Hi Charles,

Answers:

1 - The external registration authorities that are mentioned are the ones that were later linked to CA SERPRO SSL. At the beginning of the CA, during the point in time and period of time audit, we only used the SERPRO (AR SERPRO) registration authority (internal registration authority). About the CPS, I will be updating it immediately and publishing it on the CCADB and on our CA page.

2 - As I explained earlier, we had problems with the SAN of all these certificates, alerted by Mozilla to our Root CA, as the Root CA rules overlapped the BR SSL rules. Unfortunately, due to the very large number of certificates, it was not possible to fulfill what is expected (24 hours timeline), both from the BR SSL regulations and what we reflect in our regulations (CPS). These revocations, unfortunately, lasted much longer than expected. We understand that we would not, yet, be infringing the rules, because our certificate is not in the Mozilla program.

On Tuesday, 6 December 2022 at 15:00:40 UTC-3, Charles Reiss wrote:

> 1. The WebTrust audit for period ending 29 May 2022 states:
>
> "SERPRO-CA makes use of external registration authorities for specific subscriber registration activities as disclosed in SERPRO-CA’s business practices. Our procedures did not extend to the controls exercised by these external registration authorities."
>
> But section 1.3.2 of the CPS seems to only mention an internal RA. What external RAs is the audit statement referring to?
>
> 2. The period of time audit for May 2020-2021 appears to be at https://repositorio.serpro.gov.br/docs/auditoria/02_-_AC_SERPRO_SSL_Webtrust_BR_SSL_and_Network_Security_-_Period_of_Time_Audit_Report.pdf . In this audit the malformed SANs others have found are noted and the management's assertions state that SERPRO "started the certificate revocation process, with subsequent re-issuance, a process that is in progress" in a statement dated 25 August 2021.
> The CRL for the "Autoridade Certificadora do SERPRO SSLv1" subCA appears to have timestamps well into September for when these certificates are actually revoked (for example, https://crt.sh/?id=4541931304 has revocation timestamped 9 September). This seems to violate the 24-hour timeline expected in the BRs and SERPRO's CPS for revocation once SERPRO becomes aware certificates were issued in error.
>
> On Wednesday, November 16, 2022 at 10:52:33 PM UTC-5 [email protected] wrote:
>
>> All,
>>
>> This is to announce the beginning of a six-week public discussion period for the inclusion request of Serviço Federal de Processamento de Dados (SERPRO) (Bug # 1677631 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631>, CCADB Case # 680 <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000680>) for its Autoridade Certificadora do SERPRO SSLv1 issuing CA certificate (SERPRO SSLv1), issued under the Autoridade Certificadora Raiz Brasileira v10, which is the root CA designated under the Brazilian PKI for support of TLS certificate issuance. Mozilla is considering SERPRO’s request to add the SERPRO SSLv1 CA as a trust anchor with the websites trust bit enabled.
>>
>> Download – https://repositorio.serpro.gov.br/cadeias/serprossl.crt
>>
>> crt.sh - https://crt.sh/?sha256=08FC942D5176E568ACBEF9C595F36A20DE6ACF9EA30C6F5FCEDD48216ED5B070
>>
>> *Repository:* The SERPRO document repository is located here: https://certificados.serpro.gov.br/serprossl/certification-policies.
>>
>> *Relevant Policy and Practices Documentation:*
>>
>> An English version of the SERPRO CPS (v.4.2), March 2022, is available here: https://repositorio.serpro.gov.br/docs/CPS_SERPRO_SSL_CA.pdf
>>
>> *Self-Assessments and Mozilla CPS Reviews* are located within Bug # 1677631 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631>:
>>
>> AC_SERPRO_SSL_Self_Assessment.ods <https://bugzilla.mozilla.org/attachment.cgi?id=9192419>
>>
>> Mozilla’s CP/CPS Review comments – Comment #2 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c2>, Comment #73 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c73>, and Comment #77 <https://bugzilla.mozilla.org/show_bug.cgi?id=1677631#c77>
>>
>> *Value-vs-Risk Justification from SERPRO –* see Value vs Risk_SERPRO_SSL_CA.pdf <https://bugzilla.mozilla.org/attachment.cgi?id=9292088>
>>
>> *Audits:* Annual audits have been performed by PKI Contabilidade e Auditoria Ltda in accordance with the Webtrust Principles and Criteria for Certification Authorities. The most recent audits available were published on July 22, 2022, for the period ending May 29, 2022. See
>>
>> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=b6a5cf89-dd0a-484e-bad5-5cf4faeb10a0 (Standard Webtrust)
>>
>> https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?attachmentid=5bee38f1-db75-46fe-91df-2ff67c6f0560 (WebTrust Baseline Requirements)
>>
>> I have no other questions related to SERPRO’s inclusion request; however, I urge anyone with concerns or questions to raise them on this list by replying directly in this discussion thread. Likewise, a representative of SERPRO must promptly respond directly in the discussion thread to all questions that are posted.
>>
>> This email begins a 6-week period for public discussion and comment, which I’m scheduling to close on or about December 31, 2022, after which, if no concerns are raised, we will close the discussion and the request may proceed to Mozilla’s one-week “last-call” phase.
>>
>> Sincerely yours,
>>
>> Ben Wilson
>>
>> Mozilla Root Program Manager
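The CRL-timestamp point raised in the thread can be checked mechanically; the script below is an added example, not code from the thread or from SERPRO. It parses openssl-style `crl -text` output and reports entries revoked more than 24 hours after the CA became aware of the problem. The CRL text and serial numbers are constructed placeholders, and the awareness time is assumed to be the 25 August 2021 management-assertion date.

```python
"""Flag CRL entries revoked outside the BR 24-hour revocation window."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on `openssl crl -text -noout` output.
# Serial numbers are placeholders, not SERPRO's real certificates.
SAMPLE_CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 0A0B0C0D01
        Revocation Date: Aug 25 18:30:00 2021 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: 0A0B0C0D02
        Revocation Date: Aug 27 09:15:00 2021 GMT
    Serial Number: 0A0B0C0D03
        Revocation Date: Sep  9 11:42:10 2021 GMT
"""

# Assumption: the CA is treated as aware from the start of 25 August 2021,
# the date of the management assertion quoted in the thread.
AWARE_AT = datetime(2021, 8, 25, 0, 0, tzinfo=timezone.utc)
BR_WINDOW = timedelta(hours=24)

ENTRY_RE = re.compile(
    r"Serial Number:\s*([0-9A-Fa-f]+)\s*\n\s*Revocation Date:\s*(.+?)\s*\n"
)


def parse_crl_text(text):
    """Return [(serial, revocation datetime in UTC)] from openssl-style text."""
    entries = []
    for serial, date_str in ENTRY_RE.findall(text):
        # openssl pads single-digit days ("Sep  9"); collapse the spacing.
        when = datetime.strptime(" ".join(date_str.split()),
                                 "%b %d %H:%M:%S %Y %Z")
        entries.append((serial.upper(), when.replace(tzinfo=timezone.utc)))
    return entries


def late_revocations(entries, aware_at=AWARE_AT, window=BR_WINDOW):
    """Return {serial: whole hours past the deadline} for late entries."""
    deadline = aware_at + window
    return {serial: int((when - deadline).total_seconds() // 3600)
            for serial, when in entries if when > deadline}


if __name__ == "__main__":
    for serial, hours in late_revocations(parse_crl_text(SAMPLE_CRL_TEXT)).items():
        print(f"{serial}: revoked {hours} h after the 24-hour deadline")
```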
