public.

** Translation from https://www.secomtrust.net/service/pfw/apply/ev/sts_1.html
1. site content / operator confirmation
Because the certificate proves the existence of the web site, SECOM Trust Systems will check and review:
- The existence of the web site
- The existence of the organization that operates the web site
- That the requesting organization information, the certificate issuance destination information (CSR information) and the organization that operates the web site match
2. Confirmation of application information / domain information / trade name
Confirmation of domain information
We will confirm the organization that owns the domain.
If a third party (other than the applicant organization) owns the domain, documents must be submitted in order to confirm consent with respect to the use of the domain. In addition, we will check the existence of the organization.

** Translations of Mail Authentication Service Verification Procedure provided by SECOM
6. Procedure 4. Certificate information
Verify the DN information:
whether or not there is a mistake in the DN information.
- Company name does not match
- Spelling mistake
- Domain name mistake
- A certificate was issued with the same DN before (except in the case of renewal or reissue)
- Authentication by sending and receiving email
If it is not possible to send or receive the email, we verify the applied email address by making a phone call or by other means to the applicant company.
7. Procedure 5. Verification of the domain owner
By using the Whois gateway (NIC domain reference function), we verify the applied company name against the domain information (for the domain contained in the CommonName) and the applicant (if a domain name use consent form is submitted, it is the same as the domain owner).
JP domain: http://whois.jprs.jp/
COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois
8. Procedure 6. Verification by phone call
We make a phone call to the applicant company and make sure that the applicant belongs to the company and applied for the certificate.


* EV Policy OID: 1.2.392.200091.100.721.1

* Root Cert URL: https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer

* Test Website: https://pfwtest.secomtrust.net/

CRL: https://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl
http://repo1.secomtrust.net/spcpp/pfw/pfwev2ca/fullcrl.crl
CRL issuing frequency for subordinate end-entity certificates: 24 hours
From the SECOM CA Service Passport for Web SR 2.0 Certificate Policy (PfWSR2CA-CP.pdf), Section 4.9.7: the CRL expires, regardless of treatment, every 24 hours.

OCSP: http://ev2.ocsp.secomtrust.net/

* Audit: SECOM is audited annually by PricewaterhouseCoopers Aarata, according to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=1717&file=pdf
WebTrust BR: https://bugzilla.mozilla.org/attachment.cgi?id=8519802
WebTrust EV: https://cert.webtrust.org/SealFile?seal=1717&file=pdf

This begins the discussion of the request from SECOM to enable EV treatment for the "Security Communication RootCA2" root certificate that is currently included in NSS.

At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
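The proof-of-possession step in CP section 3.2.1 above (verify the CSR's self-signature, then check the CSR fingerprint against the applicant), as an added example that is not SECOM's code and not part of the original post. The applicant host name "www.example.jp", the organization "Example K.K." and the function names are constructed for this example. The applicant side only produces a CSR; the CA side, using nothing but Go's standard library, parses it, verifies the signature with the public key the CSR carries, checks the subject CN against the name applied for, and compares the SHA-256 fingerprint with the value the applicant reported out of band. A deliberately tampered CSR shows the signature check rejecting a modified request.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"strings"
)

// MakeApplicantCSR is the applicant's side (constructed for this example):
// generate a P-256 key pair and a CSR for the host name being applied for.
// Only the CSR is sent to the CA; the private key never leaves the applicant.
func MakeApplicantCSR(commonName, org string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: commonName, Organization: []string{org}},
		DNSNames: []string{commonName},
	}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, key)
}

// CSRFingerprint is the SHA-256 digest of the DER-encoded CSR, formatted as
// colon-separated upper-case hex so it can be read back over the phone or
// compared with what the applicant entered on the application form.
func CSRFingerprint(csrDER []byte) string {
	sum := sha256.Sum256(csrDER)
	h := strings.ToUpper(hex.EncodeToString(sum[:]))
	parts := make([]string, 0, len(sum))
	for i := 0; i < len(h); i += 2 {
		parts = append(parts, h[i:i+2])
	}
	return strings.Join(parts, ":")
}

// ProveKeyPossession is the CA-side check described in CP section 3.2.1:
//  1. parse the submitted CSR;
//  2. verify the CSR's self-signature with the public key it carries, which
//     proves the submitter held the matching private key;
//  3. confirm the subject CN is the host name that was applied for;
//  4. compare the CSR fingerprint with the value the applicant supplied
//     separately, tying the public key to the identified applicant.
func ProveKeyPossession(csrDER []byte, appliedCN, applicantFingerprint string) error {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return fmt.Errorf("CSR does not parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	if !strings.EqualFold(csr.Subject.CommonName, appliedCN) {
		return fmt.Errorf("subject CN %q does not match applied name %q",
			csr.Subject.CommonName, appliedCN)
	}
	if CSRFingerprint(csrDER) != applicantFingerprint {
		return fmt.Errorf("CSR fingerprint does not match the value supplied by the applicant")
	}
	return nil
}

// TamperCommonName flips one bit in the first byte of the CN inside the DER
// ("www" becomes "vww"). The CSR still parses, but the signed body no longer
// matches the signature, so CheckSignature rejects it.
func TamperCommonName(csrDER []byte, cn string) []byte {
	out := append([]byte(nil), csrDER...)
	if i := bytes.Index(out, []byte(cn)); i >= 0 {
		out[i] ^= 0x01
	}
	return out
}

func main() {
	const cn, org = "www.example.jp", "Example K.K." // constructed applicant
	der, err := MakeApplicantCSR(cn, org)
	if err != nil {
		panic(err)
	}
	fp := CSRFingerprint(der) // the value the applicant reports out of band
	fmt.Println("CSR fingerprint:", fp)
	fmt.Println("genuine CSR:    ", ProveKeyPossession(der, cn, fp))
	fmt.Println("tampered CSR:   ", ProveKeyPossession(TamperCommonName(der, cn), cn, fp))
	fmt.Println("wrong name:     ", ProveKeyPossession(der, "mail.example.jp", fp))
}
```

The order of the checks matters: the signature is verified before anything in the subject is trusted, because until the self-signature holds, the CN, organization and public key in the CSR are just unauthenticated bytes. The fingerprint comparison is what links the verified public key to the applicant identified through the company and representative checks in sections 3.2.2 to 3.2.5; a valid self-signature alone only shows that whoever built the CSR had the key.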