This request from the Government of Tunisia is to include the “Tunisian Root Certificate Authority - TunRootCA2” root certificate, and enable the Websites trust bit.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1233645

BR Self Assessment is here:
https://bugzilla.mozilla.org/attachment.cgi?id=8865381

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8884764

* Root Certificate Download URL: http://www.certification.tn/pub/TunRootCA2.crt

* Documents are in French, translated in English
CP/CPS in French: http://www.certification.tn/sites/default/files/documents/PolitiqueSERVEURS-PTC-BR-05.pdf
CP/CPS in English: http://www.certification.tn/sites/default/files/documents/CPCPS-PTC-BR-EN-05.pdf

* CA Hierarchy: This root will have internally-operated subordinate CAs. Currently it has one internally-operated subordinate CA:
- Tunisian Server Certificate Authority - TunServerCA2

* This request is to turn on the Websites trust bit. EV treatment is not requested.

* CP/CPS of the Tunisian Server Certificate Authority PTC BR:
** Section 1.3.4: “In the context of this CP / CPS, a Server Certificate Responsible (SCR) is a natural person who is responsible for using the certificate of the server or computer device identified in the certificate and the private key corresponding to this certificate, on behalf of the entity identified in that certificate. The SCR is contractually, hierarchically or legally bound to this entity.”
** Section 3.2.2: “Authentication of a client organization is done by checking the following documents:
• The certificate application form duly completed and signed by the applicant, acting as a certificate request, containing in particular the postal address, the professional e-mail address and the telephone number enabling the NDCA to contact the future bearer;
• A copy of the National Identity Card, passport or residence card of the applicant and the SCR;
• An extract from the trade register not exceeding three months;
The bearer must be informed that the personal identity information he has provided for the registration file will be retained. The verification and validation of the request are carried out in accordance with the provisions described in section 4.2.”
** Section 4.2.1: “For the purpose of verifying the identities of the applicants, the RA performs the following operations: check the consistency of the registration dossier and the supporting documents submitted; verify the accuracy of the purchase order and payment; verify that the organization holds the domain name by consulting the official databases of AFRINIC or INTERNIC domain names, and ensure that the SCR is aware of the terms and conditions applicable to the use of the certificate. Upon completion of these transactions, the RA sends the request to the CA components responsible for certificate production. The RA then retains a copy of the proof of identity submitted in paper or electronic form having a legal value.”

* EV Policy OID: Not Requesting EV treatment

* Test Websites
Valid certificate: https://valid-ov.certification.tn
Revoked certificate: https://revoked-ov.certification.tn
Expired certificate: https://expired-ov.certification.tn

* CRL URLs:
http://crl.certification.tn/TunRootCA2.crl
http://crl.certification.tn/TunServerCA2.crl
CP/CPS section 2.3: A new CRL is published every 24 hours

* OCSP URLs: http://ocsp.certification.tn
OCSP responses have a maximum expiration time of 10 days.

* Audit: Annual audits are performed by LSTI according to the ETSI TS 102 042 for CA and BR audit criteria.
https://bug1233645.bmoattachments.org/attachment.cgi?id=8879910

* Forbidden or Problematic Practices (https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices)
None Noted

This begins the discussion of the request from the Government of Tunisia to include the “Tunisian Root Certificate Authority - TunRootCA2” root certificate, and enable the Websites trust bit. I will greatly appreciate your constructive and thoughtful feedback on this request.

Aaron

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy