Thank you, Ben.

I've been doing "reply all", that didn't include [email protected] forwarding now..

Thanks
M.D.

Sent from my Galaxy

-------- Original message --------
From: "Moudrick M. Dadashov" <[email protected]>
Date: 12/7/21 17:33 (GMT+02:00)
To: "Lahtiharju, Pekka" <[email protected]>, Ben Wilson <[email protected]>
Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Thank you, Pekka.

To my best knowledge, all contractual relations between a CA and its subcontractors not only must be documented, but also be part of the CA audit. I hope Ben could clarify this for us.

As for SK ID Solutions, your statement about its independence, unfortunately is not accurate - Telia Company AB is (and has always been) its major lobbyist at all levels - this is why we have now huge #eIDAS & #GDPR misimplementation chaos - the # of surrogate QESCs and QSCDs in circulation exceeds 5 million (!).

But back to the subject, if I understand correctly, Telia Lithuania (legal name AB Telia Lietuva) is one Telia Finland Oyj's RA, right?

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "Lahtiharju, Pekka" <[email protected]>
Date: 12/7/21 16:55 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>, Ben Wilson <[email protected]>
Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
Hi Moudrick,

This division of Telia RA functionality to two internal affiliated teams is not now documented into our CP/CPS. I think many CA competitors like Entrust are also using several RA teams that are not documented. Should we document our RA practices from this angle?

SK ID Solutions is not counted as Telia affiliate because Telia ownership is only 50 %. Telia can’t control it now. Thus, it has its own processes and policies which are independent from Telia.

Br Pekka

From: Moudrick M. Dadashov <[email protected]>
Sent: Tuesday, 7 December 2021 16.23
To: Lahtiharju, Pekka <[email protected]>; Ben Wilson <[email protected]>
Cc: Liimatainen, Mika A. <[email protected]>; Gholami, Ali <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Thank you, Pekka.

Is this RA policy described somewhere in Telia Finland Oyj CA documentation? Hopefully this will help to understand the relationship between Telia Company AB, Telia Finland Oyj and the Estonian CA (a TSP under eIDAS) - SK ID Solutions which is owned by Telia Company AB, Swedbank AB and SEB AB.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "Lahtiharju, Pekka" <[email protected]>
Date: 12/7/21 16:03 (GMT+02:00)
To: "Moudrick M. Dadashov" <[email protected]>, Ben Wilson <[email protected]>
Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Hi Moudrick,

Currently Telia CA has two RA teams: one in Telia Finland Oyj in Finland and another in Cygate AB in Sweden. Cygate AB is also fully owned subsidiary of Telia Company AB. All validations from any country are done in these two teams but today we have a policy that company validation is done only to companies where it or its main company is located in one of the Telia countries meaning: FI, SE, NO, DK, EE, LT. These countries are divided to the our RA teams.
Telia Finland has responsibility of FI, EE, LT and internal Telia certificates. Cygate has responsibility of SE, NO, DK certificates.

Telia Finland Oyj is the “owner” of RA functions and may start using later other Telia affiliates for RA purposes if business in some country grows significantly. Telia Finland Oyj is also responsible of the TLS certificate process. Telia CA won’t use any external parties for TLS validation.

This means that your example certificate from “Telia Company AB” is validated by Telia Finland Oyj.

Note! DV certificates are enrolled without any country or company validation.

Telia also enroll some signature certificates for Swedish Citizens. These client certificates are outside of Mozilla scope based on their EKU. There user identification is outsourced to a third party called Formpipe AB (https://www.formpipe.com/). They use Swedish national citizen authentication called BankID to authenticate users. This functionality is included into our basic Webtrust audit under special subCA “Telia Class 3 CA”. Formpipe is the only external delegated RA party Telia CA is using.

Br Pekka

From: Moudrick M. Dadashov <[email protected]>
Sent: Tuesday, 7 December 2021 15.18
To: Lahtiharju, Pekka <[email protected]>; Ben Wilson <[email protected]>
Cc: Liimatainen, Mika A. <[email protected]>; Gholami, Ali <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Hi Pekka,

Thanks for clarification. As noted earlier, my question is about distribution/delegation of CA functions among all "part of Telia Company AB". Specifically, I'd like to understand delegated RA functions (if any). Just take an example of issuing an TSL certificate for Telia Company AB.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "Lahtiharju, Pekka" <[email protected]>
Date: 12/7/21 14:48 (GMT+02:00)
To: Ben Wilson <[email protected]>
Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>, [email protected]
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Hi Ben,

Here is the full evidence from our legal department related to Telia Company’s right to use trade mark “Telia”. Telia Finland Oyj is a fully owned subsidiary of Telia Company AB and has a license to use trademark TELIA in business in Finland. List of other valid countries is in the attachment.

Br Pekka

From: Lahtiharju, Pekka
Sent: Tuesday, 7 December 2021 10.59
To: Ben Wilson <[email protected]>
Cc: Liimatainen, Mika A. <[email protected]>; Gholami, Ali <[email protected]>; [email protected]
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Hi Ben,

I have the main responsibility of this discussion so you should add posting privileges to me. Before that I answer using this email.

Telia Group is a huge European company group consisting of about one hundred affiliates in several countries. The main company is “Telia Company AB” in Sweden. Telia Finland Oyj is its Finnish affiliate that is responsible of publicly trusted CA services for the whole company group. Telia Finland Oyj is using some other affiliates like Swedish “Cygate AB” when implementing CA services. Many affiliates resell Telia’s CA services. We have used both company names “Telia Company AB” and “Telia Finland Oyj” in this application.

