All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for Fábrica Nacional de Moneda y Timbre (FNMT)’s request to include the AC RAIZ FNMT-RCM SERVIDORES SEGUROS in the root store. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps 4 through 9).

Mozilla is considering approving FNMT’s request to add the root as a trust anchor with the websites trust bit and EV enabled as documented in Bugzilla bug #1559342 <https://bugzilla.mozilla.org/show_bug.cgi?id=1559342>.

This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

*A Summary of Information Gathered and Verified appears here in the CCADB:*
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418

*AC RAIZ FNMT-RCM SERVIDORES SEGUROS* is valid from 12/20/2018 to 12/20/2043

SHA2 Certificate Hash: 554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB
https://crt.sh/?id=1490711558

*Root Certificate Download:*
https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_Raiz_FNMT-RCM-SS.cer

*CP/CPS:*
https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
Current CPS is version 1.5, published 1-October-2020.
Repository location: https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion

*2020 BR Self Assessment* (pdf) is located here:
https://bugzilla.mozilla.org/attachment.cgi?id=9179612

*Audits:* Annual audits are performed by AENOR Internacional. The most recent audit was completed by AENOR, for the period ending January 12, 2020, according to ETSI EN 319 411-1 audit criteria (OVCP: Organizational Validation Certificate Policy).
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v2.pdf
The audit found “All the minor non-conformities have been scheduled to be addressed in the corrective action plan of the Trust Service Provider. No critical non-conformities were identified.” Remediation of the minor conformities was discussed in Bug # 1626805 <https://bugzilla.mozilla.org/show_bug.cgi?id=1626805>.

*Incident Reports / Mis-Issuances*

*The following bugs/incidents (closed) have been reported.*

Bug 1495507 <https://bugzilla.mozilla.org/show_bug.cgi?id=1495507> (filed 10/1/2018) OU field exceeding 64 characters
Bug 1544586 <https://bugzilla.mozilla.org/show_bug.cgi?id=1544586> (filed 4/15/2019) 2019 audit findings
Bug 1596949 <https://bugzilla.mozilla.org/show_bug.cgi?id=1596949> (filed 11/15/2019) CP/CPS lack CAA processing details
Bug 1626805 <https://bugzilla.mozilla.org/show_bug.cgi?id=1626805> (filed 4/1/2020) 2020 audit findings

No misissuances were found under this root, and certificates issued under it have passed testing.

Revocation checking at https://certificate.revocationcheck.com/testactivetipo1.cert.fnmt.es appears to work fine, except there are a few error messages -- "one of the certificates in the chain could not be checked", "Valid signature but response includes an unnecessary certificate chain" and "Certificate status is 'Revoked' expecting 'Unknown'". Hopefully, these errors can be explained or remedied. Otherwise, I have no further questions or concerns at this time.

I urge anyone with any additional concerns or questions to raise them on this list by replying under the subject heading above. Pursuant to Step 5 - "A representative of the CA responds to questions and concerns posted during the public discussion of the CA's request."

Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about 9-December-2020.

Sincerely yours,
Ben Wilson
Mozilla Root Program

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy