For some reason, Gmail split up this thread into two for me. In case anyone else is having similar issues, here's the original detail for this request:
On Wed, Apr 27, 2016 at 4:56 PM, Kathleen Wilson <[email protected]> wrote:

> This request by the Government of Japan, Ministry of Internal Affairs and
> Communications, is to include the GPKI 'ApplicationCA2 Root' certificate
> and enable the Websites trust bit. This new root certificate has been
> created in order to comply with the Baseline Requirements, and will
> eventually replace the 'ApplicationCA - Japanese Government' root
> certificate that was included via Bugzilla Bug #474706. Note that their
> currently-included root certificate expires in 2017, and will be removed
> via Bugzilla Bug #1268219.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=870185
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8673399
>
> Noteworthy points:
>
> * The primary documents are the Root and SubCA CP/CPS, provided in
> Japanese and English.
>
> Document Repository (Japanese):
> http://www.gpki.go.jp/apca/cpcps/index.html
> Document Repository (English):
> https://www2.gpki.go.jp/apca2/apca2_eng.html
> Root CP/CPS:
> https://www2.gpki.go.jp/apca2/cpcps/cpcps_root_eng.pdf
> SubCA CP/CPS:
> https://www2.gpki.go.jp/apca2/cpcps/cpcps_sub_eng.pdf
>
> * CA Hierarchy: This root certificate has one internally-operated
> subordinate CA that issues end-entity certificates for SSL and code signing.
>
> * This request is to turn on the Websites trust bit.
>
> SubCA CP/CPS section 3.2.2, Authentication of organization identity
> As for the application procedure of a server certificate, ... the LRA
> shall verify the authenticity of the organization to which the subscriber
> belongs according to comparing with organizations which were written in the
> application by directory of government officials that the Independent
> Administrative Agency National Printing Bureau issued.
>
> SubCA CP/CPS section 3.2.3, Authentication of individual identity
> As for the application procedure of a server certificate, ... the LRA
> shall verify the authenticity of the subscriber according to comparing with
> name, contact, etc. which were written in the application by directory of
> government officials that the Independent Administrative Agency National
> Printing Bureau issued.
> The LRA also check the intention of an application by a telephone or
> meeting.
>
> SubCA CP/CPS section 4.1.2, Enrollment process and responsibilities
> (1) Server certificate
> The subscriber shall apply accurate information on their certificate
> applications to the LRA.
> The LRA shall confirm that the owner of the domain name written as a
> name(cn) of a server certificate in the application form belongs to
> Ministries and Agencies who have jurisdiction over LRA, or its related
> organization with the thirdparty databases and apply accurate information
> to the Application CA2(Sub).
>
> * Mozilla Applied Constraints: This CA has indicated that the CA hierarchy
> may be constrained to the *.go.jp domain.
>
> * Root Certificate Download URL:
> https://bugzilla.mozilla.org/attachment.cgi?id=8673392
> https://www.gpki.go.jp/apca2/APCA2Root.der
>
> * EV Policy OID: Not requesting EV treatment
>
> * Test Website:
> https://www2.gpki.go.jp/apca2/apca2_eng.html
>
> * CRL URLs:
> http://dir.gpki.go.jp/ApplicationCA.crl
> http://dir2.gpki.go.jp/ApplicationCA2Root.crl
> http://dir2.gpki.go.jp/ApplicationCA2Sub.crl
> SubCA CPS section 4.9.7: The CRL of 48-hour validity period is issued at
> intervals of 24 hours.
>
> * OCSP URL:
> http://ocsp-sub.gpki.go.jp
> http://ocsp-root.gpki.go.jp
>
> * Audit: Annual audits are performed by KPMG AZSA LLC according to the
> WebTrust criteria.
> WebTrust Audit (Japanese and English in same document):
> https://cert.webtrust.org/SealFile?seal=1793&file=pdf
> BR Readiness Assessment:
> https://bugzilla.mozilla.org/attachment.cgi?id=8667814
> Response to Audit Findings:
> https://bugzilla.mozilla.org/attachment.cgi?id=8667815
> We will improve the issues that was pointed out in the pre-audit and
> submit the investigation report by September 2016.
>
> * Potentially Problematic Practices: None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the discussion of the request from the Government of Japan to
> include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites
> trust bit.
>
> Please review this CA's request and provide feedback now, so that this CA
> may address any concerns while awaiting the results of their investigation
> report that is expected to show that the issues found during their BR audit
> have been addressed. A decision about inclusion will wait until after the
> investigation report has been provided.
>
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
konklone.com | @konklone <https://twitter.com/konklone>

On Wed, Jul 20, 2016 at 7:58 PM, Kathleen Wilson <[email protected]> wrote:

> On Friday, May 20, 2016 at 3:33:56 PM UTC-7, Kathleen Wilson wrote:
> > Does anyone have questions, concerns, or feedback on this request from
> > the Government of Japan, Ministry of Internal Affairs and Communications,
> > to include the GPKI 'ApplicationCA2 Root' certificate and enable the
> > Websites trust bit?
> >
> > Kathleen
>
> I will greatly appreciate it if someone will review and comment on this
> request.
>
> As always, I appreciate your thoughtful and constructive feedback.
>
> Kathleen

