Sorry for chiming in late, I was monitoring this discussion and thought
of adding a comment about the completeness of audit reports.
In my understanding, when Mozilla or any other Root Program is
evaluating audit reports (Point-in-Time or Period-of-Time), they must
confirm that all entities/functions that should be audited, are included
in the submitted audit reports.
It is acceptable to submit multiple audit reports when multiple legal
entities fulfill different CA functions, but at the end of the day all
functions that need to be audited must be accounted for.
If the CA is company A and they have an external RA which is company B,
then one of the following is acceptable:
a) Company A presents an audit report that contains its own CA
operations AND the operations of company B, which means that the auditor
of company A has engaged into independently evaluating the RA operations
of company B
b) Company A presents an audit report that contains its own CA
operations and states that it did not evaluate operations of external RA
of company B, and there is a separate external audit report of company B
which independently evaluates the RA operations of company B. Together,
these two audit reports prove that all audited functions have been
performed and nothing is missing.
If I understand one of Moudrick's concerns (obviously he has plenty of
concerns but I only focus on the audit completeness), the audit report
submitted by Telia does not include an opinion on "external RAs" which
means that we are missing an audit report about these external RAs.
AFAIK, external RAs are not exempt and must be audited by a qualified
(external) auditor. Unless I am missing something, I believe that only
Enterprise RAs can exist without external audits.
Ryan, Peter, do you agree with the last comment?
Thanks,
Dimitris.
PS: I was trying to find the right message in the various existing
threads to reply to but it was too many messages to process, so
apologies for starting a new thread.
On 1/12/2021 5:15 μ.μ., Ben Wilson wrote:
All,
This is to announce the beginning of the public discussion phase of
the Mozilla root CA inclusion process
(https://wiki.mozilla.org/CA/Application_Process#Process_Overview -
Steps 4 through 9) for Telia’s inclusion request for the Telia Root CA
v2 (https://crt.sh/?id=1199641739).
Mozilla is considering approving Telia’s request to add the root as a
trust anchor with the websites and email trust bits as documented in
Bugzilla #1664161
<https://bugzilla.mozilla.org/show_bug.cgi?id=1664161> and CCADB Case
#660
<https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000660>.
This email begins the 3-week comment period, after which, if no
concerns are raised, we will close the discussion and the request may
proceed to the approval phase (Step 10).
*Summary*
This CA certificate for Telia Root CA v2 is valid from 29-Nov-2018 to
29-Nov-2043.
*SHA2 Certificate Hash:*
242B69742FCB1E5B2ABF98898B94572187544E5B4D9911786573621F6A74B82C
*Root Certificate Downloads:*
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.cer
https://support.trust.telia.com/repository/teliarootcav2_selfsigned.pem
*CP/CPS:* Effective October 14, 2021, the current CPS for the Telia
Root CA v2 may be downloaded here:
https://cps.trust.telia.com/Telia_Server_Certificate_CPS_v4.4.pdf (v.4.4).
Repository location: https://cps.trust.telia.com/
*Test Websites:*
Valid - https://juolukka.cover.telia.fi:10603/
Revoked - https://juolukka.cover.telia.fi:10604/
Expired - https://juolukka.cover.telia.fi:10605/
*BR Self Assessment* (PDF) is located here:
https://support.trust.telia.com/download/CA/Telia_CA_BR_Self_Assessment.pdf
*Audits:*Annual audits are performed by KPMG. The most recent audits
were completed for the period ending March 31, 2021, according to
WebTrust audit criteria. The standard WebTrust audit (in accordance
with v.2.2.1) contained no adverse findings. The WebTrust Baseline
Requirements audit (in accordance with v.2.4.1) was qualified based on
the fact that the Telia Root CA v1 certificate
<https://crt.sh/?id=989582> did not include subject:countryName. (The
Telia Root CA v2 contains a subject:countryName of “FI”.)
Attachment B to the WebTrust Baseline Requirements audit report listed
eight (8) Bugzilla bugs for incidents open during the 2020-2021 audit
period, which are now resolved as fixed.They were as follows:
*Link to Bugzilla Bug*
*Matterdescription***
https://bugzilla.mozilla.org/show_bug.cgi?id=1614311
Two CA certificates not listed in 2020 WebTrust audit report
https://bugzilla.mozilla.org/show_bug.cgi?id=1612332
Ambiguity on KeyUsage with ECC public key
https://bugzilla.mozilla.org/show_bug.cgi?id=1551372
One Telia certificate containing a stateOrProvinceName of “Some-State”
https://bugzilla.mozilla.org/show_bug.cgi?id=1649683
Two Telia’s pre-2012 rootCA certificates aren’t fully compliant with
Baseline Requirements
https://bugzilla.mozilla.org/show_bug.cgi?id=1637854
AIA CA Issuer field pointing to PEM-encoded certificate
https://bugzilla.mozilla.org/show_bug.cgi?id=1674536
Certificates with RSA keys where modulus is not divisible by 8
https://bugzilla.mozilla.org/show_bug.cgi?id=1565270
Subject field automatic check in CA system
https://bugzilla.mozilla.org/show_bug.cgi?id=1689589
Disallowed curve (P-521) in leaf certificate
Recent, open bugs/incidents are the following:
*Link to Bugzilla Bug*
*Matterdescription***
https://bugzilla.mozilla.org/show_bug.cgi?id=1738207
Issued three precertificates with non-NIST EC curve
https://bugzilla.mozilla.org/show_bug.cgi?id=1736020
Invalid email contact address was used for few domains
https://bugzilla.mozilla.org/show_bug.cgi?id=1737808
Delayed revocation of 5 EE certificates in connection to id=1736020
I have no further questions or concerns about this inclusion request,
however I urge anyone with concerns or questions to raise them on this
list by replying directly in this discussion thread. Likewise, a
representative of Telia must promptly respond directly in the
discussion thread to all questions that are posted.
Again, this email begins a three-week public discussion period, which
I’m scheduling to close on December 22, 2021.
Sincerely yours,
Ben Wilson
Mozilla Root Program
--
You received this message because you are subscribed to the Google
Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZj87QS3jL7R_32JEnfPZeU4hBNBJ%2BGHWU_pUdqF%3Dbbg%40mail.gmail.com
<https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaZZj87QS3jL7R_32JEnfPZeU4hBNBJ%2BGHWU_pUdqF%3Dbbg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
--
You received this message because you are subscribed to the Google Groups
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/5f2835a8-61f5-3a98-e7dc-8a4ff1f45e70%40it.auth.gr.
