Re: Including FNMT cert in Firefox 3 (Spanish government)
Gen Kanai wrote:
> On May 22, 2008, at 4:46 PM, Nukeador wrote:
>
>> You have to understand that it's a public CA, not a private
>> enterprise, FNMT is part of the Treasury and Economy Department of
>> Spain.
>
> FNMT is not the only public CA in the list.

Nukeador is speaking about the case of Public CA vs Private CA in Spain, not worldwide.

Pascal
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Including FNMT cert in Firefox 3 (Spanish government)
Eddy Nigg (StartCom Ltd.) wrote:
> Nukeador:
>> Eddy Nigg (StartCom Ltd.) wrote:
>>>
>>> Please make FNMT or the individual CAs aware of this fact and ask
>>> them to make a request for inclusion according to the guidelines from
>>> here: http://wiki.mozilla.org/CA:Root_Certificate_Requests
>>>
>>> There is nothing else you can do at this stage.
>>>
>> They have already done it in bug 408008
>> (https://bugzilla.mozilla.org/show_bug.cgi?id=408008), Cristina is
>> from FNMT and, as you can see, she sent all the information to the bug
>> via Pascal.
>>
> OK, I understand. This request is fairly new, but I also can't see
> anywhere at this bug that the representative of this CA submitted and
> completed all information required to start any evaluation according to
> http://wiki.mozilla.org/CA:Root_Certificate_Requests

This page was created in March; they provided all the data in February based on the scarce documentation we could point them to. You can't blame them for not following guidelines that didn't exist, especially if you haven't informed them personally of a process change after they provided the requested information.

>
> This bug can't be considered to be a request for inclusion. I suggest
> that the representative opens a new bug and provides all needed
> information according to the *template* from the above link. Once an
> inclusion request has been submitted correctly the request will be
> considered and processed accordingly. (Please also note that currently
> there is a backlog of processing CA inclusion requests.)
>

FNMT has emailed gerv asking if they should open a separate bug or not, asking if we needed more information and if they were following the right process. They didn't get any response; that's why I attached the files they had sent to the bug.

I understand that there is a long backlog, that everybody is busy and that other CAs are much more active on bugzilla than FNMT, but saying that they did it incorrectly while we had no clear process to follow and ignored their email is not correct; we definitely have our own wrongs on this issue (and probably other CAs). Fact is that a bug is open, that FNMT has contacted Mozilla Foundation directly both by email and in the bug, they provided the information we were asking and are waiting for us to get back to them with a yes or no answer.

Pascal
Re: Including FNMT cert in Firefox 3 (Spanish government)
Nelson B Bolyard wrote:
>
>> and in the bug, they provided the information we were asking
>
> They did? That information was supplied in comment 8 by a third
> party, namely you. Are you an official representative of FNMT?
> If not, then I suggest that you step back, and make it clear to
> FNMT that they must communicate with Mozilla directly in the bug.
> Again, that is not a new requirement. Mozilla has enforced that
> policy for years.

I am a Mozilla Corp. employee and a Mozilla Europe board member; Gerv, whom they contacted by email, is a Mozilla Foundation employee and has been visible as the Mozilla CA guy in Europe for a long time. Are you telling me that Cristina not creating the attachment herself but asking European Mozilla employees for help is not communicating with Mozilla?

Should I draw the conclusion from your comments that you are now the new person in charge of certificates for Mozilla Foundation, replacing Gerv?

Pascal
Re: Including FNMT cert in Firefox 3 (Spanish government)
Eddy Nigg (StartCom Ltd.) wrote:
> pascal:
>>
>> I am a Mozilla Corp. employee and a Mozilla Europe board member, Gerv
>> that they contacted by email is a Mozilla Foundation employee and has
>> been visible as the mozilla CA guy in Europe for a long time. Are you
>> telling me that Cristina not creating the attachment herself but asking
>> for help to European mozilla employees is not communicating with Mozilla?
>>
>> Should I draw the conclusion from your comments that you are now the new
>> person in charge of certificates for Mozilla Foundation replacing Gerv?
>>
>>
> Pascal, let me try to explain it better:
>
> 1.) Gerv is not the person in charge right now, but it's Frank Hecker
> since last October 2007.

Yes, apparently this information did not cross the pool to the European office...

>
> 2.) Mozilla needs much more than the CA root certificate. Mozilla needs
> all the information requested in the template, it needs information
> about policies and practice statements, audits, CRLs, OCSP responders
> and much, much more. Please see the pending requests at
> http://www.mozilla.org/projects/security/certs/pending/ and browse to
> the bugs of each entry. You'll see that they all had to provide
> information according to that template.
>

I'd say that all of this information is provided in the 200-page document provided by FNMT. If you think that some data is missing or incomplete, or that they haven't provided enough information on specific points, it should have been mentioned in the bug so that they can act upon it, IMO.

