On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>
> El jueves, 19 de noviembre de 2020 a las 0:47:03 UTC+1, Matthias van de
Meent escribió:
> > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy,
> > <dev-secur...@lists.mozilla.org> wrote:
> > >
> > > [...]
> > >
> > > *CP/CPS:*
> > >
> > >
https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
> > >
> > > Current CPS is version 1.5, published 1-October-2020.
> > >
> > > Repository location:
> > >
https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> > >
> > I'm having trouble finding the end entity certificate profiles in this
> > CPS. According to the CPS s7.1.2, they are supposed to be available at
> > http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository
> > [0] of which the only english-language document [1] does not contain
> > any end entity certificate profiles, but only the root and ICA
> > profiles in attachments. Similarly, I cannot find the CPS you linked
> > in their repository.
> >
> All the relevant documentation (CPS, PDS, Terms and conditions,
certificate profiles, and old versions of CPSs) of each CA is published in
its corresponding channel in the website, all of them accessible from:
>
https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion

I'm sorry, but I'm having trouble finding a link to the latest version of
the CPS of the to-be-included root in that repository. If you add this CPS,
it would be useful to take Mozilla Root Store Policy section 3.3 (6) into
account ("CAs must provide a way to clearly determine which CP and CPS
applies to each of its root and intermediate certificates").

> For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each
intermediate CA):
> AC SERVIDORES SEGUROS TIPO 1:
> https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1
> and
> AC SERVIDORES SEGUROS TIPO 2:
> https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2
>
> In regards the certificate profiles, we have included in CPS v1.6 section
7.1.2. direct links to the published documents of profiles.
>
> The document describing the profiles of the Website authentication
certificates, including all extensions, are published at
> AC SERVIDORES SEGUROS TIPO 1:
>
https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf
> AC SERVIDORES SEGUROS TIPO 2:
>
https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf
>

Thank you for the links, I probably overlooked them before.

> > I noticed that the CPS defers a great amount of sections (section 5,
> > 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which
> > probably is [1] but that is never explicitly confirmed in the CPS -
> > there is no explicit link to any repository in section 1.6.1 where the
> > acronym is defined, nor are there any other indications that this DGPC
> > is located in the repository under the link of [0]. This is confusing,
> > and detrimental to the readability of the document.
> >
> CPS new version (v1.6) integrates all the sections that were referred to
in the DGPC (v5.8) and which applied in general to all our CAs. From
version 1.6 our CPS collects in a single document all the information and
BRs compliance commitments for our AC RAIZ FNMT-RCM SERVIDORES SEGUROS
> [...]
> I hope that we have been able to resolve all the issues raised with this
new version of the CPS (1.6) and have gained in transparency.
> Thanks
> Santiago.

Thanks for the update, it sounds promising. I'll check it again once I can
find the CPS in the repository.

Regards,

Matthias
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to