The 3-week public discussion was to close on Monday, but I'd like Naver to
provide any further final comments and give anyone else an opportunity to
comment through this Thursday, and then I will proceed with Steps 6-10
(summarize matters, note any remaining items, and make a last call for
objections).

On Fri, Oct 23, 2020 at 10:04 AM Sooyoung Eo via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Saturday, October 10, 2020 at 7:31:12 AM UTC+9, George wrote:
> > Minor but it seems like all certificates with a stateOrProvinceName
> > field are misissued. The ST field should probably be "Gyeonggi-do", as
> > the "Seongnam-si" entered is a city.
> >
> > ------- Original Message -------
> > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy <
> > dev-secur...@lists.mozilla.org> wrote:
> >
> > > Dear All,
> > >
> > > This is to announce the beginning of the public discussion phase of the
> > > Mozilla root CA inclusion process,
> > > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4
> > > through 9). Mozilla is considering approval of NAVER Business Platform
> > > Corp.’s request to include the NAVER Global Root Certification Authority as
> > > a trust anchor with the websites trust bit enabled, as documented in the
> > > following Bugzilla case:
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby initiate a
> > > 3-week comment period, after which, if no concerns are raised, we will close
> > > the discussion and the request may proceed to the approval phase (Step 10).
> > >
> > > A Summary of Information Gathered and Verified appears here in the CCADB:
> > >
> > > https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261
> > >
> > > *NAVER Global Root Certification Authority,* valid from 8/18/2017 to
> > > 8/18/2037
> > >
> > > SHA2: 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265
> > >
> > > https://crt.sh/?id=1321953839
> > >
> > > Root Certificate Download:
> > >
> > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt
> > >
> > > CP/CPS:
> > >
> > > Comments 29 (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29)
> > > through 42 in Bugzilla contain discussion concerning the CPS and revisions
> > > thereto.
> > >
> > > Current CPS is version 1.4.3:
> > >
> > > https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP Certification Practice Statement v1.4.3.pdf
> > >
> > > Repository location: https://certificate.naver.com/bbs/initCrtfcJob.do
> > >
> > > BR Self Assessment (Excel file) is located here:
> > >
> > > https://bugzilla.mozilla.org/attachment.cgi?id=9063955
> > >
> > > Audits: Annual audits are performed by Deloitte according to the WebTrust
> > > Standard and WebTrust Baseline Requirements audit criteria. See
> > > webtrust.org. The last complete audit period for NAVER was from 1 December
> > > 2018 to 30 November 2019 and no issues were found. However, the audit
> > > report was dated 28 April 2020, which was more than three months following
> > > the end of the audit period. The explanation for the delay in obtaining the
> > > audit report was as follows, “NBP had received a notification mail on
> > > updating the audit information from CCADB support in March since the Root
> > > certificate is only included into Microsoft Root Program. According to
> > > instructions on the email, I explained that NBP would submit the audit
> > > update information in April to Microsoft.” The current audit period ends
> > > 30 November 2020.
> > >
> > > *Mis-Issuances*
> > >
> > > According to crt.sh and censys.io, the issuing CA under this root (NAVER
> > > Secure Certification Authority 1) has issued approximately 80 certificates.
> > > I ran the following query for the issuing CA to identify any mis-issuances:
> > >
> > > https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18,
> > >
> > > and during the course of our review, we identified six test certificates
> > > with errors. (Such certificates have either been revoked or have expired.)
> > > See:
> > >
> > > https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint
> > >
> > > https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint
> > >
> > > The explanation provided
> > > (https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was “Regarding
> > > CA/B Forum and X.509 lint tests NBP figured out two(2) certificates which
> > > were not complied with BRs right after issuing them. The domains on SANs of
> > > the certificates were owned and controlled by NBP. They were immediately
> > > revoked according to CA procedures. For ZLint tests, the certificate (CN=
> > > test2-certificate.naver.com) had been issued and became expired in
> > > compliance with CA Browser Forum BRs and RFC 5280. I understand there is a
> > > specific Mozilla policy on Authority Key IDs. NBP already fixed the system
> > > functions. There is no such valid certificate and NBP CA currently issues
> > > certificates fully complied with the Mozilla policy. You can see the new
> > > certificate (CN= test2-certificate.naver.com) was issued without any error
> > > at https://crt.sh/?id=2824319278.”
> > >
> > > I have no further questions or concerns at this time; however, I urge anyone
> > > with concerns or questions to raise them by replying to this list under the
> > > subject heading above.
> > >
> > > Again, this email begins a three-week public discussion period, which I’m
> > > scheduling to close on Monday, 2-November-2020.
> > >
> > > Sincerely yours,
> > >
> > > Ben Wilson
> > >
> > > Mozilla Root Program
> > >
> > > dev-security-policy mailing list
> > > dev-security-policy@lists.mozilla.org
> > > https://lists.mozilla.org/listinfo/dev-security-policy
>
> Hello, I am Sooyoung at NAVER Business Platform.
>
> As George mentioned, all the certificates with both city and province
> names in the stateOrProvinceName field were issued to NAVER Business
> Platform (NBP) for test domains. The addresses were verified correctly
> when issuing them. NBP has reflected George’s comment and fixed the DN
> structure. You can directly check the issued certificate including the
> new DN (L is "Seongnam-si" as the city name and the S field is
> "Gyeonggi-do" as the province name) as below.
> https://crt.sh/?id=3510606493
>
> NBP has also added an additional verification process, in compliance
> with ISO 3166-2, to put the province information correctly in the S
> field of the user DN for newly issued certificates.
>
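The DN correction NBP describes above (city in L, ISO 3166-2 province in ST) can be enforced as a pre-issuance lint over the subject DN string. This is an added example, not code from NBP, Mozilla or the crt.sh linters; the ISO 3166-2 table it carries is a constructed Korea-only subset of romanised names, and the DNs it is exercised with are constructed.

```python
"""Subject-DN geography lint, added as an example for the DN fix discussed in this
thread (not NBP's, Mozilla's or crt.sh's code). It flags the defect George reported:
a city name entered in stateOrProvinceName (ST) instead of localityName (L).
The ISO 3166-2 data below is a constructed, Korea-only subset of romanised names."""
import re

# Constructed subset of ISO 3166-2:KR subdivision names; a real deployment would
# load the full standard (all countries) from an authoritative source.
ISO_3166_2 = {
    "KR": {
        "Seoul", "Busan", "Daegu", "Incheon", "Gwangju", "Daejeon", "Ulsan", "Sejong",
        "Gyeonggi-do", "Gangwon-do", "Chungcheongbuk-do", "Chungcheongnam-do",
        "Jeollabuk-do", "Jeollanam-do", "Gyeongsangbuk-do", "Gyeongsangnam-do", "Jeju-do",
    },
}

# Map long attribute names and the Windows-style "S" alias onto RFC 4519 short names.
FIELD_ALIASES = {"S": "ST", "STATEORPROVINCENAME": "ST", "LOCALITYNAME": "L",
                 "COUNTRYNAME": "C", "ORGANIZATIONNAME": "O", "COMMONNAME": "CN"}


def parse_dn(dn):
    """Split an RFC 4514 string into (attribute, value) pairs.

    Commas escaped as '\\,' stay inside the value, so a mistyped
    'ST=Seongnam-si\\, Gyeonggi-do' is seen as one ST value, not two RDNs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.partition("=")
        attr = attr.strip().upper()
        pairs.append((FIELD_ALIASES.get(attr, attr), value.strip().replace("\\,", ",")))
    return pairs


def lint_subject(dn):
    """Return a list of findings (empty when the geography fields look consistent)."""
    fields = dict(parse_dn(dn))
    st, country = fields.get("ST"), fields.get("C")
    if st is None:
        return []                     # nothing to check without an ST value
    if country is None:
        return ["ST present but C missing; cannot check ST against ISO 3166-2"]
    subdivisions = ISO_3166_2.get(country)
    if subdivisions is None:
        return [f"no ISO 3166-2 table loaded for C={country}; ST unverified"]
    if st.casefold() not in {name.casefold() for name in subdivisions}:
        return [f"ST={st!r} is not an ISO 3166-2 subdivision of C={country}; "
                "a city belongs in L and the province in ST"]
    return []
```

Run against the corrected DN form ("C=KR, ST=Gyeonggi-do, L=Seongnam-si, ...") it returns no findings, while an ST holding a city name, or a city and province joined with an escaped comma, is reported.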