Dear Gerv,

Given that some of these are BR requirements, why were these controls not in place already?

==> Some of these controls are already in place (such as the check that the CN field and the Subject Alternative Name do not contain a private IP address). In addition to that, NDCA has implemented a procedure for the RA operators which includes these sections:

1- Validation of the Organization
- In the case of a commercial or private organization: the RA operator checks the web site http://www.registre-commerce.tn. Then he enters the Tax Identification Number to verify the existence of the organization.
- In the case of a public organization: the RA operator checks the web site http://www.infojort.com. Then he enters the Tax Identification Number to verify the existence of the organization.

2- Domain Validation
For national domains, the RA operator checks the web site of the Tunisian Internet Agency, which is responsible for the management of the national domain ".tn" and of IP addressing in Tunisia ( http://whois.ati.tn ). For international domains, the RA operator checks the international whois. In both cases, the RA operator checks that the domain name is the property of the applicant.

3- CSR Validation
The RA operator checks the CSR with this URL: https://cryptoreport.websecurity.symantec.com/checker/views/csrCheck.jsp

4- Validation of the technical data included in the CSR
The RA operator checks:
- Digital Signature Algorithm: SHA256
- Key Algorithm: RSA
- Key Size: 2048

5- Validation of the data inserted in the CSR against the data filled in the form
- Common name:
- Organization:
- Organizational unit:
- City/locality:
- State/province:
- Country:

6- Validation of the email
The RA operator checks that the email is in one of these forms:
[email protected]
[email protected]
[email protected]
[email protected]

7- Validation of the information related to the legal person and the subscriber

8- Phone call to the webmaster of the server

Moreover, the NDCA is now implementing a new Managed PKI platform which will be in production by the end of September 2017. For the moment, the only improvement done is the printing of all the subject alternative names in the certificate for the RA operators, in addition to the other fields (CN, O, OU, mail), in such a way that they can visually check all the fields before the delivery of the certificate.

From what date would you say that your CA has been compliant with the CAB Forum Baseline Requirements?

==> The TunRootCA2 and TunServerCA2 passed two successive external audits performed by LSTI. The last audit took place from 27th to 30th September 2016, applying the relevant ETSI Technical Specification ETSI TS 102 042 v2.4.1. The audit was performed by LSTI as a full audit. This audit confirms the validity of certificate N° 11140, issued in November 2015 and valid until November 2018. The next full audit will be performed from 11th to 15th September 2017.

When will these improvements be implemented? And, given that these are only four possible ways a certificate can be messed up, what other checks are going to be implemented at the same time?

==> These improvements have already been implemented by our service provider during this week. The tests will be done from 14th to 25th August 2017. The beginning of production is planned for the end of September, after the audit. We already have other checks besides those four in our information system, such as checking the fields in the CSR. These checks are already implemented.

Olfa

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
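As an added illustration (not NDCA's code nor anything from the list thread), the following script automates the parts of the RA procedure above that can be checked mechanically: step 4 (SHA256 / RSA 2048), step 5 (CSR subject versus the application form) and the rule that neither the CN nor a Subject Alternative Name may carry a private IP address. `CsrSummary` is an assumed stand-in for the fields a real X.509 parser would extract from the CSR.

```python
import ipaddress
from dataclasses import dataclass


# Constructed stand-in for the fields an RA operator reads off a decoded CSR;
# a real deployment would populate it from an ASN.1/X.509 parser.
@dataclass
class CsrSummary:
    subject: dict       # {"CN": ..., "O": ..., "OU": ..., "L": ..., "ST": ..., "C": ...}
    sans: list          # Subject Alternative Name values (DNS names or IP literals)
    sig_hash: str       # hash used for the CSR's own signature, e.g. "sha256"
    key_algo: str       # "RSA", "EC", ...
    key_bits: int


FORM_FIELDS = ("CN", "O", "OU", "L", "ST", "C")   # fields compared in step 5


def is_internal_name(value: str) -> bool:
    """True for private/reserved IP literals and single-label hostnames,
    neither of which can be validated against public whois or DNS."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return "." not in value.strip(".")      # e.g. "intranet", "localhost"
    return ip.is_private or ip.is_reserved or ip.is_loopback or ip.is_link_local


def check_csr(csr: CsrSummary, form: dict) -> list:
    """Return a list of findings; an empty list means the CSR passes
    steps 4 and 5 and the CN/SAN private-address check."""
    findings = []
    # Step 4: algorithm constraints
    if csr.sig_hash.lower() != "sha256":
        findings.append(f"signature hash {csr.sig_hash}, expected SHA256")
    if csr.key_algo.upper() != "RSA" or csr.key_bits < 2048:
        findings.append(f"key {csr.key_algo}-{csr.key_bits}, expected RSA 2048")
    # Step 5: every subject field must equal what the applicant wrote on the form
    for f in FORM_FIELDS:
        if csr.subject.get(f) != form.get(f):
            findings.append(f"{f}: CSR has {csr.subject.get(f)!r}, form has {form.get(f)!r}")
    # CN and all SANs are inspected, not just the CN the operator sees first
    for name in [csr.subject.get("CN")] + list(csr.sans):
        if name and is_internal_name(name):
            findings.append(f"internal name or address in CN/SAN: {name}")
    return findings
```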

