SECOM has applied to enable EV treatment for the "Security Communication
RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.

SECOM is a Japanese commercial CA that provides SSL and client
certificates for e-Government and participates in several projects for
financial institutions to ensure secure on-line transactions.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1096205

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8641274

Noteworthy points:

* Documents are in Japanese. Translations of some sections are attached
to the bug.

Document Repository: https://repository.secomtrust.net/SC-Root2/index.html
CP: https://repo1.secomtrust.net/spcpp/pfw/pfwevca/PfWEVCA-CP.pdf
CPS: https://repository.secomtrust.net/SC-Root/SCRootCPS.pdf
SubCA CP: https://repository.secomtrust.net/SC-Root/SCRootCP1.pdf
non-EV SSL CP:
https://repo1.secomtrust.net/spcpp/pfw/pfwsr2ca/PfWSR2CA-CP.pdf
SSL Verification Procedures:
https://www.secomtrust.net/service/pfw/apply/ev/1_3.html

English Translations:
https://bug1096205.bugzilla.mozilla.org/attachment.cgi?id=8573613

* CA Hierarchy
This root certificate has subordinate CAs which sign end-entity
certificates for SSL, EV SSL, email (S/MIME), and code signing.
Intermediate CAs are available here:
https://www.secomtrust.net/service/pfw/apply/sr/3_2.html
https://www.secomtrust.net/service/pfw/apply/ev/3_2.html
There is only one (internally-operated) subordinate CA that can issue EV
certs, namely "SECOM Passport for Web EV 2.0 CA".
Externally-operated subCAs are not allowed to issue EV certs.
There is currently one externally-operated subCA, Fuji Xerox. SECOM is
migrating this subCA to be internally-operated by SECOM and be included
in SECOM's policy documentation and audit.

* All three trust bits are already enabled for this root certificate.
The request is to enable EV treatment.


The most recent WebTrust audit report is posted at the URL below.
https://cert.webtrust.org/ViewSeal?id=1907


The updated SECOM CP for Ryan-san's comment is attached to
https://bugzilla.mozilla.org/show_bug.cgi?id=1096205

CP (English): https://bugzilla.mozilla.org/attachment.cgi?id=8679302

The additions for sections 2.2, 3.2.7 and 4.9.9 are addressed with a proposed
update to the English version of the CP.
The corresponding sections are marked in red characters.


I propose that we move forward with approving and implementing SECOM's request to enable EV treatment for the "Security Communication RootCA2" root certificate that was included in NSS via Bugzilla Bug #527419.

In parallel, I plan to continue to track the action item for SECOM to update their CP/CPS documentation to address the concerns that have been raised. I believe that Ryan Sleevi is also planning to review the full translated CP, but I am confident that SECOM will be prompt to address any further concerns that are raised.

I plan to track SECOM's status on updating their CP in the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=1096205

Does anyone have objections or concerns about this?

Thanks,
Kathleen





_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy