Does SERPRO expect to use external registration authorities in the near future?
Currently we already use external registration authorities. What identity validation tasks will they perform? Where are the procedures for them documented? Each RA, which issues CA SERPRO SSL certificates, uses specific operating procedures. For each RA associated with CA, specific training was carried out and validators specialized in this type of issue were trained. We carry out the checks provided for in BR SSL, such as validating the domain following the item: 3.2.2.4.2 and 3.2.2.4.18, in addition to searching the URL, which we look for through the google transparency report (https://transparencyreport. google.com/safe-browsing/search?url= ). If the search returns a message that SOME NOT secure content WAS found, the requester is informed that it will not be possible to issue the certificate for the URL in question until this situation is resolved. We also make the query using the WHOis tool ( https://registro.br/tecnologia/ferramentas/whois/ ). This query aims to verify: a) which organization is responsible for the domain with Registro.Br; b) which person or which area of the organization is registered as responsible for the domain. There are conditions to follow the approval, that is, if the requester is the same as responsible for the domain or if the name and e-mail constant in the request also match what appears in the domain. For domains other than .br, we use the link https://who.is/ with the same criteria mentioned above. We also validate whether the requester has management of the request address (URL) Obs. 1: This requirement shows that the requester has management (control) over the request address (URL). This evidence is automatically confirmed by the CA software. Obs. 2: The customer/applicant, right after the request in the CA software, receives the instructions in his e-mail on how to proceed to carry out this test of control as foreseen in the operational procedure. All of these procedures are carried out at the time of requesting the certificate, including the CA software automatically validating the proof of control, in addition to validating the applicant's possession and the company's and applicant's documents. In addition to verifying the certificates issued by the CA, we also follow the rule provided for in BR SSL, to perform a self-audit of three percent of the Certificates issued by the CA, on a quarterly basis. Em sábado, 10 de dezembro de 2022 às 22:50:13 UTC-3, Charles Reiss escreveu: > > > On Wednesday, December 7, 2022 at 2:40:23 PM UTC-5 Lucia Castelli wrote: > >> Hi Charles, >> >> Answers: >> 1 - The external registration authorities that are mentioned are the ones >> that were later linked to CA SERPRO SSL. >> >> At the beginning of the CA, during the point in time and period of time >> audit, we only used the SERPRO(AR SERPRO) registration authority(internal >> registration authority) >> > Does SERPRO expect to use external registration authorities in the near > future? If so, what identity validation tasks will they perform? Where are > the procedures for them documented? > > - Charles Reiss > > >> -- You received this message because you are subscribed to the Google Groups "public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/bfc5223f-36b8-4c7a-acc1-6da82e53b20en%40ccadb.org.
