This email closes public discussion and is notice that it is Mozilla’s intent to approve NAVER's request for inclusion. (This starts a 7-day period of last call for objections.)
On Mon, Nov 9, 2020 at 2:10 PM Ben Wilson <bwil...@mozilla.com> wrote: > Step 6 of CA Application Process > <https://wiki.mozilla.org/CA/Application_Process>: *Summary of > Discussion and Resulting Decision:* > > One commenter stated that it appeared that a few certificates were > misissued, i.e. that the stateOrProvinceName field (“S” field) should > probably be the "Gyeonggi-do" as the "Seongnam-si" entered is a city. A > NAVER representative responded that it had fixed the DN structure with L > equal to "Seongnam-si" as city name and S field as "Gyeonggi-do" for > province name. NAVER also added a procedure, in compliance with ISO > 3166-2, to put province information correctly in the S field of user DN for > newly issued certificates. > > A second commenter noted that: (1) wording in the CPS could allow NAVER to > avoid revoking problematic certificates by relying on Korean law; (2) > “relevant legislation” was not referenced in > sections 9.14 and 9.16.3 as required by BR section 9.16.3; and (3) the > list of events logged did not include "All verification activities" as > required by BR section 5.4.1(2). > > Responses to the foregoing included the following: (1) a certificate not > revoked because of Korean law would be a BR violation and the CA would be > required to previously disclose this according to BR section 9.16.3 (the > conflicting requirement could be modified “to the minimum extent necessary > to make the requirement valid and legal” and the CA would have to notify > the CA/Browser Forum of such practice change so that the Forum could react > appropriately. NAVER also stated, “we found that there are no South Korea’s > laws and regulations which affect or refuse the revocation of certificates > that violated the BRs issued by a commercial CA”. (2) A third commenter > stated, “Note that, in this case, the particular language you're concerned > about is part of the BRs themselves, in 4.9.5. However, this is about > ‘when’ to revoke. I think you raise an interesting point that would > benefit from clarification from NAVER, because I think you're correct that > we should be concerned that the shift from ‘when’ to revoke has become > ‘whether’ to revoke, and that is an important difference.” As a result of > these comments, NAVER amended sections 4.9.5, 9.14, and 9.16.3. > > Section 4.9.5 of the NAVER CPS now reads, “The period from receipt of the > Certificate Problem Report or revocation-related notice to published > revocation must not exceed the time frame set forth in Section 4.9.1.1. The > date selected by NAVER Cloud will consider the following criteria: … > Relevant legislation.” > > Section 9.14 of the NAVER CPS now states, “This CPS is governed, construed > and interpreted in accordance with the laws of Republic of Korea. This > choice of law is made to ensure uniform interpretation of this CPS, > regardless of the place of residence or place of use of NAVER Cloud > Certificates or other products and services. The law of Republic of Korea > applies also to all NAVER Cloud commercial or contractual relationships in > which this CPS may apply or quoted implicitly or explicitly in relation to > NAVER Cloud products and services where NAVER Cloud acts as a provider, > supplier, beneficiary receiver or otherwise.” > > (Note that section 1.1 of the NAVER CPS states, “In the event of any > inconsistency between this CPS and the Baseline Requirements, the Baseline > Requirements take precedence over this document.”) > > Section 9.16.3 has been amended by adding a paragraph reading, “In the > event of a conflict between CABF Baseline Requirements and a law, > regulation or government order (hereinafter ‘Law’) of any jurisdiction in > which a CA operates or issues certificates, NAVER Cloud modifies any > conflicting requirement to the minimum extent necessary to make the > requirement valid and legal in the jurisdiction. This applies only to > operations or certificate issuances that are subject to that Law. In such > event, NAVER Cloud immediately (and prior to issuing a certificate under > the modified requirement) includes in Section 9.16.3 of this CPS a detailed > reference to the Law requiring a modification of these Requirements under > this section, and the specific modification to these Requirements > implemented by NAVER Cloud.” > > (3) Section 5.4.1 now states that “NAVER Cloud records at least the > following events: … 2. Subscriber Certificate lifecycle management > events, including: … b. All verification activities stipulated in these > Requirements and the CA’s Certification Practice Statement”. > > A key take-away from a review of these comments and responses is the need > for each CA’s CPS language to provide a firm commitment to revoke > certificates on a timely basis. I think members of the Mozilla community do > not want to have to worry about “when” or “whether” a certificate will be > revoked. In sections 