El viernes, 4 de diciembre de 2020 a las 18:20:41 UTC+1, Matthias van de Meent 
escribió:
> Thanks for the pointer, Ben. 
> 
> I didn't realise that the links in section 'Particulares AC Raíz 
> FNMT-RCM Servidores Seguros' of their main repository [1] were links 
> to repositories that would include the applicable CPS... As those 
> sections seemed to be for ICAs of the root, I didn't consider them as 
> a source for the CPS of their parent CA. Together with that the CPS 
> pointers in the certificate profile point to the main repository and 
> that the QcPDS links in the certificate profiles don't seem to point 
> to anything, I got lost... 
> 
> So, sorry for the noise, I was very confused by the structure of the 
> repository. 
> 
> Now that I know where to look, I'll probably check the contents more 
> thoroughly sometime in the following weekend, at first glance they 
> already looked much better. 
> 
> -Matthias 
> 
> [1] 
> https://www.sede.fnmt.gob.es/en/normativa/declaracion-de-practicas-de-certificacion
> On Wed, 2 Dec 2020, 23:44 Ben Wilson, <bwi...@mozilla.com> wrote: 
> > 
> > Matthias, 
> > Have you been able to obtain the CPS downloadable from here: 
> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 or here: 
> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 ? (They 
> > both lead to the same CPS v. 1.6 document.) 
> > Ben 
> > 
> > On Wed, Dec 2, 2020 at 7:15 AM Matthias van de Meent via 
> > dev-security-policy <dev-secur...@lists.mozilla.org> wrote: 
> >> 
> >> On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy < 
> >> dev-secur...@lists.mozilla.org> wrote: 
> >> > 
> >> > El jueves, 19 de noviembre de 2020 a las 0:47:03 UTC+1, Matthias van de 
> >> Meent escribió:
> >> > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, 
> >> > > <dev-secur...@lists.mozilla.org> wrote: 
> >> > > > 
> >> > > > [...] 
> >> > > > 
> >> > > > *CP/CPS:* 
> >> > > > 
> >> > > > 
> >> https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
> >>  
> >> > > > 
> >> > > > Current CPS is version 1.5, published 1-October-2020. 
> >> > > > 
> >> > > > Repository location: 
> >> > > > 
> >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >>  
> >> > > > 
> >> > > I'm having trouble finding the end entity certificate profiles in this 
> >> > > CPS. According to the CPS s7.1.2, they are supposed to be available at 
> >> > > http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository 
> >> > > [0] of which the only english-language document [1] does not contain 
> >> > > any end entity certificate profiles, but only the root and ICA 
> >> > > profiles in attachments. Similarly, I cannot find the CPS you linked 
> >> > > in their repository. 
> >> > >
> >> > All the relevant documentation (CPS, PDS, Terms and conditions, 
> >> certificate profiles, and old versions of CPSs) of each CA is published in 
> >> its corresponding channel in the website, all of them accessible from: 
> >> > 
> >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
> >>  
> >> 
> >> I'm sorry, but I'm having trouble finding a link to the latest version of 
> >> the CPS of the to-be-included root in that repository. If you add this 
> >> CPS, 
> >> it would be useful to take Mozilla Root Store Policy section 3.3 (6) into 
> >> account ("CAs must provide a way to clearly determine which CP and CPS 
> >> applies to each of its root and intermediate certificates"). 
> >> 
> >> > For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each 
> >> intermediate CA): 
> >> > AC SERVIDORES SEGUROS TIPO 1: 
> >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 
> >> > and 
> >> > AC SERVIDORES SEGUROS TIPO 2: 
> >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 
> >> > 
> >> > In regards the certificate profiles, we have included in CPS v1.6 
> >> > section 
> >> 7.1.2. direct links to the published documents of profiles. 
> >> > 
> >> > The document describing the profiles of the Website authentication 
> >> certificates, including all extensions, are published at 
> >> > AC SERVIDORES SEGUROS TIPO 1: 
> >> > 
> >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf
> >>  
> >> > AC SERVIDORES SEGUROS TIPO 2: 
> >> > 
> >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf
> >>  
> >> > 
> >> 
> >> Thank you for the links, I probably overlooked them before. 
> >>
> >> > > I noticed that the CPS defers a great amount of sections (section 5, 
> >> > > 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which 
> >> > > probably is [1] but that is never explicitly confirmed in the CPS - 
> >> > > there is no explicit link to any repository in section 1.6.1 where the 
> >> > > acronym is defined, nor are there any other indications that this DGPC 
> >> > > is located in the repository under the link of [0]. This is confusing, 
> >> > > and detrimental to the readability of the document. 
> >> > >
> >> > CPS new version (v1.6) integrates all the sections that were referred to 
> >> in the DGPC (v5.8) and which applied in general to all our CAs. From 
> >> version 1.6 our CPS collects in a single document all the information and 
> >> BRs compliance commitments for our AC RAIZ FNMT-RCM SERVIDORES SEGUROS 
> >> > [...] 
> >> > I hope that we have been able to resolve all the issues raised with this 
> >> new version of the CPS (1.6) and have gained in transparency. 
> >> > Thanks 
> >> > Santiago. 
> >> 
> >> Thanks for the update, it sounds promising. I'll check it again once I can 
> >> find the CPS in the repository. 
> >> 
> >> Regards, 
> >> 
> >> Matthias 
> >> _______________________________________________ 
> >> dev-security-policy mailing list 
> >> dev-secur...@lists.mozilla.org 
> >> https://lists.mozilla.org/listinfo/dev-security-policy
Thanks Matthias. We will work with the web content management team to evaluate 
possible improvements in the distribution of our CPSs site.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to