This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process ( https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Firmaprofesional’s request to replace its SHA1 root CA certificate with a SHA256 version of the Autoridad de Certificacion Firmaprofesional CIF A62634068 (https://crt.sh/?caid=430).
Mozilla is considering approving Firmaprofesional's request to add the root as a trust anchor with the websites and email trust bits and EV enabled, as documented in Bugzilla bug #1102143 <https://bugzilla.mozilla.org/show_bug.cgi?id=1102143>. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

*A Summary of Information Gathered and Verified appears here in the CCADB:*
https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000053

This CA certificate for Autoridad de Certificacion Firmaprofesional CIF A62634068 is valid from 9/23/2014 to 5/5/2036. (The previous CA certificate is valid from 5/20/2009 to 12/31/2030.)

*SHA2 Certificate Hash:*
57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A
https://crt.sh/?id=12977067

This new CA certificate is signed using sha256WithRSAEncryption, whereas the previous CA certificate was signed using sha1.

*Root Certificate Download:*
http://crl.firmaprofesional.com/caroot256.crt

*CP/CPS:*
Effective June 28, 2021, the current CPS for Firmaprofesional is version 210628:
https://www.firmaprofesional.com/wp-content/uploads/pdfs/FP_CPS-210628-EN-sFP.pdf
Repository location: https://www.firmaprofesional.com/certification-policies-and-practices/

*Test Websites:*
Valid - https://www.firmaprofesional.com
Valid EV - https://testsslev2021.firmaprofesional.com
Revoked - https://testrevokedsslev.firmaprofesional.com
Expired - https://testexpiredsslev.firmaprofesional.com

*BR Self Assessment* is located here:
https://www.firmaprofesional.com/wp-content/uploads/pdfs/Firmaprofesional_BR_Self_Assessment-210519-EN.pdf

*Audits:*
Annual audits are performed by AENOR. The most recent audits were completed for the period ending March 27, 2021, according to ETSI audit criteria.
https://www.aenor.com/Certificacion_Documentos/eiDas/2021%20AENOR%20Anexo%20ETSI%20319%20411-1-2%20PSC-FIRMAPROFESIONAL.pdf

There were three findings in the audit report plus a list of six Bugzilla bugs for incidents open during the 2020-2021 audit period. They were as follows:

*Link to Bugzilla Bug* - *Matter description*
https://bugzilla.mozilla.org/show_bug.cgi?id=1649943 - Firmaprofesional: Incorrect OCSP Delegated Responder Certificate
https://bugzilla.mozilla.org/show_bug.cgi?id=1651637 - Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU
https://bugzilla.mozilla.org/show_bug.cgi?id=1649502 - Firmaprofesional: 2020 Audit Report Finding 1 out of 4 (CPS did not adequately disclose how Firmaprofesional would provide CRLs under certain scenarios)
https://bugzilla.mozilla.org/show_bug.cgi?id=1649679 - Firmaprofesional: 2020 Audit Report Finding 2 out of 4 (contingency datacenter did not have same security measures as main datacenter)
https://bugzilla.mozilla.org/show_bug.cgi?id=1649724 - Firmaprofesional: 2020 Audit Report Finding 3 out of 4 (inadequate log-keeping)
https://bugzilla.mozilla.org/show_bug.cgi?id=1649726 - Firmaprofesional: 2020 Audit Report Finding 4 out of 4 (certificate issued with subject:organizationIdentifier field prior to adoption by CABF of v. 1.7.0 of the EVGs)
https://bugzilla.mozilla.org/show_bug.cgi?id=1717790 - Firmaprofesional: 2021 Audit Report Finding 1 out of 3 (recordkeeping lacked formal assignment and acceptance of appointment to trusted role)
https://bugzilla.mozilla.org/show_bug.cgi?id=1717791 - Firmaprofesional: 2021 Audit Report Finding 2 out of 3 (trusted role of Validation Specialist inadequately defined)
https://bugzilla.mozilla.org/show_bug.cgi?id=1717795 - Firmaprofesional: 2021 Audit Report Finding 3 out of 3 (certificates did not include CABF CP OID) (related to https://bugzilla.mozilla.org/show_bug.cgi?id=1700145)

Firmaprofesional has no open incidents at this time, and I have no further questions or concerns about this inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying using the subject heading above. A representative of Firmaprofesional must promptly respond directly in the discussion thread to all questions that are posted.

Again, this email begins a three-week public discussion period, which I'm scheduling to close on or about November 11, 2021.

Sincerely yours,
Ben Wilson
Mozilla Root Program
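Before adding a replacement root like this one to a trust store, a practitioner checks two of the claims made in the announcement on the file actually downloaded: that its SHA-256 fingerprint (over the DER encoding) equals the published value, and that the certificate is signed with sha256WithRSAEncryption rather than sha1. The script below is an added example written for this page; it is not Firmaprofesional's or Mozilla's code and it does not fetch anything. It assumes the root has already been saved locally from the download URL above (in PEM or DER form) and is passed as a path; when run without a path it exercises a constructed, non-validating DER blob shaped like an X.509 Certificate, so it runs offline. It uses only the standard library, since signatureAlgorithm is simply the second element of the outer Certificate SEQUENCE (RFC 5280 section 4.1) and a few dozen lines of DER walking suffice.

```python
"""Verify a downloaded root CA against a published SHA-256 fingerprint and
report the signature algorithm it was signed with. Standard library only.
Added example for this page, not Firmaprofesional's or Mozilla's code."""
import base64
import hashlib
import re
import sys

# Published in the announcement: SHA-256 over the DER encoding of the root.
EXPECTED_SHA256 = "57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A"

# Signature algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def pem_to_der(data: bytes) -> bytes:
    """Accept PEM or DER input; the .crt download may be served either way."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(b"".join(m.group(1).split())) if m else data


def der_to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV (single-byte tag) at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der: bytes) -> str:
    """Name (or dotted OID) of Certificate.signatureAlgorithm.algorithm."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(cert, 0)      # tbsCertificate (skipped)
    tag, alg, _ = _read_tlv(cert, pos)     # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    dotted = _decode_oid(oid)
    return SIG_ALG_NAMES.get(dotted, dotted)


def sha256_fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest().upper()


def check_root(data: bytes, expected_sha256: str = EXPECTED_SHA256) -> dict:
    """Compare the file against the announced fingerprint and flag SHA-1 signing."""
    der = pem_to_der(data)
    fp, alg = sha256_fingerprint(der), signature_algorithm(der)
    return {"fingerprint": fp, "fingerprint_matches": fp == expected_sha256.upper(),
            "signature_algorithm": alg, "sha1_signed": alg == "sha1WithRSAEncryption"}


# --- constructed sample input (not a real certificate) for offline runs ---
def _der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def constructed_cert(sig_oid: str) -> bytes:
    """Constructed DER shaped like Certificate ::= SEQUENCE { tbs, sigAlg, sig }.
    Only the outer layout is realistic; tbs is a placeholder and nothing validates."""
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 32)   # BIT STRING, 0 unused bits
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else constructed_cert("1.2.840.113549.1.1.11")
    for k, v in check_root(blob).items():
        print(f"{k}: {v}")
```

Usage: `python3 check_root.py caroot256.crt` after saving the file from the download URL. A `fingerprint_matches: False` result means the file on disk is not the certificate the announcement describes (a mirror, a PEM/DER conversion with stray bytes, or the old SHA-1 root); `sha1_signed: True` would indicate the old root was fetched instead of the SHA-256 version.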
