Thank you, Pekka

At least the audit reports in the Repository require a password. Please advise.

Thanks,
M.D.

On Thu, Dec 16, 2021, 09:44 [email protected] <[email protected]> wrote:

> All other Telia CA public documentation is here:
> https://cps.trust.telia.com. If you think that something is missing
> specify what. All links in Ben's initial announcement look good to me.
> There are no unnecessary password protections.
>
> On Tuesday, 14 December 2021 at 19:51:31 UTC+2, [email protected] wrote:
>
>> Thank you, Pekka
>>
>> Before we can continue our discussion, could you please add any other
>> documents relevant to this request? Make sure the documents are not
>> password protected.
>>
>> I’ve been relying on the documents listed in Ben's initial announcement.
>>
>> Thanks,
>> M.D.
>>
>> Sent from my Galaxy
>>
>> -------- Original message --------
>> From: "[email protected]" <[email protected]>
>> Date: 12/14/21 16:01 (GMT+02:00)
>> To: [email protected]
>> Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
>> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>>
>> > You clarified that Telia CA is a group function of virtual Telia CA team
>> > from many Telia affiliates, in the meantime Mozilla accepts only real CA
>> > with disclosed locations that were "included in the scope of the audit or
>> > should have been included in the scope of the audit, whether the inspection
>> > was physically carried out in person at each location, and which audit
>> > criteria were checked (or not checked) at each location".
>>
>> I don't understand your statements above that we are not real or not
>> disclosed our locations or audit criteria. Telia CA is a real CA under
>> Telia Finland Oyj which is affiliate company of Telia Company AB. This is
>> clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in
>> compliance with this CPS is Telia CA. The legal entity responsible of Telia
>> CA is Finnish company “Telia Finland Oyj” (BusinessID 1475607-9).
>> Telia Finland Oyj is part of Swedish company “Telia Company AB” (BusinessID
>> 5561034249)." Also our annual Webtrust audits clearly state that both
>> countries have been in the audit scope. E.g. the last Webtrust report is
>> using this wording: "... in providing its SSL and non-SSL Certification
>> Authority (CA) services in Finland and Sweden, throughout the period 1
>> April 2020 to 31 March 2021, Telia has: -disclosed its SSL ...". The Full
>> Webtrust audit reports are available at links below. Auditors have every
>> year visited physically both countries since 2005 to verify all our
>> operations. Also audit criteria (Webtrust and its versions) is clearly
>> stated in our audit reports.
>>
>> > a) Is this audit material available somewhere?
>>
>> Yes, latest:
>> https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf,
>> https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
>>
>> > The documents provided under this request show that Telia Company AB is
>> > a PKI participant whose roles/responsibilities within the CA are not
>> > disclosed. I’d suggest in your answers to focus on Telia Company AB CA/RA
>> > functions/responsibilities rather than ownership details - BRs and Mozilla
>> > policy do not assume any privileges for owners, affiliates or groups - CA’s
>> > operational independence must be ensured and respected not only by its
>> > affiliates (including owners) but also by its own company management.
>>
>> I don't understand. All participants, locations and audit reports are
>> disclosed on our public web pages Telia Certificate Services Repository
>> <https://cps.trust.telia.com/>. Both RAs were included in the audits
>> like explained above. Swedish RA may not be directly mentioned in CPS but
>> none of our competitors is listing all their RA teams either. All our CA/RA
>> employees are internal Telia persons.
>> Telia Company AB hasn't any real
>> CA/RA role, instead it is the owner of Telia Finland Oyj and thus
>> indirectly owner of Telia CA. Audit reports show how all our CA/RA
>> processes in all locations have passed audits with only minor deviations.
>> Auditors also verify all locations and roles of all trusted persons.
>> Company management assertions show that Telia Company Management is behind
>> Telia CA. Our CP/CPS documents describe our processes in very detailed
>> level. I think that different Telia company roles and responsibilities
>> should be already clear but if any more responsibility description is
>> required I'm happy to provide such.
>>
>> > b) according to RFC 3647 BRs and Mozilla policy require CP and CPS,
>> > while this root has CPS only, correct?
>>
>> Incorrect. Our disclosed CP/CPS is both at the same time. Chapter 1.2
>> clearly states: "This CPS is also a CP for Telia OV, DV and Seal
>> certificates.". In many CP/CPS chapters there is at first more general CP
>> description and then below how Telia CA has implemented such things.
>>
>> > you explained that it's a Telia group function with two participants
>> > Telia Finland Oyj and Cygate AB, however based on 1) and the documents
>> > provided under this request, this CA has at least three PKI participants
>> > whose roles/responsibilities need to be disclosed.
>>
>> I don't understand what would be the third Telia CA/RA participant you
>> are referring. Telia Company AB's role as the owner has been already
>> covered in my previous comments. I don't think owner is any real CA/RA
>> role. The only real (functional) roles belong to Telia Finland Oyj which
>> has the legal responsibility of Telia CA and of the Finnish RA team and
>> Cygate AB which has the legal responsibility of our Swedish RA team.
>>
>> > you explained that "We use affiliate like BR defines it", sorry, but this
>> > is misunderstanding - in BRs affiliate is used in specific CA/RA operation
>> > contexts, so please be as specific as possible, what is the role of the
>> > affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia
>> > Lietuva)?
>>
>> Telia Lithuania AB has no role in Telia CA/RA processes. Clear enough?
>> They may be using Telia certificates there thus having "relying party" role.
>>
>> On Tuesday, 14 December 2021 at 11:55:37 UTC+2, [email protected] wrote:
>>
>>> Thanks, Pekka
>>>
>>> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
>>> CA/RA operations?
>>>
>>> you clarified that Telia CA is a group function of virtual Telia CA team
>>> from many Telia affiliates, in the meantime Mozilla accepts only *real*
>>> CA with disclosed locations that were "*included in the scope of the
>>> audit or should have been included in the scope of the audit, whether the
>>> inspection was physically carried out in person at each location, and which
>>> audit criteria were checked (or not checked) at each location*".
>>>
>>> a) Is this audit material available somewhere?
>>>
>>> The documents provided under this request show that Telia Company AB is
>>> a *PKI participant* whose roles/responsibilities within the CA are not
>>> disclosed. I’d suggest in your answers to focus on Telia Company AB
>>> CA/RA functions/responsibilities rather than ownership details - BRs
>>> and Mozilla policy do not assume any privileges for owners, affiliates or
>>> groups - CA’s operational independence must be ensured and respected not
>>> only by its affiliates (including owners) but also by its own company
>>> management.
>>>
>>> b) according to RFC 3647 BRs and Mozilla policy require CP and CPS,
>>> while this root has CPS only, correct?
>>>
>>> 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>>>
>>> you explained that it's a Telia group function with two participants
>>> Telia Finland Oyj and Cygate AB, however based on 1) and the documents
>>> provided under this request, this CA has at least three PKI participants
>>> whose roles/responsibilities need to be disclosed.
>>>
>>> 3) what is "affiliate" in terms of specific CA/RA functions?
>>>
>>> you explained that "We use affiliate like BR defines it", sorry, but this
>>> is misunderstanding - in BRs affiliate is used in specific CA/RA operation
>>> contexts, so please be as specific as possible, what is the role of the
>>> affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia
>>> Lietuva)?
>>>
>>> Thanks,
>>> M.D.
>>>
>>> Sent from my Galaxy
>>>
>>> -------- Original message --------
>>> From: "[email protected]" <[email protected]>
>>> Date: 12/13/21 08:34 (GMT+02:00)
>>> To: [email protected]
>>> Cc: "[email protected]" <[email protected]>
>>> Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2
>>>
>>> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
>>> CA/RA operations?
>>>
>>> The main company “Telia Company AB” is the owner of the other Telia
>>> organizations (aka companies aka subsidiaries aka affiliates). Telia
>>> Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company
>>> group, each subsidiary is responsible for running the operations. Telia
>>> Finland Oyj is the legal entity running Telia CA operations. Telia
>>> employees from many Telia companies may belong to group functions that
>>> create systems for the whole Telia group. E.g. Telia CA is a group function
>>> so that persons in virtual Telia CA team come from many Telia affiliates
>>> and thus from many countries. Complex but big enterprises may work like
>>> this. To simplify a bit you can say that Telia Finland is running Telia CA
>>> using resources from many Telia affiliates. And all is owned by Telia
>>> Company AB.
>>> All Telia CA employees belong legally to one of the Telia
>>> affiliates.
>>>
>>> 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>>>
>>> Telia CA Policy Management team is also a Telia group function like
>>> described above. Currently it has members from “Telia Finland Oyj” and
>>> “Cygate AB”.
>>>
>>> 3) what is "affiliate" in terms of specific CA/RA functions?
>>>
>>> We use affiliate like BR defines it: “*Affiliate*: A corporation,
>>> partnership, joint venture or other entity controlling, controlled by, or
>>> under common control with another entity, or an agency, department,
>>> political subdivision, or any entity operating under the direct control of
>>> a Government Entity.” Resources to run CA/RA come from several Telia
>>> affiliates but CA belongs legally to Telia Finland Oyj. One RA belongs to
>>> and is run by Telia Finland Oyj and the other belongs to Cygate AB.
>>>
>>> On Monday, 13 December 2021 at 00:28:41 UTC+2, [email protected] wrote:
>>>
>>>> Forwarding to the list
>>>>
>>>> Sent from my Galaxy
>>>>
>>>> -------- Original message --------
>>>> From: md <[email protected]>
>>>> Date: 12/8/21 17:02 (GMT+02:00)
>>>> To: "Lahtiharju, Pekka" <[email protected]>, Ben Wilson <[email protected]>
>>>> Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>
>>>> Subject: RE: Public Discussion: Inclusion of Telia Root CA v2
>>>>
>>>> Good day, Pekka
>>>>
>>>> Let’s focus on information directly relevant to this CA. As you already
>>>> explained, "Telia" is just a trademark used by Telia Finland Oyj, which is
>>>> the CA - a legal entity behind this root inclusion request.
>>>>
>>>> You have also clarified that Telia Finland Oyj has two (undisclosed)
>>>> RAs and a number of so called affiliates. We still need to understand:
>>>>
>>>> 1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj’s
>>>> CA/RA operations?
>>>>
>>>> 2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
>>>>
>>>> 3) what is "affiliate" in terms of specific CA/RA functions?
>>>>
>>>> Thanks,
>>>> M.D.
>>>>
>>>> Sent from my Galaxy
>>>>
>>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "[email protected]" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org
>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org?utm_medium=email&utm_source=footer>
>>> .
