Minor, but it seems like all certificates with a stateOrProvinceName field are misissued. The ST field should probably be "Gyeonggi-do", as the "Seongnam-si" entered is a city.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> Dear All,
>
> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process, https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9). Mozilla is considering approval of NAVER Business Platform Corp.’s request to include the NAVER Global Root Certification Authority as a trust anchor with the websites trust bit enabled, as documented in the following Bugzilla case: https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a 3-week comment period, after which if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>
> A Summary of Information Gathered and Verified appears here in the CCADB:
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
>
> *NAVER Global Root Certification Authority*, valid from 8/18/2017 to 8/18/2037
>
> SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265
>
> https://crt.sh/?id=1321953839
>
> Root Certificate Download:
>
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt
>
> CP/CPS:
>
> Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29) through 42 in Bugzilla contain discussion concerning the CPS and revisions thereto.
>
> Current CPS is version 1.4.3:
>
> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP Certification Practice Statement v1.4.3.pdf
>
> Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do
>
> BR Self Assessment (Excel file) is located here:
>
> https://bugzilla.mozilla.org/attachment.cgi?id=9063955
>
> Audits: Annual audits are performed by Deloitte according to the WebTrust Standard and WebTrust Baseline Requirements audit criteria. See webtrust.org. The last complete audit period for NAVER was from 1 December 2018 to 30 November 2019 and no issues were found. However, the audit report was dated 28 April 2020, which was more than three months following the end of the audit period. The explanation for the delay in obtaining the audit report was as follows, “NBP had received a notification mail on updating the audit information from CCADB support in March since the Root certificate is only included into Microsoft Root Program. According to instructions on the email, I explained that NBP would submit the audit update information in April to Microsoft.” The current audit period ends 30 November 2020.
>
> *Mis-Issuances*
>
> According to crt.sh and censys.io, the issuing CA under this root (NAVER Secure Certification Authority 1) has issued approximately 80 certificates. I ran the following query for the issuing CA to identify any mis-issuances: https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18, and during the course of our review, we identified six test certificates with errors. (Such certificates have either been revoked or have expired). See:
>
> https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint
> https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint
> https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint
> https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint
> https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint
> https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint
>
> The explanation provided (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which were not complied with BRs right after issuing them. The domains on SANs of the certificates were owned and controlled by NBP. They were immediately revoked according to CA procedures. For ZLint tests, the certificate (CN= test2-certificate.naver.com) had been issued and became expired in compliance with CA Browser Forum BRs and RFC 5280. I understand there is a specific Mozilla policy on Authority Key IDs. NBP already fixed the system functions. There is no such valid certificate and NBP CA currently issues certificates fully complied with the Mozilla policy. You can see the new certificate (CN= test2-certificate.naver.com) was issued without any error at https://crt.sh/?id=2824319278.”
>
> I have no further questions or concerns at this time, however I urge anyone with concerns or questions to raise them by replying to this list under the subject heading above.
>
> Again, this email begins a three-week public discussion period, which I’m scheduling to close on Monday, 2-November-2020.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program
>
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
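A lint-style check for the stateOrProvinceName problem raised in the reply above, complementing the cablint/zlint/x509lint query in the quoted message. This is an added example, not code from this thread, from crt.sh or from any of those linters: it parses an RFC 4514 subject string and flags an ST value that duplicates the locality or carries a Korean city/county suffix. The suffix list, the metropolitan-city list and the two subject strings are assumptions/constructed values.

```python
# Lint-style check for subject stateOrProvinceName (ST) values naming a city
# instead of a province. Added example, not from this thread or any linter;
# the Korean place-name heuristics are assumptions.

# Province-level units that are themselves cities (special/metropolitan),
# so "-si" on them is legitimate in ST. Assumed list.
KR_PROVINCE_LEVEL_CITIES = {
    "seoul", "busan", "daegu", "incheon", "gwangju", "daejeon", "ulsan", "sejong",
}
# Suffixes of sub-provincial units: city (-si), county (-gun), district (-gu).
KR_CITY_SUFFIXES = ("-si", "-gun", "-gu")

def parse_dn(dn):
    """RFC 4514 string ('C=KR,ST=Gyeonggi-do,L=Seongnam-si,...') -> dict of
    upper-cased type -> value; handles backslash escapes, first value wins."""
    attrs, buf, key, escaped = {}, [], None, False
    for ch in dn + ",":  # trailing comma flushes the last RDN
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key, buf = "".join(buf).strip().upper(), []
        elif ch == ",":
            if key is not None:
                attrs.setdefault(key, "".join(buf).strip())
            buf, key = [], None
        else:
            buf.append(ch)
    return attrs

def lint_subject(dn):
    """Return [(code, message), ...]; empty when ST looks like a province."""
    a = parse_dn(dn)
    st, loc, country = a.get("ST"), a.get("L"), a.get("C")
    findings = []
    if st is None:
        return findings
    if loc and st.casefold() == loc.casefold():
        findings.append(("st_equals_l", f"ST {st!r} duplicates L; ST should be the province"))
    if country == "KR":
        norm = st.casefold()
        if norm.endswith(KR_CITY_SUFFIXES) and norm.rsplit("-", 1)[0] not in KR_PROVINCE_LEVEL_CITIES:
            findings.append(("st_is_city", f"ST {st!r} is a city/county, not a province"))
    return findings

# Constructed subjects: the reply's case (city in ST) and its corrected form.
BAD_SUBJECT = "C=KR,ST=Seongnam-si,L=Seongnam-si,O=NAVER Business Platform Corp.,CN=www.example.test"
GOOD_SUBJECT = "C=KR,ST=Gyeonggi-do,L=Seongnam-si,O=NAVER Business Platform Corp.,CN=www.example.test"
```

Running `lint_subject(BAD_SUBJECT)` yields two findings and `lint_subject(GOOD_SUBJECT)` yields none; the check deliberately ignores subjects without an ST attribute.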