Minor but it seems like all certificates with a stateOrProvinceName field are 
misissued. The ST field should probably be the "Gyeonggi-do" as the 
"Seongnam-si" entered is a city.



‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy 
<dev-security-policy@lists.mozilla.org> wrote:

> Dear All,
>
> This is to announce the beginning of the public discussion phase of the
> Mozilla root CA inclusion process,
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4
> through 9). Mozilla is considering approval of NAVER Business Platform
> Corp.’s request to include the NAVER Global Root Certification Authority as
> a trust anchor with the websites trust bit enabled, as documented in the
> following Bugzilla case:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a
> 3-week comment period, after which if no concerns are raised, we will close
> the discussion and the request may proceed to the approval phase (Step 10).
>
> A Summary of Information Gathered and Verified appears here in the CCADB:
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
>
> *NAVER Global Root Certification Authority*, valid from 8/18/2017 to
> 8/18/2037
>
> SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265
>
> https://crt.sh/?id=1321953839
>
> Root Certificate Download:
>
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt
>
> CP/CPS:
>
> Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29)
> through 42 in Bugzilla contain discussion concerning the CPS and revisions
> thereto.
>
> Current CPS is version 1.4.3:
>
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP Certification Practice Statement v1.4.3.pdf
>
> Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do
>
> BR Self Assessment (Excel file) is located here:
>
> https://bugzilla.mozilla.org/attachment.cgi?id=9063955
>
> Audits: Annual audits are performed by Deloitte according to the
> WebTrust Standard and WebTrust Baseline Requirements audit criteria. See
> webtrust.org. The last complete audit period for NAVER was from 1 December
> 2018 to 30 November 2019 and no issues were found. However, the audit
> report was dated 28 April 2020, which was more than three months following
> the end of the audit period. The explanation for the delay in obtaining the
> audit report was as follows, “NBP had received a notification mail on
> updating the audit information from CCADB support in March since the Root
> certificate is only included into Microsoft Root Program. According to
> instructions on the email, I explained that NBP would submit the audit
> update information in April to Microsoft.” The current audit period ends
> 30 November 2020.
>
> *Mis-Issuances*
>
> According to crt.sh and censys.io, the issuing CA under this root
> (NAVER Secure Certification Authority 1) has issued approximately 80
> certificates. I ran the following query for the issuing CA to identify any
> mis-issuances:
> https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18,
> and during the course of our review, we identified six test certificates
> with errors. (Such certificates have either been revoked or have expired).
> See:
>
> https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint
>
> https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint
>
> https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint
>
> https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint
>
> https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint
>
> https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint
>
> The explanation provided (
> https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding
> CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which
> were not complied with BRs right after issuing them. The domains on SANs of
> the certificates were owned and controlled by NBP. They were immediately
> revoked according to CA procedures. For ZLint tests, the certificate (CN=
> test2-certificate.naver.com) had been issued and became expired in
> compliance with CA Browser Forum BRs and RFC 5280. I understand there is a
> specific Mozilla policy on Authority Key IDs. NBP already fixed the system
> functions. There is no such valid certificate and NBP CA currently issues
> certificates fully complied with the Mozilla policy. You can see the new
> certificate (CN= test2-certificate.naver.com) was issued without any error
> at https://crt.sh/?id=2824319278.”
>
> I have no further questions or concerns at this time, however I urge anyone
> with concerns or questions to raise them by replying to this list under the
> subject heading above.
>
> Again, this email begins a three-week public discussion period, which I’m
> scheduling to close on Monday, 2-November-2020.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program
>
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy

