El viernes, 4 de diciembre de 2020 a las 18:20:41 UTC+1, Matthias van de Meent escribió: > Thanks for the pointer, Ben. > > I didn't realise that the links in section 'Particulares AC Raíz > FNMT-RCM Servidores Seguros' of their main repository [1] were links > to repositories that would include the applicable CPS... As those > sections seemed to be for ICAs of the root, I didn't consider them as > a source for the CPS of their parent CA. Together with that the CPS > pointers in the certificate profile point to the main repository and > that the QcPDS links in the certificate profiles don't seem to point > to anything, I got lost... > > So, sorry for the noise, I was very confused by the structure of the > repository. > > Now that I know where to look, I'll probably check the contents more > thoroughly sometime in the following weekend, at first glance they > already looked much better. > > -Matthias > > [1] > https://www.sede.fnmt.gob.es/en/normativa/declaracion-de-practicas-de-certificacion > On Wed, 2 Dec 2020, 23:44 Ben Wilson, <bwi...@mozilla.com> wrote: > > > > Matthias, > > Have you been able to obtain the CPS downloadable from here: > > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 or here: > > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 ? (They > > both lead to the same CPS v. 1.6 document.) > > Ben > > > > On Wed, Dec 2, 2020 at 7:15 AM Matthias van de Meent via > > dev-security-policy <dev-secur...@lists.mozilla.org> wrote: > >> > >> On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy < > >> dev-secur...@lists.mozilla.org> wrote: > >> > > >> > El jueves, 19 de noviembre de 2020 a las 0:47:03 UTC+1, Matthias van de > >> Meent escribió: > >> > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy, > >> > > <dev-secur...@lists.mozilla.org> wrote: > >> > > > > >> > > > [...] > >> > > > > >> > > > *CP/CPS:* > >> > > > > >> > > > > >> https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf > >> > >> > > > > >> > > > Current CPS is version 1.5, published 1-October-2020. > >> > > > > >> > > > Repository location: > >> > > > > >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion > >> > >> > > > > >> > > I'm having trouble finding the end entity certificate profiles in this > >> > > CPS. According to the CPS s7.1.2, they are supposed to be available at > >> > > http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository > >> > > [0] of which the only english-language document [1] does not contain > >> > > any end entity certificate profiles, but only the root and ICA > >> > > profiles in attachments. Similarly, I cannot find the CPS you linked > >> > > in their repository. > >> > > > >> > All the relevant documentation (CPS, PDS, Terms and conditions, > >> certificate profiles, and old versions of CPSs) of each CA is published in > >> its corresponding channel in the website, all of them accessible from: > >> > > >> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion > >> > >> > >> I'm sorry, but I'm having trouble finding a link to the latest version of > >> the CPS of the to-be-included root in that repository. If you add this > >> CPS, > >> it would be useful to take Mozilla Root Store Policy section 3.3 (6) into > >> account ("CAs must provide a way to clearly determine which CP and CPS > >> applies to each of its root and intermediate certificates"). > >> > >> > For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one for each > >> intermediate CA): > >> > AC SERVIDORES SEGUROS TIPO 1: > >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 > >> > and > >> > AC SERVIDORES SEGUROS TIPO 2: > >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2 > >> > > >> > In regards the certificate profiles, we have included in CPS v1.6 > >> > section > >> 7.1.2. direct links to the published documents of profiles. > >> > > >> > The document describing the profiles of the Website authentication > >> certificates, including all extensions, are published at > >> > AC SERVIDORES SEGUROS TIPO 1: > >> > > >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf > >> > >> > AC SERVIDORES SEGUROS TIPO 2: > >> > > >> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf > >> > >> > > >> > >> Thank you for the links, I probably overlooked them before. > >> > >> > > I noticed that the CPS defers a great amount of sections (section 5, > >> > > 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which > >> > > probably is [1] but that is never explicitly confirmed in the CPS - > >> > > there is no explicit link to any repository in section 1.6.1 where the > >> > > acronym is defined, nor are there any other indications that this DGPC > >> > > is located in the repository under the link of [0]. This is confusing, > >> > > and detrimental to the readability of the document. > >> > > > >> > CPS new version (v1.6) integrates all the sections that were referred to > >> in the DGPC (v5.8) and which applied in general to all our CAs. From > >> version 1.6 our CPS collects in a single document all the information and > >> BRs compliance commitments for our AC RAIZ FNMT-RCM SERVIDORES SEGUROS > >> > [...] > >> > I hope that we have been able to resolve all the issues raised with this > >> new version of the CPS (1.6) and have gained in transparency. > >> > Thanks > >> > Santiago. > >> > >> Thanks for the update, it sounds promising. I'll check it again once I can > >> find the CPS in the repository. > >> > >> Regards, > >> > >> Matthias > >> _______________________________________________ > >> dev-security-policy mailing list > >> dev-secur...@lists.mozilla.org > >> https://lists.mozilla.org/listinfo/dev-security-policy Thanks Matthias. We will work with the web content management team to evaluate possible improvements in the distribution of our CPSs site. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: FNMT: Public Discussion of Root Inclusion Request
Santiago Brox via dev-security-policy Fri, 04 Dec 2020 11:41:00 -0800
- FNMT: Public Discussion of R... Ben Wilson via dev-security-policy
- Re: FNMT: Public Discus... Ben Wilson via dev-security-policy
- Re: FNMT: Public Discus... Matthias van de Meent via dev-security-policy
- Re: FNMT: Public Discus... Santiago Brox via dev-security-policy
- Re: FNMT: Public Discus... Santiago Brox via dev-security-policy
- Re: FNMT: Public Di... Matthias van de Meent via dev-security-policy
- Re: FNMT: Publi... Ben Wilson via dev-security-policy
- Re: FNMT: P... Matthias van de Meent via dev-security-policy
- Re: FNMT: P... Santiago Brox via dev-security-policy