Kathleen-- As I understand it, the request is for only CA2(Root) to be included in the trust store. Is that correct? The CP/CPS document submitted for the CA2(Root) hardly seems sufficient to satisfy anyone for one simple reason: there is no detail! I'm surprised the auditors (KPMG in this case) found this to be acceptable. If the CA2(Sub) is not to be included in the Mozilla trust store then I don't see how its CP/CPS can be reviewed for consideration here. My recommendation is to reject this request and ask that the root's documentation be rewritten to reflect the policies and procedures that apply to all certs that chain to this root.
For some reason, Gmail split up this thread into two for me. In case anyone
else is having similar issues, here's the original detail for this request:

On Wed, Apr 27, 2016 at 4:56 PM, Kathleen Wilson <[email protected]> wrote:
> This request by the Government of Japan, Ministry of Internal Affairs and
> Communications, is to include the GPKI 'ApplicationCA2 Root' certificate
> and enable the Websites trust bit. This new root certificate has been
> created in order to comply with the Baseline Requirements, and will
> eventually replace the 'ApplicationCA - Japanese Government' root
> certificate that was included via Bugzilla Bug #474706. Note that their
> currently-included root certificate expires in 2017, and will be removed
> via Bugzilla Bug #1268219.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=870185
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8673399
>
> Noteworthy points:
>
> * The primary documents are the Root and SubCA CP/CPS, provided in
> Japanese and English.
>
> Document Repository (Japanese):
> http://www.gpki.go.jp/apca/cpcps/index.html
> Document Repository (English):
> https://www2.gpki.go.jp/apca2/apca2_eng.html
> Root CP/CPS:
> https://www2.gpki.go.jp/apca2/cpcps/cpcps_root_eng.pdf
> SubCA CP/CPS:
> https://www2.gpki.go.jp/apca2/cpcps/cpcps_sub_eng.pdf
>
> * CA Hierarchy: This root certificate has one internally-operated
> subordinate CA that issues end-entity certificates for SSL and code signing.
>
> * This request is to turn on the Websites trust bit.
>
> SubCA CP/CPS section 3.2.2, Authentication of organization identity
> As for the application procedure of a server certificate, ... the LRA
> shall verify the authenticity of the organization to which the subscriber
> belongs according to comparing with organizations which were written in the
> application by directory of government officials that the Independent
> Administrative Agency National Printing Bureau issued.
>
> SubCA CP/CPS section 3.2.3, Authentication of individual identity
> As for the application procedure of a server certificate, ... the LRA
> shall verify the authenticity of the subscriber according to comparing with
> name, contact, etc. which were written in the application by directory of
> government officials that the Independent Administrative Agency National
> Printing Bureau issued.
> The LRA also checks the intention of an application by a telephone or
> meeting.
>
> SubCA CP/CPS section 4.1.2, Enrollment process and responsibilities
> (1) Server certificate
> The subscriber shall apply accurate information on their certificate
> applications to the LRA.
> The LRA shall confirm that the owner of the domain name written as a
> name (cn) of a server certificate in the application form belongs to
> Ministries and Agencies who have jurisdiction over LRA, or its related
> organization with the third-party databases and apply accurate information
> to the Application CA2(Sub).
>
> * Mozilla Applied Constraints: This CA has indicated that the CA hierarchy
> may be constrained to the *.go.jp domain.
>
> * Root Certificate Download URL:
> https://bugzilla.mozilla.org/attachment.cgi?id=8673392
> https://www.gpki.go.jp/apca2/APCA2Root.der
>
> * EV Policy OID: Not requesting EV treatment
>
> * Test Website:
> https://www2.gpki.go.jp/apca2/apca2_eng.html
>
> * CRL URLs:
> http://dir.gpki.go.jp/ApplicationCA.crl
> http://dir2.gpki.go.jp/ApplicationCA2Root.crl
> http://dir2.gpki.go.jp/ApplicationCA2Sub.crl
> SubCA CPS section 4.9.7: The CRL of 48-hour validity period is issued at
> intervals of 24 hours.
>
> * OCSP URL:
> http://ocsp-sub.gpki.go.jp
> http://ocsp-root.gpki.go.jp
>
> * Audit: Annual audits are performed by KPMG AZSA LLC according to the
> WebTrust criteria.
> WebTrust Audit (Japanese and English in same document):
> https://cert.webtrust.org/SealFile?seal=1793&file=pdf
> BR Readiness Assessment:
> https://bugzilla.mozilla.org/attachment.cgi?id=8667814
> Response to Audit Findings:
> https://bugzilla.mozilla.org/attachment.cgi?id=8667815
> We will improve the issues that were pointed out in the pre-audit and
> submit the investigation report by September 2016.
>
> * Potentially Problematic Practices: None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the discussion of the request from the Government of Japan to
> include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites
> trust bit.
>
> Please review this CA's request and provide feedback now, so that this CA
> may address any concerns while awaiting the results of their investigation
> report that is expected to show that the issues found during their BR audit
> have been addressed. A decision about inclusion will wait until after the
> investigation report has been provided.
>
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>

On Wed, Jul 20, 2016 at 7:58 PM, Kathleen Wilson <[email protected]> wrote:
> On Friday, May 20, 2016 at 3:33:56 PM UTC-7, Kathleen Wilson wrote:
> > Does anyone have questions, concerns, or feedback on this request from
> > the Government of Japan, Ministry of Internal Affairs and Communications,
> > to include the GPKI 'ApplicationCA2 Root' certificate and enable the
> > Websites trust bit?
> >
> > Kathleen
>
> I will greatly appreciate it if someone will review and comment on this
> request.
>
> As always, I appreciate your thoughtful and constructive feedback.
>
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

--
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

