On April 7, 2021, we began public discussion[1] on the TunTrust root CA inclusion request[2] (Step 4 of the Mozilla Root Store CA Application Process[3]).
*Summary of Discussion and Completion of Action Items [Application Process, Steps 5-8]:* Initially, there was a question whether name constraints would be placed on the TunTrust Root CA for the .tn ccTLD. There was uncertainty on exactly how this would be addressed and concern expressed that government-operated, name-constrained CAs present risk and limited value to Mozilla users, as expressed by comments in this thread: [4]. TunTrust clarified that the “TunTrust Services CA … is restricted to only issue OV SSL certificates to domain names under “.tn” top-level domain and owned by entities operating under the Tunisian Jurisdiction” until June 2023, when there would be no constraints based on the top-level domain name or an entity’s jurisdiction.[5] As to government-operated CAs, Mozilla has allowed them historically. They have unique challenges in dealing with local regulations and requests. Still, we require that such CAs always maintain secure, independent, and compliant operations--including taking timely action to ensure compliance, providing transparency, and engaging in good communication. Another comment expressed concern that TunTrust did not intend to check CAA records when TunTrust or an affiliate was the DNS Operator (as defined in RFC 7719) of the domain's DNS. As a result, TunTrust published version 4.7 of its CPS[6] to remove that statement.
Also, as of July 1, 2021, the Baseline Requirements have removed this exception to CAA checking.[7] Based on other comments about the TunTrust application, Mozilla conducted a separate discussion on “Quantifying the Value of Adding a New CA”[8], and we published a new wiki page, “CA/Quantifying Value” in which we state, “The applicant must present an explanation of the benefits to our users so that the community can identify, measure, value, and understand the benefits of including the root certificate and determine whether it is worth the risk of including it.”[9] TunTrust submitted a value justification[5] and an operating budget[10], which I have reviewed, summarized, and found satisfactory.[11] I do not have any further questions, and I do not believe that there are any remaining action items. This is notice that I am closing public discussion (Application Process, Step 9) and that it is Mozilla’s intent to approve this request for inclusion (Step 10). This begins a 7-day “last call” period for any final objections. 
Thanks,
Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/dTTp4ZfUW34/m/xfK1LQXSBQAJ
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1587779
[3] https://wiki.mozilla.org/CA/Application_Process
[4] https://groups.google.com/g/mozilla.dev.security.policy/c/tr_PDVsZ6-k/m/5CBRufpOZZAJ
[5] https://bugzilla.mozilla.org/attachment.cgi?id=9226817
[6] https://www.tuntrust.tn/sites/default/files/Ressources/CPCPS-TunTrustPKI.pdf
[7] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.7.7-redline.pdf
[8] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/LT_5efOFsSU
[9] https://wiki.mozilla.org/CA/Quantifying_Value
[10] https://bugzilla.mozilla.org/attachment.cgi?id=9228562
[11] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/dTTp4ZfUW34/m/0FN9hAYkAgAJ

On Wed, Aug 11, 2021 at 2:40 PM Ben Wilson <[email protected]> wrote:
> All,
>
> For your review, here is my own, abridged version of TunTrust’s value
> justification.
>
> See https://wiki.mozilla.org/CA/Quantifying_Value and
> https://bugzilla.mozilla.org/attachment.cgi?id=9226817 .
>
> *Ownership and Management Structure*
>
> The beneficial owner of the TunTrust Root CA is the Agence Nationale de
> Certification Electronique (“ANCE”) under the Ministry of Communication
> Technologies of Tunisia <https://www.mtc.gov.tn/> pursuant to Law no.
> 2000-83 of 9 August 2000
> <https://www.tuntrust.tn/sites/default/files/reglementations/loi_2000-83_fr.pdf>.
>
> Tunisian Ministry of Communications Technologies
>         |
> ANCE Board of Directors (TunTrust)
>         |
> ANCE Director-General
>         |                                  |                  |
> Audit and Risk Analysis Department   IMS Department   Technical Department
>         |
> Engineers (conduct continuous monitoring, compliance, risk assessment,
> etc. and report to Board of Directors)
>
> ANCE (TunTrust) implements and maintains an Integrated Management System
> (IMS) that complies with ISO 9001 and ISO 27001. The IMS design is based
> on a Plan-Do-Check-Act (PDCA) approach to ensure continuous improvement of
> compliance and incident management processes to meet security, quality
> and compliance requirements.
>
> *CA Hierarchy Highlights*
>
> · TunTrust Services CA: This issuing CA is restricted to only issue OV SSL
> certificates to domain names under the “.tn” top-level domain and owned
> by entities operating under the Tunisian Jurisdiction.
>
> · TunTrust Qualified CA: This issuing CA is technically constrained to
> prevent issuance of SSL certificates.
>
> · Starting June 2022: Issuing S/MIME certificates in compliance with the
> currently-in-progress CA/B Forum S/MIME Baseline Requirements. S/MIME
> certificates would be used on Tunisian national platforms: e-banking
> services, e-gov services, e-health, etc.
>
> · Starting June 2023: Issuing SSL certificates with no constraints on the
> top-level domain name, nor on the entity's jurisdiction.
>
> *Budgeting*
>
> TunTrust's budget document is uploaded here:
> https://bugzilla.mozilla.org/attachment.cgi?id=9228562
>
> Its annual compliance budget is determined based on:
>
> · The compliance plan derived from the continuous risk assessment;
>
> · Action plans derived from external and internal audit reports;
>
> · Resources identified by each department of TunTrust that are required
> to achieve compliance and to maintain and improve the TunTrust IMS; and
>
> · As new technology becomes available, the possibility of introducing it
> to improve the efficiency and security of the IMS is to be considered.
>
> The annual compliance budget is validated by the board of directors and
> then approved by the Ministry. TunTrust holds monthly follow-up meetings
> to prevent forecast deviation and ensure enough budget allocation in case
> of unforeseen compliance issues. The annual budget can be updated in case
> of urgent compliance issues, and TunTrust indicates that it and its Board
> are willing to allocate the necessary budget in a timely manner to
> quickly address compliance incidents (prevention and/or remediation
> actions).
>
> *CA System*
>
> TunTrust uses PrimeKey EJBCA Enterprise Solution, with a subscription to
> professional support and maintenance to keep its CA updated and compliant
> with audit and policy requirements. Hardware and software are purchased
> with vendor support and maintenance services to have access to the latest
> stable releases and security patches. TunTrust's continuous investment
> plan is to improve its infrastructure through maintenance services and
> procurement strategies to acquire new hardware/software aiming at
> improving the efficiency and security of the IMS. All systems and
> equipment that would be in End-of-Life or End-of-Support states are
> substituted with upgraded versions or newer equipment.
>
> *Personnel*
>
> Key TunTrust personnel appear to have sufficient PKI domain experience
> and system and security training.
>
> Individuals in trusted roles receive regular training on evolving
> technologies and changes to audit frameworks and requirements (WebTrust,
> CA/B Forum, Mozilla Security Policy, ISO 9001 and ISO 27001). TunTrust
> also conducts an annual security awareness program.
>
> Annual risk assessments evaluate the strength of the compliance team in
> terms of numbers and expertise.
>
> *Compliance*
>
> TunTrust uses PDCA/continuous improvement, change management processes,
> and a watch process.
>
> As evidence of its proactive approach to compliance, TunTrust omitted the
> OU field from its OV SSL Certificate Profile in advance of CABF Ballot
> SC47.
>
> With respect to the documented watch procedure, engineers from the Audit
> and Risk Analysis Department are formally designated to regularly report
> to the Board of Directors about any potential compliance issue or newly
> adopted approaches that they might find out about while following:
>
> · Discussions in Mozilla's dev-security-policy forums (the previous and
> the current ones);
>
> · Updates to the Mozilla root store policy (starting from the
> discussions on the draft on GitHub);
>
> · Mozilla Incident Dashboard - CA incidents and misissuance reports;
>
> · Discussions in the Working Groups and Subcommittees of the CA/B Forum -
> subscribed to the mailing lists of the SCWG, the Validation list, the
> Public list, the NetSec list and the Infrastructure list;
>
> · New ballots from the state of “Under Consideration” to the “Review
> Period” of the Guidelines;
>
> · The CT logs group, https://groups.google.com/g/certificate-transparency;
>
> · Chromium CT policy <https://chromium.github.io/ct-policy/ct_policy.html>
> and Certificate Transparency Logs that are recognized by Chromium,
> https://cs.chromium.org/chromium/src/components/certificate_transparency/data/log_list.json;
>
> · Updates to linting tools (zlint, cablint, certlint);
>
> · Updates to Microsoft Root Store Policy Program Requirements and Audit
> Requirements;
>
> · Updates to the WebTrust Principles and Criteria on the website of CPA
> Canada;
>
> · Updates to the ETSI standards on the etsi.org website;
>
> · Updates to the ISO 9000 and 27000 series on the iso.org website.
>
> Engineers from the Technical Department and from the Audit and Risk
> Analysis Department are formally designated to regularly report to the
> Board of Directors about any technical updates and new recommendations in
> the PKI and Information Security industries that may impact its systems.
>
> *Automation*
>
> As part of its continuous infrastructure development strategy, automated
> security and compliance controls are continuously enforced in addition to
> real-time monitoring and alerting systems. TunTrust has implemented
> automation in its systems and equipment, such as:
>
> · Automated monitoring systems that detect configuration changes and
> alert administrators in real time of these changes;
>
> · Automated systems that monitor system and equipment performance (CPU,
> RAM, disk space, etc.) and alert administrators in real time of any
> problems;
>
> · Control over Certificate Attributes to conform to the CA/B Forum
> Baseline Requirements (such as prohibiting the underscore character,
> etc.);
>
> · Automated Patch Management for Windows systems (ongoing automation for
> RedHat systems; refer to incident bug
> <https://bugzilla.mozilla.org/show_bug.cgi?id=1663953>);
>
> · System and network audit logging process, backup and recovery, and IT
> asset inventorying;
>
> · Pre-configured EJBCA Validators: CAA Checking, Black List Checking and
> Weak Key Checking; and
>
> · Lint Checking: TunTrust uses zlint, cablint and certlint as linting
> tools before Certificate Issuance.
>
> *Risk Assessment*
>
> TunTrust’s risk assessment is updated annually (as part of the annual
> compliance program) and before implementing major changes (new platforms,
> major updates to systems, physical and environmental changing factors,
> etc.). It includes strategic and operational risks. The risk assessment
> and risk mitigation plan are reviewed by independent auditors in the
> context of audits performed. TunTrust maintains and regularly (at least
> annually and before major changes) updates its risk assessment using ISO
> 27005 for risk management. Per the ISO 27001 audit, TunTrust is required
> to justify all decisions taken to deal with the identified risks.
>
> *Audits and Assessments*
>
> TunTrust undergoes:
>
> · WebTrust audits since 2019;
>
> · ETSI audits since 2015;
>
> · ISO audits since 2015;
>
> · An annual information security audit as mandated by the Tunisian
> National Law <https://www.ansi.tn/sites/default/files/loi%205-2004%20FR.pdf>.
> This mandatory audit includes a technical audit (vulnerability scan,
> internal and external pentesting, etc.), an organizational audit (in
> accordance with the ISO 27001 standard) and a risk assessment (in
> accordance with the ISO 27005 standard); and
>
> · Internal audits of systems and processes in accordance with compliance
> requirements.
>
> *Summary*
>
> In summary, TunTrust has:
>
> · a regularly reviewed risk assessment that covers operational risks;
>
> · automated monitoring systems that detect changes to configuration files
> and other security events and send real-time alerts;
>
> · security and quality metrics that are controlled through periodic
> self-audits, vulnerability scans and internal and external penetration
> tests; and
>
> · automation and minimized human actions on systems where possible.
>
> Based on my reading of TunTrust's value justification, it appears that we
> should move forward with approving TunTrust's application for CA
> inclusion. I look forward to any additional comments.
>
> Sincerely yours,
>
> Ben
