On Thursday, 27 April 2017 at 15:22:27 UTC+2, Aaron Wu wrote:
> This request from the Dhimyotis/Certigna is to include the SHA-256 ‘Certigna
> Root CA’ certificate and turn on the Websites and Email trust bits. This root
> certificate will eventually replace the SHA-1 ‘Certigna’ root certificate
> that was included via Bugzilla #393166.
>
> Dhimyotis, the name of the company, is a commercial CA and Certigna is the
> brand for their certificates.
>
> The new ‘Certigna Root CA’ has 7 internally operated subordinated CAs :
> - Identity CA : encipherment, authentication and/or digitally-signed email
> - Identity Plus CA : authentication and/or digitally-signed email
> - Entity CA : seal (EKU : emailProtection or timeStamping)
> - Entity Code signing CA : seal (EKU : codeSigning)
> - Services CA : SSL (EKU : authServer or authClient)
> - Wild CA : SSL (EKU : authServer and authClient)
> - FR03 : Seal
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1265683
>
> BR Self Assessment is here:
> https://bugzilla.mozilla.org/attachment.cgi?id=8861810
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8862251
>
> * Root Certificate Download URL:
> http://autorite.dhimyotis.com/certignarootca.der
>
> * The CP documents are in French and translated into English.
>
> Document Repository: https://www.certigna.fr/autorites/index.xhtml
> CP - Root CA: http://politique.certigna.fr/en/PCcertignarootca.pdf
> CP - Services CA: http://politique.certigna.fr/en/PCcertignaservicesca.pdf
> CP - Wild CA: http://politique.certigna.fr/en/PCcertignawildca.pdf
>
> * CA Hierarchy
> Certificate Hierarchy Diagram : https://www.certigna.fr/autorites/index.xhtml
>
> * The request is to enable the Websites and Email trust bits
>
> ** Section 4.2.1 of CP - Services CA and CP - Wild CA : "The verification of
> the FQDN and the entity holding it is achieved using "WHOIS" websites and of
> the AFNIC website if applicable. A legal representative of the entity which
> hold the domain must formally designate the RC and its entity in a domain
> authorization document signed by that representative (request form or
> specific form provided by the CA)."
> *** This corresponds to BR section 3.2.2.4.5 Domain Authorization Document
>
> * EV Policy OID: Not Requesting EV treatment
>
> * Test Websites
> Valid certificate : https://valid.servicesca.dhimyotis.com
> Expired certificate: https://expired.servicesca.dhimyotis.com
> Revoked certificate: https://revoked.servicesca.dhimyotis.com
>
> * CRL URLs:
> Root CAs: http://crl.certigna.fr/certignarootca.crl
> Subordinated CAs : https://www.certigna.fr/autorites/index.xhtml
> Frequency of updating CRL is described in chapters 2.3 and 4.9.6 of the CP/CPS
>
> * OCSP URLs:
> URI for SSL certificates : http://servicesca.ocsp.certigna.fr/
> Frequency of updating OCSP is described in chapter 4.9.6 of the CP/CPS.
> The maximum time elapsing from the revocation of an end entity or CA
> certificate until OCSP responders are updated to reflect that revocation : 1
> hour
>
> * Audit: Annual audits are performed by LSTI according to the ETSI TS 102 042
> / 101 456 criteria.
> https://bug1265683.bmoattachments.org/attachment.cgi?id=8856978
>
> * Potentially Problematic Practices : None Noted
> (https://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the discussion of the request from Dhimyotis/Certigna to include
> the SHA-256 ‘Certigna Root CA’ certificate and turn on the Websites and Email
> trust bits.
>
> Aaron

In order to finalize our integration request, I would like to inform you of new information:

- We have published all our CPs and CPSs updated on 25/01/2017 in French and English version : https://www.certigna.fr/autorites/index.xhtml
- We have updated our integration ticket (https://bugzilla.mozilla.org/show_bug.cgi?id=1265683), because under this authority, we now issue QCP-w/EV qualified certificates. We have updated the Attestation letter and the document "Initial Information Gathering Document"

Could you ensure that the Certigna Root CA integration can enable EV recognition for this root authority.

We remain at your disposal for any further information.

Thanking you in advance for your help.

Best regards

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

