FNMT provided the following clarification regarding its audits:

*Audits:* Annual audits are performed by AENOR Internacional. The most recent audit was completed by AENOR, for the period ending January 12, 2020, according to ETSI EN 319 411-1 audit criteria (OVCP: Organizational Validation Certificate Policy).
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v2.pdf

It is mentioned that the audit was performed according to ETSI EN 319 411-1, but the link is the one for our audit ETSI 319 411-2 for QCP-w; EVCP: Policy for EU qualified website certificate issued to a legal person and linking the website to that person.

Our root is being audited according to both ETSI EN 319 411-2 and ETSI 319 411-1 since we have 2 dedicated subordinate CAs: AC Servidores Tipo 1 - for EVCP and AC Servidores Tipo 2 - for OVCP
https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%202%20ETSI%20319%20411-1%20PSC-2019-003%20-%20FNMT-v2.pdf

On Tue, Nov 17, 2020 at 5:06 PM Ben Wilson <bwil...@mozilla.com> wrote:

> All,
>
> This is to announce the beginning of the public discussion phase of the
> Mozilla root CA inclusion process for Fábrica Nacional de Moneda y Timbre
> (FNMT)’s request to include the AC RAIZ FNMT-RCM SERVIDORES SEGUROS in the
> root store. See
> https://wiki.mozilla.org/CA/Application_Process#Process_Overview, (Steps
> 4 through 9).
>
> Mozilla is considering approving FNMT’s request to add the root as a trust
> anchor with the websites trust bit and EV enabled as documented in Bugzilla
> bug
> #1559342 <https://bugzilla.mozilla.org/show_bug.cgi?id=1559342>.
>
> This email begins the 3-week comment period, after which, if no concerns
> are raised, we will close the discussion and the request may proceed to the
> approval phase (Step 10).
>
> *A Summary of Information Gathered and Verified appears here in the CCADB:*
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000418
>
> *AC RAIZ FNMT-RCM SERVIDORES SEGUROS* is valid from 12/20/2018 to
> 12/20/2043
>
> SHA2 Certificate Hash:
> 554153B13D2CF9DDB753BFBE1A4E0AE08D0AA4187058FE60A2B862B2E4B87BCB
>
> https://crt.sh/?id=1490711558
>
> *Root Certificate Download:*
>
> https://www.sede.fnmt.gob.es/documents/10445900/10526749/AC_Raiz_FNMT-RCM-SS.cer
>
> *CP/CPS:*
>
> https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
>
> Current CPS is version 1.5, published 1-October-2020.
>
> Repository location:
> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
>
> *2020 BR Self Assessment* (pdf) is located here:
>
> https://bugzilla.mozilla.org/attachment.cgi?id=9179612
>
> *Audits:* Annual audits are performed by AENOR Internacional. The most
> recent audit was completed by AENOR, for the period ending January 12,
> 2020, according to ETSI EN 319 411-1 audit criteria (OVCP: Organizational
> Validation Certificate Policy).
> https://www.aenor.com/Certificacion_Documentos/eiDas/2020%20AENOR%20Anexo%201%20ETSI%20319%20411-2%20PSC-2019-003%20-%20FNMT-v2.pdf
> The audit found “All the minor non-conformities have been scheduled to
> be addressed in the corrective action plan of the Trust Service Provider.
> No critical non-conformities were identified.” Remediation of the minor
> conformities was discussed in Bug # 1626805
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1626805>.
>
> *Incident Reports / Mis-Issuances*
>
> *The following bugs/incidents (closed) have been reported.*
>
> Bug 1495507 <https://bugzilla.mozilla.org/show_bug.cgi?id=1495507> (filed
> 10/1/2018) OU field exceeding 64 characters
>
> Bug 1544586 <https://bugzilla.mozilla.org/show_bug.cgi?id=1544586> (filed
> 4/15/2019) 2019 audit findings
>
> Bug 1596949 <https://bugzilla.mozilla.org/show_bug.cgi?id=1596949> (filed
> 11/15/2019) CP/CPS lack CAA processing details
>
> Bug 1626805 <https://bugzilla.mozilla.org/show_bug.cgi?id=1626805> (filed
> 4/1/2020) 2020 audit findings
>
> No misissuances were found under this root, and certificates issued under
> it have passed testing.
>
> Revocation checking at
> https://certificate.revocationcheck.com/testactivetipo1.cert.fnmt.es
> appears to work fine, except there are a few error messages -- "one of the
> certificates in the chain could not be checked", "Valid signature but
> response includes an unnecessary certificate chain" and "Certificate status
> is 'Revoked' expecting 'Unknown'". Hopefully, these errors can be
> explained or remedied. Otherwise, I have no further questions or concerns
> at this time.
>
> I urge anyone with any additional concerns or questions to raise them on
> this list by replying under the subject heading above.
>
> Pursuant to Step 5 - "A representative of the CA responds to questions and
> concerns posted during the public discussion of the CA's request."
>
> Again, this email begins a three-week public discussion period, which I’m
> scheduling to close on or about 9-December-2020.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program
>

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy