On October 20, 2021, we began the public discussion period [Step 4 of the Mozilla Root Store CA Application Process <https://wiki.mozilla.org/CA/Application_Process>] for Firmaprofesional’s inclusion request. We have received no negative comments. There does not appear to be any action item for Firmaprofesional to complete in order to move this request forward. This is notice that I am closing the public discussion period [Step 9] and that it is Mozilla’s intent to approve the inclusion request [Step 10].
This begins a 7-day “last call” period (through Nov. 18, 2021) for any final objections.

Thanks,

Ben

On Wed, Oct 20, 2021 at 11:12 AM Ben Wilson <[email protected]> wrote:

> This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Firmaprofesional’s request to replace its SHA1 root CA certificate with a SHA256 version of the Autoridad de Certificacion Firmaprofesional CIF A62634068 (https://crt.sh/?caid=430).
>
> Mozilla is considering approving Firmaprofesional’s request to add the root as a trust anchor with the websites and email trust bits and EV enabled, as documented in Bugzilla bug #1102143 <https://bugzilla.mozilla.org/show_bug.cgi?id=1102143>. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).
>
> *A Summary of Information Gathered and Verified appears here in the CCADB:*
>
> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000053
>
> This CA certificate for Autoridad de Certificacion Firmaprofesional CIF A62634068 is valid from 9/23/2014 to 5/5/2036. (The previous CA certificate is valid from 5/20/2009 to 12/31/2030.)
>
> *SHA2 Certificate Hash:* 57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A
>
> https://crt.sh/?id=12977067
>
> This new CA certificate is signed using sha256WithRSAEncryption, whereas the previous CA certificate was signed using sha1.
>
> *Root Certificate Download:*
>
> http://crl.firmaprofesional.com/caroot256.crt
>
> *CP/CPS:* Effective June 28, 2021, the current CPS for Firmaprofesional is version 210628: https://www.firmaprofesional.com/wp-content/uploads/pdfs/FP_CPS-210628-EN-sFP.pdf
>
> Repository location: https://www.firmaprofesional.com/certification-policies-and-practices/
>
> *Test Websites:*
>
> Valid - https://www.firmaprofesional.com
>
> Valid EV - https://testsslev2021.firmaprofesional.com
>
> Revoked - https://testrevokedsslev.firmaprofesional.com
>
> Expired - https://testexpiredsslev.firmaprofesional.com
>
> *BR Self Assessment* is located here: https://www.firmaprofesional.com/wp-content/uploads/pdfs/Firmaprofesional_BR_Self_Assessment-210519-EN.pdf
>
> *Audits:* Annual audits are performed by AENOR. The most recent audits were completed for the period ending March 27, 2021, according to ETSI audit criteria. https://www.aenor.com/Certificacion_Documentos/eiDas/2021%20AENOR%20Anexo%20ETSI%20319%20411-1-2%20PSC-FIRMAPROFESIONAL.pdf
>
> There were three findings in the audit report plus a list of six Bugzilla bugs for incidents open during the 2020-2021 audit period.
> They were as follows:
>
> *Link to Bugzilla Bug*
> *Matter description*
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1649943
> Firmaprofesional: Incorrect OCSP Delegated Responder Certificate
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1651637
> Firmaprofesional: Failure to revoke ICAs within 7 days: OCSP EKU
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1649502
> Firmaprofesional: 2020 Audit Report Finding 1 out of 4 (CPS did not adequately disclose how Firmaprofesional would provide CRLs under certain scenarios)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1649679
> Firmaprofesional: 2020 Audit Report Finding 2 out of 4 (contingency datacenter did not have same security measures as main datacenter)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1649724
> Firmaprofesional: 2020 Audit Report Finding 3 out of 4 (inadequate log-keeping)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1649726
> Firmaprofesional: 2020 Audit Report Finding 4 out of 4 (certificate issued with subject:organizationIdentifier field prior to adoption by CABF of v. 1.7.0 of the EVGs)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1717790
> Firmaprofesional: 2021 Audit Report Finding 1 out of 3 (recordkeeping lacked formal assignment and acceptance of appointment to trusted role)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1717791
> Firmaprofesional: 2021 Audit Report Finding 2 out of 3 (trusted role of Validation Specialist inadequately defined)
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1717795
> Firmaprofesional: 2021 Audit Report Finding 3 out of 3 (certificates did not include CABF CP OID) (related to https://bugzilla.mozilla.org/show_bug.cgi?id=1700145)
>
> Firmaprofesional has no open incidents at this time, and I have no further questions or concerns about this inclusion request, however I urge anyone with concerns or questions to raise them on this list by replying using the subject heading above.
>
> A representative of Firmaprofesional must promptly respond directly in the discussion thread to all questions that are posted.
>
> Again, this email begins a three-week public discussion period, which I’m scheduling to close on or about November 11, 2021.
>
> Sincerely yours,
>
> Ben Wilson
>
> Mozilla Root Program
