Thursday, 6 August 2015 06:52:26 UTC+9, Kathleen Wilson:

> SECOM has applied to enable EV treatment for the "Security Communication
> RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.
>
> SECOM is a Japanese commercial CA that provides SSL and client
> certificates for e-Government and participates in several projects for
> financial institutions to ensure the secured on-line transactions.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1096205
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8641274
>
> Noteworthy points:
>
> * Documents are in Japanese. Translations of some sections are attached
> to the bug.
>
> Document Repository: https://repository.secomtrust.net/SC-Root2/index.html
> CP: https://repo1.secomtrust.net/spcpp/pfw/pfwevca/PfWEVCA-CP.pdf
> CPS: https://repository.secomtrust.net/SC-Root/SCRootCPS.pdf
> SubCA CP: https://repository.secomtrust.net/SC-Root/SCRootCP1.pdf
> non-EV SSL CP: https://repo1.secomtrust.net/spcpp/pfw/pfwsr2ca/PfWSR2CA-CP.pdf
> SSL Verification Procedures: https://www.secomtrust.net/service/pfw/apply/ev/1_3.html
>
> English Translations:
> https://bug1096205.bugzilla.mozilla.org/attachment.cgi?id=8573613
>
> * CA Hierarchy
> This root certificate has subordinate CAs which sign end-entity
> certificates for SSL, EV SSL, email (S/MIME), and code signing.
> Intermediate CAs are available here:
> https://www.secomtrust.net/service/pfw/apply/sr/3_2.html
> https://www.secomtrust.net/service/pfw/apply/ev/3_2.html
> There is only one (internally-operated) subordinate CA that can issue EV
> certs, namely "SECOM Passport for Web EV 2.0 CA".
> Externally-operated subCAs are not allowed to issue EV certs.
> There is currently one externally-operated subCA, Fuji Xerox. SECOM is
> migrating this subCA to be internally-operated by SECOM and be included
> in SECOM's policy documentation and audit.
>
> * All three trust bits are already enabled for this root certificate.
> The request is to enable EV treatment.
>
> ** The procedure that SECOM follows to verify the domain owner is the
> same for EV and non-EV SSL certificates. The only difference is that no
> lawyer opinion letter is used for Non-EV SSL. Translations from section
> 4-2 of SECOM's Verification Document describe the process by which Whois
> is used to verify that the domain owner is the same as the certificate
> subscriber company name.
>
> ** Translations from Security Communication RootCA Subordinate CA
> Certificate Policy (SCRootCP1) and PfWEVCA-CP
>
> 3.2 Initial identification and authentication
> 3.2.1 Method to prove possession of private key
> It is proved that the applicant has the private key as follows.
> Certificate Signing Request, "CSR" submitted by the applicant and verify
> that the corresponding public key contained in it is signed with private
> key. In addition, check the fingerprint of the CSR to identify the owner
> of the public key.
> 3.2.2 Authentication of company
> Secom authorize the authentication of the applicant company as follows.
> By using the official documents from central or local government,
> database provided by QIIS or QGIS, and another ways that the equal level
> of authorization possible.
> 3.2.3 Authentication of individual
> Secom authorize the authentication of the applicant individual as
> follows. By using the official documents from central or local
> government, database provided by QIIS or QGIS, and another ways that the
> equal level of authorization possible.
> 3.2.4 Information of non verified certificate user
> Not described.
> 3.2.5 Confirmation of the authority to apply
> Secom confirm that the applicant has proper right to apply the
> certificate by the section 3.2 or 3.3 on this CP. In the case if the
> application is made by third party, we request to give us the letter of
> attorney.
> * The third party application means that other than the company using
> the host name described on common name of the certificate that is
> described on the section 3.1.1.
>
> 4.3.1 Procedures to issue certificate by CA
> Secom issues the certificate and prepares the certificate download site
> only available for the applicant. The applicant uses a client
> certificate or one time password along with access key to reach the
> download site.
>
> ** Notes from the discussion of the inclusion request
>
> *** There are 2 types of organizations. One is the organization
> registered in the QIIS, "Tokyo Shoko Research". The applicant
> information is obtained from the reliable independent source. This is
> much like an organizational credit reporting agency. Tokyo Shoko
> Research (TSR) is a member of the D&B Worldwide Network since 2005.
> http://www.tsr-net.co.jp/en/outline.html
>
> *** Another type is the organization not registered in the QIIS, "Tokyo
> Shoko Research". This time, Secom require the organization to submit
> "Certificate of seal impression". "Certificate of seal impression" is
> the official document issued by the local government and only available
> for the representative of the organization. This is the proof of the
> real existence of the organization and there is no identity theft.
> This is commonly referred to as a "chop". It can be viewed as the same
> thing as what was formerly required in the US for corporations before a
> lot of the corporate-procedure streamlining went into effect, the
> "embossed seal" which was only available to the corporate secretary.
> This chop is used for a traditional tool of business contract in Japan.
> The proof of the chop is referred as "Certificate of seal impression".
> "Certificate of seal impression" is issued by the Legal Affairs Bureaus
> of Ministry of Justice. This official document is issued and available
> only to the representative of the organization. This means that
> possessing this official document is the proof of the representative of
> the applicant's organization and there is no identity theft.
>
> *** In order to validate the authority of the representative, make a
> phone call to the organization using the telephone number from the
> reliable independent source above, and ask switchboard for transfer to
> the applicant's representative.
> For those organizations not registered in the QIIS..
> Instead of getting the information ourselves from QIIS directly,
> however we get the Certificate of seal impression that is equally or
> more reliable information source from the Legal Affairs Bureaus of
> Ministry of Justice. The certificate of seal impression is submitted to
> us by the representative because of the only available for the
> representative of the organization. Possessing this official document is
> the proof of the representative of the applicant's organization. Its
> watermarked surface of the official document makes us securely verify
> the original one and no copy or fraud made for the document.
>
>
> ** Translations of Secom Passport for Web EV service verification
> procedures
>
> 4-2 Verification of the domain owner
> By using Whois gateway (NIC domain reference function), we verify the
> applied company name on domain information (the contents included in
> CommonName) and the applicant (if the domain name use consent form is
> submitted, it is same as the domain owner).
> The two points to check for exclusive right to use.
> For example, the applied CN is "WWW.login.secom.co.jp"
> (1) Applied company or company that exists in parents/child relation
> with the applied company owns "secom.co.jp".
> (2) Applied company or company that exists in parents/child relation
> with the applied company owns "login.secom.co.jp".
> In order to check for parents/child relation, we use QIIS or QGIS (EDINET).
> If we cannot find it, we ask the applicant to change the owner as same
> as the applicant company name for WHOIS.
> If we cannot refer the owner at Whois gateway, ask the applicant for
> registration.
> JP domain: http://whois.jprs.jp/
> COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois
>
> 4-2-1 For the domain owner is different from the applicant company
> In order to verify the exclusive ownership, we check either document below
> if the domain owner is third party.
> Domain name use consent form
> Lawyer opinion letter
> Points to be checked on the lawyer opinion letter is below.
> (1) It is described that the domain (secondary domain) is exclusively
> owned by the applicant company. The domain name is described at item #5
> on the lawyer opinion letter.
> (2) The lawyer who wrote the lawyer opinion letter is really existing
> that is checked with 6. Check for the existence of the lawyer for
> supplementation.
>
> ** Translation from https://www.secomtrust.net/service/pfw/apply/ev/1_3.html
> check whether you are the owner of the domain.
> If it ends with ".JP" - JPRS WHOIS (Japan Registry Services Co., Ltd.)
> Other - InterNIC Whois Gateway (Network Solutions, Inc.)
> And if it is in the old organization information, if there is a mistake
> in the registration information of the domain, please change to the
> correct information contact the domain management company.
> If it is set the domain information in private, please publish the
> domain information.
>
> ** Translation from https://www.secomtrust.net/service/pfw/apply/ev/sts_1.html
> 1. site content / operator confirmation
> In SECOM Trust Systems, and because of the certificate to prove the
> existence of the web site, will check and review
> - The presence of the web site
> - The existence of the organization that operates the web site
> - Requesting organization information, certificate issuance destination
> information (CSR information) and match of the organization that
> operates the web site
> 2. Confirmation of application information / domain information / trade name
> Confirmation of domain information
> Will make sure the organization that owns the domain.
> If a third party (other than the applicant organization) owns the
> domain, we will submit the documents in order to confirm or being used
> consent with respect to the use of the domain. In addition, will check
> the existence of the organization.
>
> ** Translations of Mail Authentication Service Verification Procedure
> provided by SECOM
> 6. procedure4. Certificate information
> Verify for DN information
> Whether or not there is a mistake on DN information.
> - Not same for company name
> - Spelling mistake
> - Domain name mistake
> - The certificate was issued with the same DN before except the case of
> renewal or reissue.
> - Authentication by sending and receiving email.
> If it is not possible to send or receive the email, we verify the
> applied email address by making phone call or by another ways to the
> applicant company.
> 7. procedure5. Verification of the domain owner
> By using Whois gateway (NIC domain reference function), we verify the
> applied company name on domain information (the contents included in
> CommonName) and the applicant (if the domain name use consent form is
> submitted, it is same as the domain owner).
> JP domain: http://whois.jprs.jp/
> COM, NET, ORG domain: http://www.networksolutions.com/cgi-bin/whois/whois
> 8. procedure6. Verification by phone call
> By making phone call to applicant company and make sure that the
> applicant belongs to the company and apply for the certificate.
>
>
> * EV Policy OID: 1.2.392.200091.100.721.1
>
> * Root Cert URL: https://repository.secomtrust.net/SC-Root2/SCRoot2ca.cer
>
> * Test Website: https://pfwtest.secomtrust.net/
>
> CRL: https://repository.secomtrust.net/SC-Root2/SCRoot2CRL.crl
> http://repo1.secomtrust.net/spcpp/pfw/pfwev2ca/fullcrl.crl
> CRL issuing frequency for subordinate end-entity certificates: 24 hours
> From SECOM CA Service Passport for Web SR 2.0 Certificate Policy
> (PfWSR2CA-CP.pdf), Section 4.9.7: CRL is expired regardless of treatment,
> every 24 hours
>
> OCSP: http://ev2.ocsp.secomtrust.net/
>
> * Audit: SECOM is audited annually by PricewaterhouseCoopers Aarata,
> according to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=1717&file=pdf
> WebTrust BR: https://bugzilla.mozilla.org/attachment.cgi?id=8519802
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=1717&file=pdf
>
> This begins the discussion of the request from SECOM to enable EV
> treatment for the "Security Communication RootCA2" root certificate that
> is currently included in NSS.
>
> At the conclusion of this discussion I will provide a summary of issues
> noted and action items. If there are outstanding issues, then an
> additional discussion may be needed as follow-up. If there are no
> outstanding issues, then I will recommend approval of this request in
> the bug.
>
> Kathleen
Thank you Kathleen-san,

Our most recent WebTrust audit report is posted at the URL below.
https://cert.webtrust.org/ViewSeal?id=1907

Hisashi Kamo
Secom
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
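The EV policy OID quoted in the request (1.2.392.200091.100.721.1) is what a browser looks for in a leaf certificate's certificatePolicies extension once the root is flagged for EV, so a practitioner checking SECOM's test site wants to confirm that OID is actually asserted. The following is an added example, not code from this thread, from SECOM, or from Mozilla: a standard-library-only DER decoder for the certificatePolicies extension (RFC 5280, section 4.2.1.4) with an EV-OID membership check. Everything beyond the page's OID and CP URL is an assumption labelled in the code: the CA/Browser Forum EV and DV OIDs are included for illustration, and the two sample extension values are constructed inline rather than taken from a real SECOM certificate.

```python
"""Decode certificatePolicies and test for SECOM's EV policy OID.
Added example, not the CA's or Mozilla's code; stdlib only."""

# From the inclusion request.
SECOM_EV_OID = "1.2.392.200091.100.721.1"
SECOM_EV_CP_URL = "https://repo1.secomtrust.net/spcpp/pfw/pfwevca/PfWEVCA-CP.pdf"
# Assumed for illustration, not on the page: CA/Browser Forum EV and DV OIDs.
CABF_EV_OID = "2.23.140.1.1"
CABF_DV_OID = "2.23.140.1.2.1"
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"  # id-qt-cps: qualifier carrying a CPS URI


def _der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (base-128 sub-identifiers)."""
    arcs = [int(a) for a in dotted.split(".")]
    subids = [arcs[0] * 40 + arcs[1]] + arcs[2:]
    out = bytearray()
    for s in subids:
        chunk = [s & 0x7F]
        s >>= 7
        while s:
            chunk.append(0x80 | (s & 0x7F))
            s >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(body):
    """OBJECT IDENTIFIER contents (tag and length stripped) -> dotted string."""
    subids, value, pending = [], 0, False
    for b in body:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(value)
            value = 0
    if pending or not subids:
        raise ValueError("truncated OID")
    first = subids[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subids[1:])


def _read_tlv(buf, pos):
    """Read one DER element at pos -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def parse_certificate_policies(ext_value):
    """extnValue of certificatePolicies -> policy OIDs in order.
    Qualifiers (CPS URI, user notice) are skipped; an EV check only
    needs each PolicyInformation's policyIdentifier."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = _read_tlv(info, 0)
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OID")
        oids.append(decode_oid(oid_body))
    return oids


def asserts_ev_policy(ext_value, ev_oid=SECOM_EV_OID):
    """True if the extension lists the EV OID registered for this root."""
    return ev_oid in parse_certificate_policies(ext_value)


def build_certificate_policies(policies):
    """Encode [(oid, cps_uri_or_None), ...]; used only to construct samples."""
    infos = []
    for oid, cps in policies:
        body = encode_oid(oid)
        if cps:
            qualifier = _tlv(0x30, encode_oid(ID_QT_CPS) + _tlv(0x16, cps.encode("ascii")))
            body += _tlv(0x30, qualifier)
        infos.append(_tlv(0x30, body))
    return _tlv(0x30, b"".join(infos))


# Constructed samples (not real SECOM certificates): EV with a CPS pointer, and DV only.
SAMPLE_EV = build_certificate_policies([(SECOM_EV_OID, SECOM_EV_CP_URL), (CABF_EV_OID, None)])
SAMPLE_DV = build_certificate_policies([(CABF_DV_OID, None)])

if __name__ == "__main__":
    for name, ext in (("EV sample", SAMPLE_EV), ("DV sample", SAMPLE_DV)):
        print(name, parse_certificate_policies(ext), "EV:", asserts_ev_policy(ext))
```

On a real certificate, feed `parse_certificate_policies` the contents of the certificatePolicies extension's OCTET STRING (`extnValue`); the leaf carrying the OID is necessary but not sufficient for the EV indicator, which also requires the browser to have the OID registered against the Security Communication RootCA2 root, which is exactly what this request asks Mozilla to do.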

