On 10/26/15 15:57, [email protected] wrote:
> On Wednesday, 21 October 2015, 22:43:15 (UTC+2), Charles Reiss wrote:
>> On 10/21/15 19:17, Kathleen Wilson wrote:
>>
>> What are the apparent subCAs with CNs 'AC FNMT Usuarios'
>> [https://crt.sh/?caid=6664] and 'ISA CA' [https://crt.sh/?caid=947
>> (example EE cert: https://crt.sh/?id=8983568)]?
>
> "AC FNMT Usuarios" is the subCA that issues qualified certificates
> exclusively for natural persons (Spanish citizens). This subCA started
> operations in February 2015.
>
> Regarding "ISA CA", the European Commission awarded the FNMT-RCM Company a
> contract for PKI services within the scope of European Public Administration
> (ISA Program). This subCA issues certificates exclusively within that scope
> and only for the specified EU Institutions entitled by the European
> Commission to request ISA SSL certificates.
>
> All of the active server certificates have been issued for domains under:
> - testa.eu for the STESTA net. (STESTA is the European Community's own private
>   network, composed of the EuroDomain backbone and Local Domain networks. The
>   EuroDomain is totally isolated from the public Internet. This guarantees
>   restricted access, as only administrations may access the EuroDomain. Security
>   is also enhanced by the implementation of IPSEC technology to prevent
>   eavesdropping and advanced encryption mechanisms.)
> - europa.eu, which holds internal services of EU public administrations.
>
> Both europa.eu and testa.eu are domains that are the property of the European
> Commission itself, as you can verify at http://www.eurid.eu.
>
> The server certificate that you refer to (https://crt.sh/?id=8983568) is the
> only exception. "ec.fnmt.es" is a domain that is the property of FNMT-RCM and
> just holds the portal for accessing ISA CA products and services.
>
> The reasons why these subCAs don't figure in the request are:
> - "AC FNMT Usuarios" doesn't issue server certificates

Since its subCA certificate is technically capable of having server certificates
chaining through it (there's no extendedKeyUsage extension that would prevent
this), under section 8 of Mozilla's certificate policy and section 8.1 of the
BRs, it must be publicly disclosed and audited.

> - ISA CA server certificates are issued exclusively to a very restricted
> (almost private) environment

Again, based on its subCA certificate, the ISA CA is clearly required to be
publicly disclosed and audited under Mozilla's policy and the BRs. My concern is
not that it has been used to misissue certificates in the past, but that lax
domain/IP control validation procedures may allow mistakes in the future.

It is fine to operate restricted subCAs like this (many commercial CAs seem to do
it for large organizations), but since they are capable of producing publicly
trusted certificates, they must follow the same standards as if they were issuing
certificates for the general public.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
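As an added example (not from the thread, and not FNMT-RCM's or Mozilla's code), the check behind the point above, in Go using only the standard library: a subCA certificate counts as technically capable of having TLS server certificates chain through it unless its EKU extension excludes serverAuth and anyExtendedKeyUsage, or (per BR 7.1.5, which the post does not mention) it carries permitted dNSName constraints. The certificates are constructed in-code as test fixtures; `requiresDisclosure`, `must` and `newCA` are names chosen here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// requiresDisclosure reports whether a subCA certificate must be publicly disclosed
// and audited because publicly trusted TLS server certificates could chain through it.
// It is exempt only when technically constrained by EKU or by permitted dNSName subtrees.
func requiresDisclosure(ca *x509.Certificate) bool {
	if !ca.IsCA || len(ca.PermittedDNSDomains) > 0 {
		return false // end-entity cert, or dNSName-constrained (BR 7.1.5 criterion, added here)
	}
	if len(ca.ExtKeyUsage)+len(ca.UnknownExtKeyUsage) == 0 {
		return true // no EKU extension at all: the "AC FNMT Usuarios" situation in the thread
	}
	for _, eku := range ca.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true // EKU present but still permits TLS server use
		}
	}
	return false // EKU present and excludes TLS server use
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed CA with the given EKUs and permitted dNSName
// subtrees. Constructed test fixture, not a real FNMT-RCM certificate.
func newCA(cn string, ekus []x509.ExtKeyUsage, permitted []string) *x509.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage: ekus, PermittedDNSDomains: permitted, PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}
```

The name-constraints branch is simplified: BR 7.1.5 also places requirements on iPAddress and directoryName constraints that this check does not examine.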

