Thank you, PekkaBefore we can continue our discussion, could you please add any other documents relevant to this request? Make sure the documents are not password protected.I’ve been relying on the documents listed in Ben's initial announcement.Thanks,M.D.Sent from my Galaxy -------- Original message --------From: "[email protected]" <[email protected]> Date: 12/14/21 16:01 (GMT+02:00) To: [email protected] Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2 >You clarified that Telia CA is a group function of virtual Telia CA team from many Telia affiliates, in the meantime Mozilla accepts only real CA with disclosed locations that were "included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location".I don't understand your statements above that we are not real or not disclosed our locations or audit criteria. Telia CA is a real CA under Telia Finland Oyj which is affiliate company of Telia Company AB. This is clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID 5561034249)." Also our annual Webtrust audits clearly states that both countries have been in the audit scope. E.g. the last Webtrust report is using this wording: "... in providing its SSL and non-SSL Certification Authority (CA) services in Finland and Sweden, throughout the period 1 April 2020 to 31 March 2021, Telia has: -disclosed its SSL ...". The Full Webtrust audit reports are available at links below. Auditors have every year visited physically both countries since 2005 to verify our all our operations. Also audit criteria (Webtrust and its versions) is clearly stated in our audit reports. >a) Is this audit material available somehere?Yes, latest: https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf, https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf>The documents provided under this request show that Telia Company AB is a PKI participant whose roles/responsibilities within the CA are not disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA functions/responsibilities rather than ownership details - BRs and Mozilla policy do not assume any privileges for owners, affiliates or groups - CA’s operational independence must be ensured and respected not only by its affiliates (including owners) but also by its own company management.I don't understand. All participants, locations and audit reports are disclosed on our public web pages Telia Certificate Services Repository. Both RAs were included in the audits like explained above. Swedish RA may not be directly mentioned in CPS but none of our competitors is listing all their RA teams either. All our CA/RA employees are internal Telia persons. Telia Company AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj and thus indirectly owner of Telia CA. Audit reports show how all our CA/RA processes in all locations have passed audits with only minor deviations. Auditors also verify all locations and roles of all trusted persons. Company management assertions show that Telia Company Management is behind Telia CA. Our CP/CPS documents describe our processes in very detailed level. I think that different Telia company roles and responsibilities should be already clear but if any more responsibility description is required I'm happy to provide such.>b) according to RFC 3647 BRs and Mozilla policy require CP and CPS, while this root has CPS only, correct?Incorrect. Our disclosed CP/CPS is both at the same time. Chapter 1.2 clearly states: "This CPS is also a CP for Telia OV, DV and Seal certificates.". In many CP/CPS chapters there is at first more general CP description and then below how Telia CA has implemented such things.>you explained that its a Telia group function with two participants Telia Finland Oyj and Cygate AB, however based on 1) and the documents provided under this request, this CA has at least three PKI participants whose roles/responsibilities need to be disclosed.I don't understand what would be the third Telia CA/RA participant you are referring. Telia Company AB's role as the owner has been already covered in my previous comments. I don't think owner is any real CA/RA role. The only real (functional) roles belong to Telia Finland Oyj which has the legal responsibility of Telia CA and of the Finnish RA team and Cygate AB which has the legal responsibility of our Swedish RA team. >you explaned that "We use affiliate like BR defines it", sorry, but this is misunderstanding - in BRs affiliate is used in specific CA/RA operation contexts, so please be as specific as possible, what is the role of the affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia Lietuva)?Telia Lithuania AB has no role in Telia CA/RA processes. Clear enough? They may be using Telia certificates there thus having "relying party" role.tiistai 14. joulukuuta 2021 klo 11.55.37 UTC+2 [email protected] kirjoitti:Thanks, Pekka1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s CA/RA operations?you clarified that Telia CA is a group function of virtual Telia CA team from many Telia affiliates, in the meantime Mozilla accepts only real CA with disclosed locations that were "included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location".a) Is this audit material available somehere?The documents provided under this request show that Telia Company AB is a PKI participant whose roles/responsibilities within the CA are not disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA functions/responsibilities rather than ownership details - BRs and Mozilla policy do not assume any privileges for owners, affiliates or groups - CA’s operational independence must be ensured and respected not only by its affiliates (including owners) but also by its own company management.b) according to RFC 3647 BRs and Mozilla policy require CP and CPS, while this root has CPS only, correct?2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?you explained that its a Telia group function with two participants Telia Finland Oyj and Cygate AB, however based on 1) and the documents provided under this request, this CA has at least three PKI participants whose roles/responsibilities need to be disclosed.3) what is "affiliate" in terms of specific CA/RA functions?you explaned that "We use affiliate like BR defines it", sorry, but this is misunderstanding - in BRs affiliate is used in specific CA/RA operation contexts, so please be as specific as possible, what is the role of the affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia Lietuva)?Thanks,M.D.Sent from my Galaxy-------- Original message --------From: "[email protected]" <[email protected]> Date: 12/13/21 08:34 (GMT+02:00) To: [email protected] Cc: "[email protected]" <[email protected]> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s CA/RA operations?
The main company “Telia Company AB” is the owner of the other Telia organizations (aka companies aka subsidiaries aka affiliates). Telia Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company group, each subsidiary is responsible for running the operations. Telia Finland Oyj is the legal entity running Telia CA operations. Telia employees from many Telia companies may belong to group functions that create systems for the whole Telia group. E.g. Telia CA is a group function so that persons in virtual Telia CA team come from many Telia affiliates and thus from many countries. Complex but big enterprises may work like this. To simplify a bit you can say that Telia Finland is running Telia CA using resources from many Telia affiliates. And all is owned by Telia Company AB. All Telia CA employees belong legally to one of the Telia affiliates. 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj? Telia CA Policy Management team is also a Telia group function like described above. Currently it has members from “Telia Finland Oyj” and “Cygate AB”. 3) what is "affiliate" in terms of specific CA/RA functions? We use affiliate like BR defines it: “Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity.” Resources to run CA/RA come from several Telia affiliates but CA belongs legally to Telia Finland Oyj. One RA belongs to and is run by Telia Finland Oyj and the other belongs to Cygate AB.maanantai 13. joulukuuta 2021 klo 0.28.41 UTC+2 [email protected] kirjoitti:Forwarding to the listSent from my Galaxy-------- Original message --------From: md <[email protected]> Date: 12/8/21 17:02 (GMT+02:00) To: "Lahtiharju, Pekka" <[email protected]>, Ben Wilson <[email protected]> Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]> Subject: RE: Public Discussion: Inclusion of Telia Root CA v2 Good day, PekkaLet’s focus on information directly relevant to this CA. As you already explained, "Telia" is just a trademark used by Telia Finland Oyj, which is the CA - a legal entity behind this root inclusion request.You have also clarified that Telia Finland Oyj has two (undisclosed) RAs and a number of so called affiliates. We still need to understand:1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s CA/RA operations?2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?3) what is "affiliate" in terms of specific CA/RA functions?Thanks,M.D.Sent from my Galaxy -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/280ffcc7-8afd-429b-9082-cadc167dd58an%40mozilla.org. -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/61b8d9a0.1c69fb81.550c8.69bdSMTPIN_ADDED_MISSING%40mx.google.com.