The common name under Telia company group is “Telia” that is trade mark used in all Telia countries by most Telia affiliates. “Telia” trade mark is protected on European Union level using mechanisms of “European Union Intellectual Property Office”. It is also protected in all Telia countries using local rules in each country. The link to describe European Union level trade mark protection system is Trade marks (europa.eu).

For these reasons we use name “Telia CA” in most contexts where public can see our CA services. E.g. we want to use CN value “Telia Root CA v2” so that it is clearly linked to Telia Company group in all Telia countries. Generally public is not aware of company names of Telia group or how they own each other, but public usually know our well-known trade mark “Telia” at least in our primary target countries.

Br Pekka

From: Ben Wilson <[email protected]>
Sent: Monday, 6 December 2021 20.13
To: Lahtiharju, Pekka <[email protected]>; Liimatainen, Mika A. <[email protected]>; Gholami, Ali <[email protected]>
Subject: Re: Public Discussion: Inclusion of Telia Root CA v2

Also, let me know who will be responding so that I can make sure they have posting privileges to the list.

On Mon, Dec 6, 2021 at 11:08 AM Ben Wilson <[email protected]> wrote:

Please respond to Moudrick on MDSP list and clarify - thanks! My CCADB records say "Telia Finland Oyj, part of Telia Company AB"

---------- Forwarded message ---------
From: md <[email protected]>
Date: Mon, Dec 6, 2021 at 12:32 AM
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
To: Ben Wilson <[email protected]>, [email protected] <[email protected]>

Hi,

as Telia Company AB (Sweden) and Telia Oy (Finland) are two separate legal persons, it's not clear what is Telia? Actually the same clarification needed for all other countries listed in the Bug.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: Ben Wilson <[email protected]>
Date: 12/1/21 17:16 (GMT+02:00)
To: "[email protected]" <[email protected]>
Subject: Public Discussion: Inclusion of Telia Root CA v2

All,

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process (https://wiki.mozilla.org/CA/Application_Process#Process_Overview - Steps 4 through 9) for Telia’s inclusion request for the Telia Root CA v2 (https://crt.sh/?id=1199641739).
Mozilla is considering approving Telia’s request to add the root as a trust anchor with the websites and email trust bits as documented in Bugzilla #1664161 and CCADB Case #660.

This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Summary

This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to 29-Nov-2043.

SHA2 Certificate Hash: 242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C

Root Certificate Downloads:
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem

CP/CPS: Effective October 14, 2021, the current CPS for the Telia Root CA v2 may be downloaded here: https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).

Repository location: https://cps.trust.telia.com/

Test Websites:
Valid - https://juolukka.cover.telia.fi:10603/
Revoked - https://juolukka.cover.telia.fi:10604/
Expired - https://juolukka.cover.telia.fi:10605/

BR Self Assessment (PDF) is located here: https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf

Audits: Annual audits are performed by KPMG. The most recent audits were completed for the period ending March 31, 2021, according to WebTrust audit criteria. The standard WebTrust audit (in accordance with v.2.2.1) contained no adverse findings. The WebTrust Baseline Requirements audit (in accordance with v.2.4.1) was qualified based on the fact that the Telia Root CA v1 certificate did not include subject:countryName. (The Telia Root CA v2 contains a subject:countryName of “FI”.)

Attachment B to the WebTrust Baseline Requirements audit report listed eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit period, which are now resolved as fixed.
They were as follows:

Link to Bugzilla Bug - Matter description
https://bugzilla.mozilla.org/show_bug.cgi?id=1614311 - Two CA certificates not listed in 2020 WebTrust audit report
https://bugzilla.mozilla.org/show_bug.cgi?id=1612332 - Ambiguity on KeyUsage with ECC public key
https://bugzilla.mozilla.org/show_bug.cgi?id=1551372 - One Telia certificate containing a stateOrProvinceName of “Some-State”
https://bugzilla.mozilla.org/show_bug.cgi?id=1649683 - Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with Baseline Requirements
https://bugzilla.mozilla.org/show_bug.cgi?id=1637854 - AIA CA Issuer field pointing to PEM-encoded certificate
https://bugzilla.mozilla.org/show_bug.cgi?id=1674536 - Certificates with RSA keys where modulus is not divisible by 8
https://bugzilla.mozilla.org/show_bug.cgi?id=1565270 - Subject field automatic check in CA system
https://bugzilla.mozilla.org/show_bug.cgi?id=1689589 - Disallowed curve (P-521) in leaf certificate

Recent, open bugs/incidents are the following:

Link to Bugzilla Bug - Matter description
https://bugzilla.mozilla.org/show_bug.cgi?id=1738207 - Issued three precertificates with non-NIST EC curve
https://bugzilla.mozilla.org/show_bug.cgi?id=1736020 - Invalid email contact address was used for few domains
https://bugzilla.mozilla.org/show_bug.cgi?id=1737808 - Delayed revocation of 5 EE certificates in connection to id=1736020

I have no further questions or concerns about this inclusion request, however I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of Telia must promptly respond directly in the discussion thread to all questions that are posted.

Again, this email begins a three-week public discussion period, which I’m scheduling to close on December 22, 2021.

Sincerely yours,
Ben Wilson
Mozilla Root Program

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZj87QS3jL7R_32JEnfPZeU4hBNBJ%2BGHWU_pUdqF%3Dbbg%40mail.gmail.com.

This email may contain information which is privileged or protected against unauthorized disclosure or communication. If you are not the intended recipient, please notify the sender and delete this message and any attachments from your system without producing, distributing or retaining copies thereof or disclosing its contents to any other person. Telia Company processes emails and other files that may contain personal data in accordance with Telia Company’s Privacy Policy.