It is also not clear to me what FNMT has to do to go from bug 408008 to the above URL.

pascal
Re: Including FNMT cert in Firefox 3 (Spanish government)
Eddy Nigg (StartCom Ltd.) wrote:
> pascal:
>> Yes, apparently this information did not cross the pool to the european
>> office...
>>
>>
>
> :-)
>
>
>>
>> I'd say that all of these informations are provided into the 200 pages
>> document provided by FNMT,
>
> Which document? Can you point me to a link? I haven't seen anything like
> this...perhaps if you explain we can sort out the confusion.
>

Sure, here are the documents they have linked in their .doc explaining the audit and certificate policy:

http://www.cert.fnmt.es/content/pages_std/docs/dpc.pdf
http://www.cert.fnmt.es/content/pages_std/docs/ETSI.pdf

pascal
Re: Including FNMT cert in Firefox 3 (Spanish government)
Gervase Markham wrote:
> pascal wrote:
>> FNMT has emailed gerv asking if they should open a separate bug or not
>> asking if we needed more information and if they were following the
>> right process. They didn't get any response that's why I attached the
>> files they had sent to the bug.
>
> If people are emailing me specifically at [EMAIL PROTECTED] and not
> getting a response I want to know about it. (I would have directed them
> to Frank.)
>
> Gerv

That's the email they used, yes, so that would be an email address ending in @fnmt.es, sent in February or maybe March. Cristina contacted me in April (and actually sent emails to all European addresses she could find) for help:

"Hello, my managers tell me that a month ago they already sent you the data you requested from us, to the address [EMAIL PROTECTED], with no response. We don't know whether you received it or whether we are the ones who did not receive your reply. I am attaching the requested data; please guide me, if you can, through the steps we need to take so that it can be included. I am writing to several contacts in order to get the certificate included, but we are not managing to make progress. I am FNMT's contact with you, so you can raise anything with me. Thank you"

probably in your spam box :)

Pascal
Re: Including FNMT cert in Firefox 3 (Spanish government)
Frank Hecker wrote:
> And to add to this, for Pascal's benefit: I am responsible for the
> overall process of evaluating root CA certificates for inclusion in
> Mozilla, and I make the final decisions. Gerv has been at school and so
> has not been involved with certificate stuff for the past 9 months or
> so; however he may do some cert-related work this summer. Finally, we
> have a new person, Kathleen Wilson, helping gather information from CAs
> for use in our evaluation.
>

Great news, thanks Frank

Pascal
Building certificate trusted chain problem
Hello,

I am looking for some information about Firefox and its trusted chain building mechanism.

I have a certificate containing two URLs in the AIA extension:

1) p7c files containing cross-certificates
2) OCSP URL

I made two PKI domains, cross-certified with each other. I tried to verify the identity of a website in domain A and just added the CA of domain B to my keystore. With IE 6 & 7 it worked: CA B verified certificate A.

Problem: when I tried this with Firefox, there is a warning which informs me that the CA issuer isn't trusted.

Do you have any idea how to solve this problem, or is there any module to add?

Best regards,
Pascal

Firefox 3.0.5
NSS 3.12
Windows XP/Vista
Linux Fedora 10 x64

--
View this message in context: http://www.nabble.com/Building-certificate-trusted-chain-problem-tp21833645p21833645.html
Sent from the Mozilla - Cryptography mailing list archive at Nabble.com.
How to import a p7c file into Firefox?
Hi,

does anybody have a solution to automatically import (via the AIA extension) some certificates which are in a p7c file? It works with IE 6 & 7.

Best regards,
Pascal
Re: How to import a p7c file into Firefox?
Hi,

thank you for your reply.

In fact, I have a certificate containing an AIA extension. In this extension, there is the URL of my .p7c file, which includes 3 certificates. These certificates are required to build the trusted chain.

To explain: I have two PKI domains, A and B. A server in domain A, server A, is in SSL mode. Its certificate contains the AIA extension, as I said at the beginning of the post. A user in domain B, user B, has his own CA root certificate, CA root B, in his certificate store. The p7c file provides the browser with the cross-certificates needed to build the certification chain.

>If you expect NSS to fetch chained certificates through Internet
>download then it is correct that Firefox doesn't do that.

How can I do that? Could you advise me?

Best regards,
Pascal
Re: How to import a p7c file into Firefox?
Hi,

>Include all the certificates which chain from the original end-user
>certificate into the PKCS7 file. Firefox should import them happily.

I agree with you, that's what I've done.

In fact, the problem is: the EE certificate contains an AIA extension which points to a p7c file. In this p7c file, there is a cross-certificate which also contains an AIA extension with the URL of another p7c file. In this p7c file, there is the second cross-certificate, and the user who receives the EE certificate can validate the certificate with his own CA root. Is it possible to do that with Firefox?

>If you expect NSS to fetch chained certificates through Internet
>download then it is correct that Firefox doesn't do that.

Is there any button or configuration in Firefox to do that?

Best regards,
Pascal
Re: Public CPS Requirement [Was: Certigna Root Inclusion Request]
On Feb 11, 05:16, Frank Hecker wrote:
> Eddy Nigg wrote:
> > On 02/10/2009 10:06 PM, Frank Hecker:
> >> If you cannot publish the CPS because it contains private information, I
> >> suggest as an alternative that you provide some sort of official
> >> Certigna document that summarizes the portions of the CPS that are of
> >> most interest to us (i.e., those relating to validation of subscriber
> >> information).
> >
> > That would be a precedent too which I wouldn't recommend. We really want
> > to know what was audited, don't we?
>
> See my comment to David Ross.
>
> Frank
>
> --
> Frank Hecker
> hec...@mozillafoundation.org

I don't really understand what the matter is.

This CA has obtained ETSI TS 102042 certification from LSTI. I've found the information at http://www.lsti-certification.fr/index.php?option=com_content&view=article&id=55&Itemid=15

This company has an agreement from COFRAC, the official French committee of accreditation. The COFRAC has published an audit guide for CA audits.

So, I suppose that these auditors have done their job according to this guide, which is in my opinion very exhaustive. So I wonder why some people here want to investigate so deeply...

Pascal MERLIN
Security consultant
www.auditiel.fr