4.9.1.1 and 4.9.5 of the NAVER CPS, NAVER has adopted > essentially the 24-hour and 5-day timeframes of sections 4.9.1.1 and 4.9.5 > of the Baseline Requirements. Certainly, all CAs could improve the > descriptions of their revocation processes, but this language in the NAVER > CPS meets the minimum requirements. Hopefully, NAVER and other CAs will not > only strive to improve their CPS revocation language, but also strive to > revoke certificates quickly when one of the criteria is met. > > Are there any final comments or issues that have not been addressed? If > not, I will be closing public discussion tomorrow [Step 9] and giving > notice that it is Mozilla’s intent to approve NAVER's request for > inclusion [Step 10]. > > Thanks, > > Ben > > > On Thu, Nov 5, 2020 at 8:55 AM Sooyoung Eo via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > >> Thank you all for the comments during the public discussion phase. >> All matters raised in this public discussion has been fixed and then >> published >> our revised CPS, including changes in sections 4.9.3, 4.9.5, 5.4.1, 9.14, >> and 9.16.3. >> >> You can find the revised CPS v1.5.0 at our repository. >> https://certificate.naver.com/bbs/initCrtfcJob.do >> (directly download link: >> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=8458f988c4994fc2b5fbae53a0c704c7.pdf&atch_real_file_nm=NAVER%20Cloud%20CPS%20v1.5.0.pdf >> ) >> >> To minimize confusion, I would like to metion that "NAVER BUSINESS >> PLATFORM" >> has been renamed to "NAVER Cloud" without any changes on the ownership of >> the company and Certification Authority on October 26, 2020. >> >> Kind Regards, >> Sooyoung Eo >> >> >> 2020년 11월 4일 수요일 오전 7시 50분 27초 UTC+9에 Ben Wilson님이 작성한 내용: >> > The 3-week public discussion was to close on Monday, but I'd like Naver >> to >> > provide any further final comments and give anyone else an opportunity >> to >> > comment through this Thursday, and then I will proceed with Steps 6-10 >> > (summarize matters, note any remaining items, and make a last call for >> > objections). >> > On Fri, Oct 23, 2020 at 10:04 AM Sooyoung Eo via dev-security-policy < >> > dev-secur...@lists.mozilla.org> wrote: >> > >> > > 2020년 10월 10일 토요일 오전 7시 31분 12초 UTC+9에 George님이 작성한 내용: >> > > > Minor but it seems like all certificates with a stateOrProvinceName >> > > field are misissued. The ST field should probably be the >> "Gyeonggi-do" as >> > > the "Seongnam-si" entered is a city. >> > > > >> > > > >> > > > >> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐ >> > > > On Friday, 9 October 2020 23:09, Ben Wilson via dev-security-policy >> < >> > > dev-secur...@lists.mozilla.org> wrote: >> > > > >> > > > > Dear All, >> > > > > >> > > > > This is to announce the beginning of the public discussion phase >> of >> > > the >> > > > > Mozilla root CA inclusion process, >> > > > > https://wiki.mozilla.org/CA/Application_Process#Process_Overview, >> >> > > (Steps 4 >> > > > > through 9). Mozilla is considering approval of NAVER Business >> Platform >> > > > > Corp.’s request to include the NAVER Global Root Certification >> > > Authority as >> > > > > a trust anchor with the websites trust bit enabled, as documented >> in >> > > the >> > > > > following Bugzilla case: >> > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221. I hereby >> > > initiate a >> > > > > 3-week comment period, after which if no concerns are raised, we >> will >> > > close >> > > > > the discussion and the request may proceed to the approval phase >> (Step >> > > 10). >> > > > > >> > > > > A Summary of Information Gathered and Verified appears here in >> the >> > > CCADB: >> > > > > >> > > > > >> > > >> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000261 >> > > > > >> > > > > *NAVER Global Root Certification Authority, *valid from 8/18/2017 >> to >> > > > > 8/18/2037 >> > > > > >> > > > > SHA2: >> 88F438DCF8FFD1FA8F429115FFE5F82AE1E06E0C70C375FAAD717B34A49E7265 >> > > > > >> > > > > https://crt.sh/?id=1321953839 >> > > > > >> > > > > Root Certificate Download: >> > > > > >> > > > > >> > > >> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=CERTILIST&atch_file_nm=1c3763b33dbf457d8672371567fd1a12.crt&atch_real_file_nm=naverrca1.crt >> > > > > >> > > > > CP/CPS: >> > > > > >> > > > > Comments 29 ( >> https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c29) >> > > >> > > > > through 42 in Bugzilla contain discussion concerning the CPS and >> > > revisions >> > > > > thereto. >> > > > > >> > > > > Current CPS is version 1.4.3: >> > > > > >> > > > > >> > > >> https://certificate.naver.com/cmmn/fileDown.do?atch_file_path=POLICY&atch_file_nm=b2daecb6db1846d8aeaf6f41a7aea987.pdf&atch_real_file_nm=NBP >> > > Certification Practice Statement v1.4.3.pdf >> > > > > >> > > > > Repository location: >> https://certificate.naver.com/bbs/initCrtfcJob.do >> > > > > >> > > > > BR Self Assessment (Excel file) is located here: >> > > > > >> > > > > https://bugzilla.mozilla.org/attachment.cgi?id=9063955 >> > > > > >> > > > > Audits: Annual audits are performed by Deloitte according to the >> > > > > WebTrust Standard and WebTrust Baseline Requirements audit >> criteria. >> > > See >> > > > > webtrust.org. The last complete audit period for NAVER was from >> 1 >> > > December >> > > > > 2018 to 30 November 2019 and no issues were found. However, the >> audit >> > > > > report was dated 28 April 2020, which was more than three months >> > > following >> > > > > the end of the audit period. The explanation for the delay in >> > > obtaining the >> > > > > audit report was as follows, “NBP had received a notification >> mail on >> > > > > updating the audit information from CCADB support in March since >> the >> > > Root >> > > > > certificate is only included into Microsoft Root Program. >> According to >> > > > > instructions on the email, I explained that NBP would submit the >> audit >> > > > > update information in April to Microsoft.” The current audit >> period >> > > ends >> > > > > 30 November 2020. >> > > > > >> > > > > *Mis-Issuances * >> > > > > >> > > > > According to crt.sh and censys.io, the issuing CA under this >> root >> > > > > (NAVER Secure Certification Authority 1) has issued approximately >> 80 >> > > > > certificates. I ran the following query for the issuing CA to >> identify >> > > any >> > > > > mis-issuances: >> > > > > >> > > >> https://crt.sh/?caid=126361&opt=cablint,zlint,x509lint&minNotBefore=2017-08-18, >> >> > > >> > > > > and during the course of our review, we identified six test >> > > certificates >> > > > > with errors. (Such certificates have either been revoked or have >> > > expired). >> > > > > See: >> > > > > >> > > > > https://crt.sh/?id=2132664529&opt=cablint,zlint,x509lint >> > > > > >> > > > > https://crt.sh/?id=2102184572&opt=cablint,zlint,x509lint >> > > > > >> > > > > https://crt.sh/?id=1478365347&opt=cablint,zlint,x509lint >> > > > > >> > > > > https://crt.sh/?id=2149282089&opt=cablint,zlint,x509lint >> > > > > >> > > > > https://crt.sh/?id=2149282369&opt=cablint,zlint,x509lint >> > > > > >> > > > > https://crt.sh/?id=2282123486&opt=cablint,zlint,x509lint >> > > > > >> > > > > The explanation provided ( >> > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1404221#c27) was >> > > “Regarding >> > > > > CA/B Forum and X.509 lint tests NBP figured out two(2) >> certificates >> > > which >> > > > > were not complied with BRs right after issuing them. The domains >> on >> > > SANs of >> > > > > the certificates were owned and controlled by NBP. They were >> > > immediately >> > > > > revoked according to CA procedures. For ZLint tests, the >> certificate >> > > (CN= >> > > > > test2-certificate.naver.com) had been issued and became expired >> in >> > > > > compliance with CA Browser Forum BRs and RFC 5280. I understand >> there >> > > is a >> > > > > specific Mozilla policy on Authority Key IDs. NBP already fixed >> the >> > > system >> > > > > functions. There is no such valid certificate and NBP CA >> currently >> > > issues >> > > > > certificates fully complied with the Mozilla policy. You can see >> the >> > > new >> > > > > certificate (CN= test2-certificate.naver.com) was issued without >> any >> > > error >> > > > > at https://crt.sh/?id=2824319278.” >> > > > > >> > > > > I have no further questions or concerns at this time, however I >> urge >> > > anyone >> > > > > with concerns or questions to raise them by replying to this list >> > > under the >> > > > > subject heading above. >> > > > > >> > > > > Again, this email begins a three-week public discussion period, >> which >> > > I’m >> > > > > scheduling to close on Monday, 2-November-2020. >> > > > > >> > > > > Sincerely yours, >> > > > > >> > > > > Ben Wilson >> > > > > >> > > > > Mozilla Root Program >> > > > > >> > > > > dev-security-policy mailing list >> > > > > dev-secur...@lists.mozilla.org >> > > > > https://lists.mozilla.org/listinfo/dev-security-policy >> > > >> > > Hello, I am Sooyoung at NAVER Business Platform. >> > > >> > > As George mentioned, all the certificates, with both of city and >> province >> > > names in stateOrProvinceName field, were issued to NAVER Business >> Platform >> > > (NBP) for test domains. The addresses were verified correctly when >> issuing >> > > them. NBP reflected George’s comment and has fixed the DN structure. >> You >> > > can directly check the issued certificate including the new DN (L is >> > > "Seongnam-si" as city name and S field is "Gyeonggi-do" as province >> name) >> > > as below. >> > > https://crt.sh/?id=3510606493 >> > > >> > > NBP also added additional verification process, in compliance with >> ISO >> > > 3166-2, in order to put province information correctly in S field of >> user >> > > DN for newly issued certificates. >> > > _______________________________________________ >> > > dev-security-policy mailing list >> > > dev-secur...@lists.mozilla.org >> > > https://lists.mozilla.org/listinfo/dev-security-policy >> > > >> _______________________________________________ >> dev-security-policy mailing list >> dev-security-policy@lists.mozilla.org >> https://lists.mozilla.org/listinfo/dev-security-policy >> > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy