Thanks, Pekka

Obviously the year end is not the best time for this high risk applicant - Telia Company AB - as a telco and Tier 1 ISP together with its affiliates use/rely on TLS certificates for other undisclosed network management purposes. Also, given Telia Company AB's business practices in my own country, its close "cooperation" with many governments, worth mentioning that this is a semi-government company.

As this is the only place where we can discuss Telia Company AB related issues (eIDAS supervisory body assessment procedures are not public), I'd like to summarize the three questions raised earlier:

1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj's CA/RA operations?

i) In your 12-14-21 email: 'I don't understand your statements above that we are not real or not disclosed our locations or audit criteria', however in your 12-13-21 email: "Telia CA is a group function so that persons in virtual Telia CA team come from many Telia affiliates and thus from many countries. Complex but big enterprises may work like this. To simplify a bit you can say that Telia Finland is running Telia CA using resources from many Telia affiliates." The problem here is that the CA resources need to be clearly identified and audited (irrelevant to who owns what). Ownership of resources also needs to be disclosed - it helps relying parties to understand the risk.

ii) "Telia CA is a real CA under Telia Finland Oyj which is affiliate company of Telia Company AB". Again, this is confusing, the discussion is about CA operations not ownership.

iii) "This is clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company "Telia Finland Oyj" (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company "Telia Company AB" (BusinessID 5561034249)." Please be as specific as possible - we don't need "responsible of Telia CA", we need identification of the CA - a legal person, so I assume it's Telia Finland Oyj and NOT Telia Company AB, right?

iv) "Also our annual Webtrust audits clearly states that both countries have been in the audit scope. E.g. the last Webtrust report is using this wording: "... in providing its SSL and non-SSL Certification Authority (CA) services in Finland and Sweden, throughout the period 1 April 2020 to 31 March 2021, Telia has: -disclosed its SSL ..."." The subject of audit should be a legal entity, not a country - the AUDIT REPORTS AND SEALS section of the CA's Repository lists the following 5 items:

- WebTrust Audit Report 2021 (15 pages)
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf
The first 7 pages of this document are TELIA'S MANAGEMENT ASSERTION, which clearly states that: "Telia Company AB (Telia) operates the Certificate Authority (CA) services as listed in Appendix A, and provides the following services: Subscriber registration, Certificate renewal, Certificate rekey, Certificate issuance, Certificate distribution, Certificate revocation, Certificate validation, Subscriber key generation and management. The management of Telia is responsible for establishing and maintaining effective control over its CA operations." The second part of this document is KPMG's letter To the Management of Telia Company AB which also clearly states: "We have been engaged, in a reasonable assurance, to report on Telia Company AB's (Telia) management's assertion that for its Certification Authority (CA) operations in Finland and Sweden throughout the period 1 April 2020 through 31 March 2021....". In this report there is no reference to Telia Finland Oyj.

- CA/Browser Forum Baseline Requirements Audit Report 2021 (15 pages)
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf
The first 6 pages of this document are also TELIA'S MANAGEMENT ASSERTION by Telia Company AB and the second part KPMG's letter To the Management of Telia Company with the same statement as above. In this report there is no reference to Telia Finland Oyj.

- Telia Public Response to Audit 2021
https://support.trust.telia.com/download/CA/TELIA-PUBLIC-RESPONSE-TO-AUDIT-2021.pdf
In this single page document there is no reference to Telia Company AB or Telia Finland Oyj.

- WebTrust Principles and Criteria for Certification Authorities Seal
https://www.cpacanada.ca/webtrustseal?sealid=10761
The link here refers to the WebTrust Audit Report 2021 (see above).

- WebTrust Principles and Criteria for Certification Authorities - SSL Baseline with Network Security Seal
https://www.cpacanada.ca/webtrustseal?sealid=10761
The link here also refers to the WebTrust Audit Report 2021 (see above).

v) "The Full Webtrust audit reports are available at links below. Auditors have every year visited physically both countries since 2005 to verify all our operations. Also audit criteria (Webtrust and its versions) is clearly stated in our audit reports." See above, again, we are not talking about country audits. If something seems to you clearly stated, help us to see that with specific references - as noted earlier, Mozilla policy requires clear indication of "which audit criteria were checked (or not checked) at each location" - as you don't have a CP and the relevant parts are not identified in the CP/CPS, it's unclear what criteria you are talking about.

vi) "All participants, locations and audit reports are disclosed on our public web pages Telia Certificate Services Repository". Sorry, these generic claims don't help, specific questions need specific answers.

vii) "Both RAs were included in the audits like explained above. Swedish RA may not be directly mentioned in CPS but none of our competitors is listing all their RA teams either." See above my comment iv). I'm sure revisiting RFC 3647 should help. Does it matter that "none of our competitors is listing all their RA teams either"? RAs are an essential part of CA operations!

viii) "All our CA/RA employees are internal Telia persons. Telia Company AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj and thus indirectly owner of Telia CA." "Telia persons" should not be accepted, only persons with contractual relations with the CA - Telia Finland Oyj. Here in Lithuania Telia has created the same chaos - just forget about the laws and standards, do like "Telia persons".

ix) "Audit reports show how all our CA/RA processes in all locations have passed audits with only minor deviations. Auditors also verify all locations and roles of all trusted persons." Please don't forget to indicate specific document and pages. These generic claims don't help.

x) "Company management assertions show that Telia Company Management is behind Telia CA. Our CP/CPS documents describe our processes in very detailed level. I think that different Telia company roles and responsibilities should be already clear but if any more responsibility description is required I'm happy to provide such." But you have already explained that the CA under this request is Telia Finland Oyj (?!). If Telia Company AB is involved in the CA operations, it needs to be identified as a PKI participant.

xi) "Our disclosed CP/CPS is both at the same time. Chapter 1.2 clearly states: "This CPS is also a CP for Telia OV, DV and Seal certificates.". In many CP/CPS chapters there is at first more general CP description and then below how Telia CA has implemented such things." Sorry, this is not what we expect per Section 3.5 of RFC 3647. Could you replace "In many CP/CPS chapters" with specific chapter numbers?

xii) "I don't understand what would be the third Telia CA/RA participant you are referring. Telia Company AB's role as the owner has been already covered in my previous comments. I don't think owner is any real CA/RA role. The only real (functional) roles belong to Telia Finland Oyj which has the legal responsibility of Telia CA and of the Finnish RA team and Cygate AB which has the legal responsibility of our Swedish RA team." As shown above (see comment iv), actually you have two undisclosed PKI participants: Telia Company AB and Cygate AB.

Conclusion: Telia Company AB is a PKI participant with undisclosed obligations.

2) Does "Telia CA Policy Management Team" mean Telia Finland Oyj?

Not clear.

3) What is "affiliate" in terms of specific CA/RA functions?

Not clear.

If approved, this request will create a precedent of "do like Telia" - a practice that is widely used by Telia Company AB and its affiliates in the trust services markets under eIDAS. That's how the recent eIDAS & GDPR misimplementation chaos started.

I suggest this request be approved after the conversion of corporate relationships into clearly identified, disclosed and audited specific PKI participant roles.

Thanks,
M.D.
-------- Original message --------
From: "[email protected]" <[email protected]>
Date: 12/16/21 09:44 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

All other Telia CA public documentation is here: https://cps.trust.telia.com. If you think that something is missing specify what. All links in Ben's initial announcement look good to me. There are no unnecessary password protections.

On Tuesday 14 December 2021 at 19:51:31 UTC+2 [email protected] wrote:

Thank you, Pekka

Before we can continue our discussion, could you please add any other documents relevant to this request? Make sure the documents are not password protected. I've been relying on the documents listed in Ben's initial announcement.

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "[email protected]" <[email protected]>
Date: 12/14/21 16:01 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>, "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

> You clarified that Telia CA is a group function of virtual Telia CA team from many Telia affiliates, in the meantime Mozilla accepts only real CA with disclosed locations that were "included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location".

I don't understand your statements above that we are not real or not disclosed our locations or audit criteria. Telia CA is a real CA under Telia Finland Oyj which is affiliate company of Telia Company AB. This is clearly disclosed in our CPS 1.3.1 using this wording: "The CA operating in compliance with this CPS is Telia CA. The legal entity responsible of Telia CA is Finnish company "Telia Finland Oyj" (BusinessID 1475607-9). Telia Finland Oyj is part of Swedish company "Telia Company AB" (BusinessID 5561034249)." Also our annual Webtrust audits clearly states that both countries have been in the audit scope. E.g. the last Webtrust report is using this wording: "... in providing its SSL and non-SSL Certification Authority (CA) services in Finland and Sweden, throughout the period 1 April 2020 to 31 March 2021, Telia has: -disclosed its SSL ...". The Full Webtrust audit reports are available at links below. Auditors have every year visited physically both countries since 2005 to verify all our operations. Also audit criteria (Webtrust and its versions) is clearly stated in our audit reports.

> a) Is this audit material available somewhere?

Yes, latest:
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTCA-20210628.pdf,
https://support.trust.telia.com/download/CA/Telia-2020-2021-WebTrust-Auditor-Report-WTBR-20210628.pdf

> The documents provided under this request show that Telia Company AB is a PKI participant whose roles/responsibilities within the CA are not disclosed. I'd suggest in your answers to focus on Telia Company AB CA/RA functions/responsibilities rather than ownership details - BRs and Mozilla policy do not assume any privileges for owners, affiliates or groups - CA's operational independence must be ensured and respected not only by its affiliates (including owners) but also by its own company management.

I don't understand. All participants, locations and audit reports are disclosed on our public web pages Telia Certificate Services Repository. Both RAs were included in the audits like explained above. Swedish RA may not be directly mentioned in CPS but none of our competitors is listing all their RA teams either. All our CA/RA employees are internal Telia persons. Telia Company AB hasn't any real CA/RA role, instead it is the owner of Telia Finland Oyj and thus indirectly owner of Telia CA. Audit reports show how all our CA/RA processes in all locations have passed audits with only minor deviations. Auditors also verify all locations and roles of all trusted persons. Company management assertions show that Telia Company Management is behind Telia CA. Our CP/CPS documents describe our processes in very detailed level. I think that different Telia company roles and responsibilities should be already clear but if any more responsibility description is required I'm happy to provide such.

> b) According to RFC 3647 BRs and Mozilla policy require CP and CPS, while this root has CPS only, correct?

Incorrect. Our disclosed CP/CPS is both at the same time. Chapter 1.2 clearly states: "This CPS is also a CP for Telia OV, DV and Seal certificates.". In many CP/CPS chapters there is at first more general CP description and then below how Telia CA has implemented such things.

> You explained that it's a Telia group function with two participants Telia Finland Oyj and Cygate AB, however based on 1) and the documents provided under this request, this CA has at least three PKI participants whose roles/responsibilities need to be disclosed.

I don't understand what would be the third Telia CA/RA participant you are referring. Telia Company AB's role as the owner has been already covered in my previous comments. I don't think owner is any real CA/RA role. The only real (functional) roles belong to Telia Finland Oyj which has the legal responsibility of Telia CA and of the Finnish RA team and Cygate AB which has the legal responsibility of our Swedish RA team.

> You explained that "We use affiliate like BR defines it", sorry, but this is a misunderstanding - in BRs affiliate is used in specific CA/RA operation contexts, so please be as specific as possible, what is the role of the affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia Lietuva)?

Telia Lithuania AB has no role in Telia CA/RA processes. Clear enough? They may be using Telia certificates there thus having "relying party"
role.

On Tuesday 14 December 2021 at 11:55:37 UTC+2 [email protected] wrote:

Thanks, Pekka

1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj's CA/RA operations?

You clarified that Telia CA is a group function of virtual Telia CA team from many Telia affiliates, in the meantime Mozilla accepts only real CA with disclosed locations that were "included in the scope of the audit or should have been included in the scope of the audit, whether the inspection was physically carried out in person at each location, and which audit criteria were checked (or not checked) at each location".

a) Is this audit material available somewhere?

The documents provided under this request show that Telia Company AB is a PKI participant whose roles/responsibilities within the CA are not disclosed. I'd suggest in your answers to focus on Telia Company AB CA/RA functions/responsibilities rather than ownership details - BRs and Mozilla policy do not assume any privileges for owners, affiliates or groups - CA's operational independence must be ensured and respected not only by its affiliates (including owners) but also by its own company management.

b) According to RFC 3647 BRs and Mozilla policy require CP and CPS, while this root has CPS only, correct?

2) Does "Telia CA Policy Management Team" mean Telia Finland Oyj?

You explained that it's a Telia group function with two participants Telia Finland Oyj and Cygate AB, however based on 1) and the documents provided under this request, this CA has at least three PKI participants whose roles/responsibilities need to be disclosed.

3) What is "affiliate" in terms of specific CA/RA functions?

You explained that "We use affiliate like BR defines it", sorry, but this is a misunderstanding - in BRs affiliate is used in specific CA/RA operation contexts, so please be as specific as possible, what is the role of the affiliate you mentioned earlier - Telia Lithuania (legal name AB Telia Lietuva)?

Thanks,
M.D.

Sent from my Galaxy

-------- Original message --------
From: "[email protected]" <[email protected]>
Date: 12/13/21 08:34 (GMT+02:00)
To: [email protected]
Cc: "[email protected]" <[email protected]>
Subject: Re: FW: RE: Public Discussion: Inclusion of Telia Root CA v2

1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj's CA/RA operations?

The main company "Telia Company AB" is the owner of the other Telia organizations (aka companies aka subsidiaries aka affiliates). Telia Finland Oyj and Cygate AB are such subsidiaries. Within Telia Company group, each subsidiary is responsible for running the operations. Telia Finland Oyj is the legal entity running Telia CA operations. Telia employees from many Telia companies may belong to group functions that create systems for the whole Telia group. E.g. Telia CA is a group function so that persons in virtual Telia CA team come from many Telia affiliates and thus from many countries. Complex but big enterprises may work like this. To simplify a bit you can say that Telia Finland is running Telia CA using resources from many Telia affiliates. And all is owned by Telia Company AB. All Telia CA employees belong legally to one of the Telia affiliates.

2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?

Telia CA Policy Management team is also a Telia group function like described above. Currently it has members from "Telia Finland Oyj" and "Cygate AB".

3) what is "affiliate" in terms of specific CA/RA functions?

We use affiliate like BR defines it: "Affiliate: A corporation, partnership, joint venture or other entity controlling, controlled by, or under common control with another entity, or an agency, department, political subdivision, or any entity operating under the direct control of a Government Entity." Resources to run CA/RA come from several Telia affiliates but CA belongs legally to Telia Finland Oyj. One RA belongs to and is run by Telia Finland Oyj and the other belongs to Cygate AB.

On Monday 13 December 2021 at 0:28:41 UTC+2 [email protected] wrote:

Forwarding to the list

Sent from my Galaxy

-------- Original message --------
From: md <[email protected]>
Date: 12/8/21 17:02 (GMT+02:00)
To: "Lahtiharju, Pekka" <[email protected]>, Ben Wilson <[email protected]>
Cc: "Liimatainen, Mika A." <[email protected]>, "Gholami, Ali" <[email protected]>
Subject: RE: Public Discussion: Inclusion of Telia Root CA v2

Good day, Pekka

Let's focus on information directly relevant to this CA. As you already explained, "Telia" is just a trademark used by Telia Finland Oyj, which is the CA - a legal entity behind this root inclusion request. You have also clarified that Telia Finland Oyj has two (undisclosed) RAs and a number of so called affiliates. We still need to understand:

1) How/if Telia Company AB is (Sweden) involved in Telia Finland Oyj's CA/RA operations?
2) does "Telia CA Policy Management Team" mean Telia Finland Oyj?
3) what is "affiliate" in terms of specific CA/RA functions?

Thanks,
M.D.

Sent from my Galaxy



-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/3661305c-0adb-436d-a091-46234cb00a1dn%40mozilla.org.



