>> FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate 
>> and enable the Websites trust bit.
>> 
>> Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency 
>> that provides services to Spain as a national CA.
>> 
>> The request is documented in the following bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=435736

Here's a summary of the audit information that has been provided, and the 
intermediate certs that have been revoked (to be added to OneCRL).

WebTrust CA audit statement from PricewaterhouseCoopers dated May 18, 2016
https://bug435736.bmoattachments.org/attachment.cgi?id=8766584
Root certificates covered: FNMT-RCM Root CA
Intermediate certificates covered: “CA Administracion Publica” and “CA Components Informaticos”

WebTrust BR audit statement from PricewaterhouseCoopers dated May 18, 2016
https://bug435736.bmoattachments.org/attachment.cgi?id=8766583
Root certificates covered: FNMT-RCM Root CA
Intermediate certificates covered: “CA Administracion Publica” and “CA Components Informaticos”

ETSI TS 101 456 audit certificate from TUVIT dated 2016-06-21
https://bug435736.bmoattachments.org/attachment.cgi?id=8775143
Root certificates covered: OU=AC RAIZ FNMT-RCM
Intermediate certificates covered:
CN = AC Administracion Publica
CN = AC FNMT Usuarios
CN = AC Representacion

Audit Attestation by TUVIT
https://bug435736.bmoattachments.org/attachment.cgi?id=8775145
Root certificates covered: OU=AC RAIZ FNMT-RCM
“The assessment covered the period from May 6, 2015 until May 4, 2016. It was 
verified that the CA’s “AC FNMT Usuarios” and “AC Representacion” don’t issue 
SSL/TLS certificates”

Intermediate certificates revoked and to be added to OneCRL:
https://bugzilla.mozilla.org/show_bug.cgi?id=1263949
subject: C=ES, O=FNMT-RCM, OU=AC APE
  sha1 hash: 8A:8E:8D:48:BC:44:F7:9D:80:67:F8:0F:14:1E:C5:A0:A9:97:99:D5
  sha256 hash: FD:01:90:1F:E7:C4:F5:14:D6:36:DF:64:C0:74:4A:A4:02:9D:B9:16:A3:6F:28:47:4C:84:0E:68:07:93:6A:1E
subject: C=ES, O=FNMT-RCM, OU=AC APE
  sha1 hash: 24:F1:1E:3F:73:DE:D8:92:D4:F0:E3:3B:8A:8F:5A:A5:21:88:A3:C2
  sha256 hash: 0D:4C:32:4B:B0:B0:08:F4:5E:EC:73:8B:8E:51:B3:7D:25:0F:76:F0:5F:6A:0C:30:13:66:10:20:A2:07:25:65
subject: C=ES, O=FNMT-RCM, CN=ISA CA
  sha1 hash: 5E:7F:EE:F9:4C:1F:C5:C6:A2:34:46:8C:89:6B:5D:BA:CA:05:97:69
  sha256 hash: 05:2B:EB:BD:CD:5C:84:7B:FA:0F:6F:B0:EA:22:46:B5:5B:A9:EE:55:E0:2A:2D:48:0B:87:FC:2F:34:2C:84:43
subject: C=ES, O=FNMT-RCM, OU=AC APE
  sha1 hash: 35:EC:75:F8:81:25:03:39:D1:52:5F:EB:0E:23:44:BC:DE:7A:5A:5C
  sha256 hash: C0:81:EA:C7:B9:80:7B:70:BD:DC:AC:13:1F:07:B6:67:E4:D9:DE:7F:56:8C:43:BA:01:11:13:A1:E7:53:48:99
subject: C=ES, O=FNMT-RCM, CN=EU ISA CA
  sha1 hash: 7C:C6:1C:DE:A5:7E:02:6E:2D:A5:C3:C7:66:01:39:A6:6E:AC:80:DE
  sha256 hash: BF:1C:7E:BA:A0:AC:08:9C:16:DD:C7:EA:03:88:D8:3F:47:21:DD:86:2F:E8:71:5E:19:BA:07:82:AE:D1:46:FE
subject: C=ES, O=FNMT-RCM, CN=EU ISA CA
  sha1 hash: B5:CF:1B:22:8A:1A:A3:93:84:3A:C8:02:AB:F9:58:A1:A5:5F:DF:ED
  sha256 hash: 69:9C:E8:E2:05:65:1E:F4:8B:03:85:33:15:AE:48:2C:A0:4B:F2:B3:E2:D9:B5:A5:EF:08:E8:CB:13:86:9B:B6

The action items that had resulted from the discussion of this request are as 
follows.

>> 1) FNMT and Mozilla will need to make sure the revoked intermediate
>> certificates get added to OneCRL.
>>
>> 2) The "AC FNMT Usuarios" intermediate certificate will need to be 
>> audited annually to ensure that it never issues TLS/SSL certificates. 
>> If the audit ever comes back inconclusive or if there is ever any doubt 
>> that such an audit could detect any inadvertent issuance, the assumption
>> should be that mis-issuance has occurred and it would be reasonable to 
>> act accordingly.
>> 
>> 3) FNMT will work with the CAB Forum to resolve the conflicts between 
>> the BRs and the requirements that Spanish CAs must follow (i.e. the 
>> certlint errors, https://bugzilla.mozilla.org/show_bug.cgi?id=435736#c160). 

I believe that these action items have been or are being addressed, such that we may 
move forward with approving FNMT's request to include the “AC RAIZ FNMT-RCM” 
root certificate and enable the Websites trust bit.

If there are no further concerns then I will close this discussion and 
recommend approval in the bug. 
(https://bugzilla.mozilla.org/show_bug.cgi?id=435736)

Thanks,
Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
