This request by the Government of Japan, Ministry of Internal Affairs and Communications, is to include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites trust bit. This new root certificate has been created in order to comply with the Baseline Requirements, and will eventually replace the 'ApplicationCA - Japanese Government' root certificate that was included via Bugzilla Bug #474706. Note that their currently-included root certificate expires in 2017, and will be removed via Bugzilla Bug #1268219.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=870185

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8673399

Noteworthy points:

* The primary documents are the Root and SubCA CP/CPS, provided in Japanese and English.
  Document Repository (Japanese): http://www.gpki.go.jp/apca/cpcps/index.html
  Document Repository (English): https://www2.gpki.go.jp/apca2/apca2_eng.html
  Root CP/CPS: https://www2.gpki.go.jp/apca2/cpcps/cpcps_root_eng.pdf
  SubCA CP/CPS: https://www2.gpki.go.jp/apca2/cpcps/cpcps_sub_eng.pdf

* CA Hierarchy: This root certificate has one internally-operated subordinate CA that issues end-entity certificates for SSL and code signing.

* This request is to turn on the Websites trust bit.

  SubCA CP/CPS section 3.2.2, Authentication of organization identity:
  "As for the application procedure of a server certificate, ... the LRA shall verify the authenticity of the organization to which the subscriber belongs according to comparing with organizations which were written in the application by directory of government officials that the Independent Administrative Agency National Printing Bureau issued."

  SubCA CP/CPS section 3.2.3, Authentication of individual identity:
  "As for the application procedure of a server certificate, ... the LRA shall verify the authenticity of the subscriber according to comparing with name, contact, etc. which were written in the application by directory of government officials that the Independent Administrative Agency National Printing Bureau issued. The LRA also checks the intention of an application by telephone or meeting."

  SubCA CP/CPS section 4.1.2, Enrollment process and responsibilities:
  "(1) Server certificate
  The subscriber shall apply accurate information on their certificate applications to the LRA.
  The LRA shall confirm that the owner of the domain name written as a name (cn) of a server certificate in the application form belongs to Ministries and Agencies who have jurisdiction over the LRA, or its related organization, with the third-party databases, and apply accurate information to the Application CA2 (Sub)."

* Mozilla Applied Constraints: This CA has indicated that the CA hierarchy may be constrained to the *.go.jp domain.

* Root Certificate Download URL:
  https://bugzilla.mozilla.org/attachment.cgi?id=8673392
  https://www.gpki.go.jp/apca2/APCA2Root.der

* EV Policy OID: Not requesting EV treatment

* Test Website: https://www2.gpki.go.jp/apca2/apca2_eng.html

* CRL URLs:
  http://dir.gpki.go.jp/ApplicationCA.crl
  http://dir2.gpki.go.jp/ApplicationCA2Root.crl
  http://dir2.gpki.go.jp/ApplicationCA2Sub.crl
  SubCA CPS section 4.9.7: "The CRL of 48-hour validity period is issued at intervals of 24 hours."

* OCSP URLs:
  http://ocsp-sub.gpki.go.jp
  http://ocsp-root.gpki.go.jp

* Audit: Annual audits are performed by KPMG AZSA LLC according to the WebTrust criteria.
  WebTrust Audit (Japanese and English in the same document): https://cert.webtrust.org/SealFile?seal=1793&file=pdf
  BR Readiness Assessment: https://bugzilla.mozilla.org/attachment.cgi?id=8667814
  Response to Audit Findings: https://bugzilla.mozilla.org/attachment.cgi?id=8667815
  "We will improve the issues that were pointed out in the pre-audit and submit the investigation report by September 2016."

* Potentially Problematic Practices: None Noted
  (http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from the Government of Japan to include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites trust bit. Please review this CA's request and provide feedback now, so that this CA may address any concerns while awaiting the results of their investigation report, which is expected to show that the issues found during their BR audit have been addressed.
A decision about inclusion will wait until after the investigation report has been provided.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
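The message above notes that Mozilla may constrain this hierarchy to the *.go.jp domain. RFC 5280 section 4.2.1.10 expresses such a restriction as a permitted-subtree dNSName written as "go.jp": a presented name satisfies it when it can be formed by adding zero or more labels to the left, so "www2.gpki.go.jp" and "go.jp" match while "fakego.jp" and "go.jp.attacker.example" do not. The following is an added example, not code from the mailing-list post, from GPKI, or from Mozilla's certificate verifier; it assumes a single permitted subtree "go.jp" (accepting the colloquial "*.go.jp" and ".go.jp" spellings as the same subtree is a convenience assumption, not an RFC 5280 rule), and the certificate names it checks are constructed for illustration.

```python
"""
Evaluate an RFC 5280 permitted-subtree dNSName constraint against the DNS
names a server certificate presents in its subjectAltName.

Added example: not the mailing-list post's, GPKI's or Mozilla's code.
Assumptions: the constraint is the single subtree "go.jp"; the spellings
"*.go.jp" and ".go.jp" are normalised to that subtree; sample SANs below are
constructed, not taken from real GPKI certificates.
"""
from typing import Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels. DNS is case-insensitive and
    a trailing dot (the root) is not significant for constraint matching."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def normalize_constraint(constraint: str) -> List[str]:
    """RFC 5280 writes a dNSName constraint as 'host.example.com'.
    Convenience (assumption): accept '*.go.jp' or '.go.jp' and evaluate them
    as the subtree 'go.jp', since that is how the post describes the constraint."""
    c = constraint.strip().lower()
    if c.startswith("*."):
        c = c[2:]
    elif c.startswith("."):
        c = c[1:]
    return _labels(c)


def dns_name_permitted(presented: str, constraint: str) -> bool:
    """True when `presented` equals the constraint or is a sub-domain of it.
    Comparison is label-wise: a plain string suffix test would wrongly accept
    'fakego.jp' for the constraint 'go.jp'. Empty names never match."""
    p = _labels(presented)
    c = normalize_constraint(constraint)
    if not p or not c:
        return False
    return len(p) >= len(c) and p[-len(c):] == c


def check_san_against_constraints(san_dns_names: Iterable[str],
                                  permitted: Iterable[str]) -> Tuple[bool, List[str]]:
    """Every presented dNSName must fall under at least one permitted subtree.
    Returns (ok, violating_names). A certificate with no dNSName at all is
    reported as not ok: the constraint has nothing to bind, so a relying party
    should not treat it as a constrained server certificate."""
    names = list(san_dns_names)
    subtrees = list(permitted)
    violations = [n for n in names
                  if not any(dns_name_permitted(n, c) for c in subtrees)]
    return (bool(names) and not violations, violations)


# Constraint as written in the post; normalised to the subtree "go.jp".
MOZILLA_CONSTRAINT = ["*.go.jp"]

# Constructed sample SAN lists (illustrative, not from real certificates).
SAMPLE_OK = ["www2.gpki.go.jp", "WWW.GPKI.GO.JP.", "dir2.gpki.go.jp"]
SAMPLE_BAD = ["www2.gpki.go.jp", "fakego.jp", "go.jp.attacker.example", "example.com"]


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Run both constructed SAN lists through the constraint check."""
    return (check_san_against_constraints(SAMPLE_OK, MOZILLA_CONSTRAINT),
            check_san_against_constraints(SAMPLE_BAD, MOZILLA_CONSTRAINT))


if __name__ == "__main__":
    for label, result in zip(("SAMPLE_OK", "SAMPLE_BAD"), demo()):
        ok, bad = result
        print(f"{label}: {'permitted' if ok else 'REJECTED'}"
              + (f" (outside go.jp: {', '.join(bad)})" if bad else ""))
```

The point of the label-wise comparison is the "fakego.jp" case: a constraint check implemented with `name.endswith("go.jp")` would accept a name the CA is not supposed to be able to certify. The check above only covers dNSName; a complete constraint evaluator also has to handle the other name forms (IP addresses, rfc822Name, URI) and the excludedSubtrees list, which are outside what the post discusses.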

