On 1/19/16 10:59 AM, Kathleen Wilson wrote:
On 1/12/16 4:16 PM, Kathleen Wilson wrote:
On 12/9/15 1:35 PM, Kathleen Wilson wrote:
The first discussion of the ANF root inclusion request was here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/cNgy1_rkv6A/h8YOlR3AFMIJ
ANF has responded to the concerns that were raised, so I am now opening
the second discussion about their inclusion request.
ANF has applied to include the “ANF Global Root CA” root certificate,
enable the Websites trust bit, and enable EV treatment.
ANF Autoridad de Certificación (ANF AC) is a private Certification
Authority, recognized and accredited by the Spanish Government as a
Certificate Services Provider (CSP). ANF AC has accredited more than
1000 Registry Authorities throughout Spain to issue qualified user
identity certificates. ANF CA also issues certificates for SSL with and
without Extended Validation.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8644470
Noteworthy points:
* The primary documents are the CPS and SSL CP, which are provided in
Spanish and English.
Document repository (Spanish):
http://www.anf.es/es/politicas/psc-acreditado/documentos-publicados
Document Repository (English): http://www.anf.es/en/
CP: https://www.anf.es/es/pdf/PC_SSL_Sede_EV_EN.pdf
CPS: https://www.anf.es/es/pdf/DPC_ANF_AC_EN.pdf
* CA Hierarchy: This root has eight internally-operated subordinate CAs
which sign end-entity certificates for individuals and organizations.
- ANF High Assurance EV CA1 (SHA1 and SHA256): Issues technical
certificates for authentication services SSL, SSL EV, Encryption and
Code Signing.
- ANF High Assurance AP CA1 (SHA1 and SHA256): Issues end-entity
certificates for Public Administrations.
- ANF Global CA1 (SHA1 and SHA256): Issues certificates for the
management and administration of the PKI of ANF AC.
- ANF Assured ID CA1 (SHA1 and SHA256): Issues end-entity in accordance
with the provisions of Electronic Signature Law 59/2003.
* This request is to enable the websites trust bit and enable EV
treatment.
Does anyone need more time to review this request?
If not, and no one has any questions/concerns about this request, then I
will close this discussion and recommend approval in the bug.
Thanks,
Kathleen
ANF responded to all of the questions and concerns that were raised in
the first discussion, and no one has raised further questions or
concerns in this second discussion.
Therefore, I am closing this discussion and will recommend approval in
the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=555156
Any further follow-up on this request should be added directly to the bug.
Thanks,
Kathleen
To provide an update on this request...
Ryan re-reviewed the request and commented in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=555156#c90
And we are waiting for the CA to respond.
Depending on their response, some of the things he noted could result in
the CA needing to issue all new intermediate certs and/or get re-audited.
We will track the CA's responses and progress in the bug, and I will
re-open this discussion once all the concerns have been properly addressed.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
