On November 17, 2020, the public discussion period [Step 4 of the Mozilla
Root Store CA Application Process
<https://wiki.mozilla.org/CA/Application_Process>] began on FNMT’s
inclusion request.

*Summary of Discussion and Completion of Action Items [Steps 5-8]:*

On November 18, 2020, FNMT clarified that it is audited to both ETSI EN 319
411-2 and ETSI 319 411-1.

Also, on that day, a comment was received with the following observations:

(1) certificate profiles could not be located for review - as indicated
subsequently in the thread, FNMT provided links to the certificate profiles
for end entity certificates;

(2) cross-references to a document called the “DGPC” were difficult to
follow - an overall comment was that FNMT’s Certification Practices
Statement (CPS) was confusing with its numerous cross-references to its
DGPC (CPS for its Root CA). FNMT republished its CPS with these
cross-references removed and replaced them with applicable text.  There
were also references to the "DPPP" (FNMT’s CPS), which were replaced by
“CPS”;

(3) there were numerous observations about the CPS (e.g. it lacked a
commitment to communicate back to third parties within 24 hours of
receiving a Certificate Problem Report, etc.) - see
https://groups.google.com/g/mozilla.dev.security.policy/c/T5bYrPznCXQ/m/Rv4ddGh6BQAJ,
and the subsequent response from FNMT, and my similar summary of these
issues in this thread; and

(4) a final suggestion was “[to] have them compare [the CPS] side-by-side
with the BR, and have it at least document their commitment to each of the
baseline requirements explicitly in their CPS”.  FNMT responded, “We have
updated a new BRs Self-Assessment document with CPS v1.6:
https://bug1559342.bmoattachments.org/attachment.cgi?id=9189942”.  I
believe that the BR self-assessment serves this purpose.

This is notice that I am closing public discussion [Step 9] and that it is
Mozilla’s intent to approve FNMT's request for inclusion [Step 10].

This begins a 7-day “last call” period for any final objections.

Thanks,

Ben

On Wed, Dec 9, 2020 at 12:09 PM Ben Wilson <bwil...@mozilla.com> wrote:

> Just a reminder - today, the public discussion period will close and then
> I'll be preparing a summary of the discussion.  In addition to reviewing
> FNMT's response of 27-November, I also reviewed the CPS v. 1.6 and make the
> following observations:
> Matthias van de Meent wrote:
>
> I'm having trouble finding the end entity certificate profiles in this CPS.
> According to the CPS s7.1.2, they are supposed to be available at
> http://www.cert.fnmt.es/dpcs/, but that redirects me to a repository [0]
> of which the only english-language document [1] does not contain any end
> entity certificate profiles, but only the root and ICA profiles in
> attachments. Similarly, I cannot find the CPS you linked in their
> repository.
>
> I was able to review the end entity certificate profiles at
> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf
> and
> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf
>
> I noticed that the CPS defers a great amount of sections (section 5, 6.2,
> 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC, which probably
> is [1] but that is never explicitly confirmed in the CPS - there is no
> explicit link to any repository in section 1.6.1 where the acronym is
> defined, nor are there any other indications that this DGPC is located in
> the repository under the link of [0]. This is confusing, and detrimental
> to the readability of the document.
>
> I noticed that the acronym "DPPP" has been replaced with "CPS" and that
> language from the "DGPC" has been copied into the CPS.
>
> CPS s4.9.2 and s1.5.2 both mention that third parties may send certificate
> problem reports, and select parties may send revocation requests, which
> is great; but I cannot find a commitment to communicating a preliminary
> report within 24 hours to the reporter as stipulated by BR 4.9.5.
>
> CPS section 4.9.5 now states that "Within 24 hours after receiving a CPR,
> the CA will investigate the facts and circumstances related to the CPR and
> provide a preliminary report to both the Subscriber and the entity who
> filed the CPR."
>
> CPS / DGPC s5.2.2 includes by reference an internal policy, which may or
> may not comply with the "at least dual control for CA private key 
> backup/storage/recovery"
> requirement of BR 5.2.2.
>
> CPS section 5.2.2 now states, "The FNMTs Private Key are backed up,
> stored, and recovered only by personnel in trusted roles using, at least,
> dual control in a physically secured environment."
>
> CPS / DGPC s5.3.1 only guarantee the "experience and knowledge", not the
> "trustworthiness and identity" of the operators.
>
> CPS section 5.3.1 now states, "These requirements are guaranteed by the
> corresponding criteria in the personnel selection processes, verifying the
> identity and trustworthiness of such person and that the employee's
> professional profile is as appropriate as possible to the characteristics
> of the tasks to be developed. The trustworthiness and suitability of the
> assigned trusted roles are reviewed periodically."
>
> CPS / DGPC s5.3.3 does not provide information on the specific topics that
> are SHALL-qualified in BR s5.3.3. This same can be said about s5.3.4 and
> s5.3.7.
>
> As noted by FNMT, these sections now reference its Annual Training Plan,
> the periodicity of its revision and the verification of compliance of the
> required experience and knowledge in case of hiring independent contractors
> for trusted duties.
>
> CPS / DGPC s5.4.1 does definately not mention logging rejection/acceptance
> of certificate requests (BR s5.4.1(1)(3)), and probably also doesn't
> cover some other parts, but the language is very opaque (i.e. unclear). ...
> looks further ... those specific events are apparently included in 5.5.1
> Types of Records Archived (?)
>
> Subsections a) and b) in section 5.4.1 now mention "Approval and rejection
> of certificate requests".
>
> CPS / DGPC s5.4.3 does not comply with BR 5.4.3: Audit log retention of
> 15 years is not enough to cover the CA certificate event record log retention
> timespan of 2 years past the latest of 1.) the destruction of the CA
> private key, and 2.) the revocation or expiration of the final CA
> certificate of that private key. Unless of course you expect to revoke
> the root and destroy the CA keys within 13 years after creation.
>
> As noted, BR section 5.4.3 only requires retention for two years after
> expiration. As now worded in the CPS (with 15-year retention), the BRs are
> satisfied.
>
> CPS / DGPC s6.1.1.1 (CA Key Pair Generation) fails to include the procedure
> with which CA keys are generated. More specifically, the current
> implication is that the auditor could not be witness of the CA key
> generation ceremony, nor have seen any evidence other than the report,
> and sign this report. This fails to apply BR 6.1.1.1(1) items 2 and 3,
> and BR 6.1.1.1(2)(2). The procedure included by reference is not
> accessible [3] and may add requirements, but those requirements need not
> meet the baseline of the BR.
>
> CPS Section 6.1.1.1 now specifies, "Following this procedure, the FNMT-RCM
> will prepare and follow a Key Generation Script, have a Qualified Auditor
> witness the CA Key Pair generation process, and have a Qualified Auditor
> issue a report opining that the CA followed its key ceremony during its Key
> and Certificate generation process and the controls used to ensure the
> integrity and confidentiality of the Key Pair."
>
> CPS s6.2 points to a section s6.2 in the DGPC, which is blank. Therefore,
> I'm missing the documentation on that the CA is committed to securing the
> CA private key material in a BR-compliant manner.
>
> Section 6.2 now states, "FNMT-RCM shall protect its Private Key(s) in
> accordance with the provisions of this CPS and in a compliance with
> CA/Browser Forum's Baseline Requirements"
>
> CPS / DGPC s6.2.4 does not apply the requirements of BR 6.2 nor 5.2.2 to
> their private key backup procedure.
>
> Section 6.2.4 of the CPS now states, "Backup copies of CA Private Keys
> shall be backed up by multiple persons in Trusted Role position sand only
> be stored in encrypted form on cryptographic modules that meet the
> requirements specified in Section 6.2.1."
>
> CPS delegates s6.2.5 fully to the DGPC, but that s6.2.5 requires the CPS
> to at least specify a maximum number of copies of the private key, which
> is not specified.
>
> Section 6.2.5 now states, "Only the FNMT-RCM may make a backup of the
> Private keys, guaranteeing that the security level of the copied data is at
> least equal to that of the original data and that the number of data
> duplicated does not exceed the minimum necessary to assure service
> continuity. The Signature creation data are not duplicated for any other
> purpose."
>
> CPS / DGPC s6.2.6 has the interesting construction "Consequently, the Keys
> cannot be transferred, although there is a recovery procedure", which
> implies a procedure to extract and transfer keys exists.
>
> CPS Section 6.2.6 now states, "The Certification Authorities’ Private keys
> are generated as described in point “6.1 Key generation and installation”.
> In the event that a Private Key is to be transported from one Cryptographic
> Module to another, the Private Key must be encrypted during transport.
> Private Keys must never exist in plain text form outside the Cryptographic
> Module boundary."
>
> CPS / DGPC s6.2.7 fails to commit FNMT to using devices meeting FIPS 140
> level 3 or higher (as that is apparently located in DGPC 6.2.1 and 6.2.8
> (?))
>
> Section 6.2.7 now states, "Root CA private keys of the FNMT-RCM are
> generated and stored inside cryptographic modules which meet the
> requirements of 6.2.1 of this CPS"
>
> CPS / DGPC does not mention "factor" or "2fa" according to my search, even
> though BR 6.5.2 specifies 'The CA SHALL enforce multi-factor authentication
> for all accounts capable of directly causing certificate issuance.".
>
> Section 6.5.1 now states, "The FNMT-RCM shall enforce multi-factor
> authentication for all accounts capable of directly causing certificate
> issuance."
>
> ... skipped over similar issues in 7: failure to document a commitment to
> the relevant sections of the BR ... skipped over similar issues in 8:
> failure to document a commitment to the relevant sections of the BR
>
> FNMT indicated "Sections 7 and 8 have been reviewed and more detailed
> information has been included in CPS v.1.6 sections 7.1.2, 8, 8.1, and 8.5.
> "
>
>
>
> On Fri, Dec 4, 2020 at 12:40 PM Santiago Brox via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> El viernes, 4 de diciembre de 2020 a las 18:20:41 UTC+1, Matthias van de
>> Meent escribió:
>> > Thanks for the pointer, Ben.
>> >
>> > I didn't realise that the links in section 'Particulares AC Raíz
>> > FNMT-RCM Servidores Seguros' of their main repository [1] were links
>> > to repositories that would include the applicable CPS... As those
>> > sections seemed to be for ICAs of the root, I didn't consider them as
>> > a source for the CPS of their parent CA. Together with that the CPS
>> > pointers in the certificate profile point to the main repository and
>> > that the QcPDS links in the certificate profiles don't seem to point
>> > to anything, I got lost...
>> >
>> > So, sorry for the noise, I was very confused by the structure of the
>> repository.
>> >
>> > Now that I know where to look, I'll probably check the contents more
>> > thoroughly sometime in the following weekend, at first glance they
>> > already looked much better.
>> >
>> > -Matthias
>> >
>> > [1]
>> https://www.sede.fnmt.gob.es/en/normativa/declaracion-de-practicas-de-certificacion
>> > On Wed, 2 Dec 2020, 23:44 Ben Wilson, <bwi...@mozilla.com> wrote:
>> > >
>> > > Matthias,
>> > > Have you been able to obtain the CPS downloadable from here:
>> > > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1 or
>> here: https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2
>> ? (They both lead to the same CPS v. 1.6 document.)
>> > > Ben
>> > >
>> > > On Wed, Dec 2, 2020 at 7:15 AM Matthias van de Meent via
>> dev-security-policy <dev-secur...@lists.mozilla.org> wrote:
>> > >>
>> > >> On Fri, 27 Nov 2020 at 11:19, Santiago Brox via dev-security-policy
>> <
>> > >> dev-secur...@lists.mozilla.org> wrote:
>> > >> >
>> > >> > El jueves, 19 de noviembre de 2020 a las 0:47:03 UTC+1, Matthias
>> van de
>> > >> Meent escribió:
>> > >> > > On Wed, 18 Nov 2020, 01:06 Ben Wilson via dev-security-policy,
>> > >> > > <dev-secur...@lists.mozilla.org> wrote:
>> > >> > > >
>> > >> > > > [...]
>> > >> > > >
>> > >> > > > *CP/CPS:*
>> > >> > > >
>> > >> > > >
>> > >>
>> https://www.sede.fnmt.gob.es/documents/10445900/10536309/dpc_ss_english.pdf
>> > >> > > >
>> > >> > > > Current CPS is version 1.5, published 1-October-2020.
>> > >> > > >
>> > >> > > > Repository location:
>> > >> > > >
>> > >>
>> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
>> > >> > > >
>> > >> > > I'm having trouble finding the end entity certificate profiles
>> in this
>> > >> > > CPS. According to the CPS s7.1.2, they are supposed to be
>> available at
>> > >> > > http://www.cert.fnmt.es/dpcs/, but that redirects me to a
>> repository
>> > >> > > [0] of which the only english-language document [1] does not
>> contain
>> > >> > > any end entity certificate profiles, but only the root and ICA
>> > >> > > profiles in attachments. Similarly, I cannot find the CPS you
>> linked
>> > >> > > in their repository.
>> > >> > >
>> > >> > All the relevant documentation (CPS, PDS, Terms and conditions,
>> > >> certificate profiles, and old versions of CPSs) of each CA is
>> published in
>> > >> its corresponding channel in the website, all of them accessible
>> from:
>> > >> >
>> > >>
>> https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
>> > >>
>> > >> I'm sorry, but I'm having trouble finding a link to the latest
>> version of
>> > >> the CPS of the to-be-included root in that repository. If you add
>> this CPS,
>> > >> it would be useful to take Mozilla Root Store Policy section 3.3 (6)
>> into
>> > >> account ("CAs must provide a way to clearly determine which CP and
>> CPS
>> > >> applies to each of its root and intermediate certificates").
>> > >>
>> > >> > For AC RAIZ FNMT-RCM SERVIDORES SEGUROS we have 2 channels (one
>> for each
>> > >> intermediate CA):
>> > >> > AC SERVIDORES SEGUROS TIPO 1:
>> > >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-1
>> > >> > and
>> > >> > AC SERVIDORES SEGUROS TIPO 2:
>> > >> > https://www.sede.fnmt.gob.es/en/dpcs/ac-servidores-seguros-tipo-2
>> > >> >
>> > >> > In regards the certificate profiles, we have included in CPS v1.6
>> section
>> > >> 7.1.2. direct links to the published documents of profiles.
>> > >> >
>> > >> > The document describing the profiles of the Website authentication
>> > >> certificates, including all extensions, are published at
>> > >> > AC SERVIDORES SEGUROS TIPO 1:
>> > >> >
>> > >>
>> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo1.pdf
>> > >> > AC SERVIDORES SEGUROS TIPO 2:
>> > >> >
>> > >>
>> https://www.sede.fnmt.gob.es/documents/10445900/10575386/Perfiles_certificados_servidores_seguros_tipo2.pdf
>> > >> >
>> > >>
>> > >> Thank you for the links, I probably overlooked them before.
>> > >>
>> > >> > > I noticed that the CPS defers a great amount of sections
>> (section 5,
>> > >> > > 6.2, 6.4, 8.2 - 8.7 and large parts of section 9) to the DGPC,
>> which
>> > >> > > probably is [1] but that is never explicitly confirmed in the
>> CPS -
>> > >> > > there is no explicit link to any repository in section 1.6.1
>> where the
>> > >> > > acronym is defined, nor are there any other indications that
>> this DGPC
>> > >> > > is located in the repository under the link of [0]. This is
>> confusing,
>> > >> > > and detrimental to the readability of the document.
>> > >> > >
>> > >> > CPS new version (v1.6) integrates all the sections that were
>> referred to
>> > >> in the DGPC (v5.8) and which applied in general to all our CAs. From
>> > >> version 1.6 our CPS collects in a single document all the
>> information and
>> > >> BRs compliance commitments for our AC RAIZ FNMT-RCM SERVIDORES
>> SEGUROS
>> > >> > [...]
>> > >> > I hope that we have been able to resolve all the issues raised
>> with this
>> > >> new version of the CPS (1.6) and have gained in transparency.
>> > >> > Thanks
>> > >> > Santiago.
>> > >>
>> > >> Thanks for the update, it sounds promising. I'll check it again once
>> I can
>> > >> find the CPS in the repository.
>> > >>
>> > >> Regards,
>> > >>
>> > >> Matthias
>> > >> _______________________________________________
>> > >> dev-security-policy mailing list
>> > >> dev-secur...@lists.mozilla.org
>> > >> https://lists.mozilla.org/listinfo/dev-security-policy
>> Thanks Matthias. We will work with the web content management team to
>> evaluate possible improvements in the distribution of our CPSs site.
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to