The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate
Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual
errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where Government of Spain, Fábrica Nacional de 
Moneda y Timbre (FNMT) has knowingly issued certificates for fraudulent use. If 
anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
FNMT appears to provide a service relevant to Mozilla users. It provides 
services to Spain as a national CA. 

Root Certificate Name: AC RAIZ FNMT-RCM
O From Issuer Field: FNMT-RCM
Trust Bits: Websites
EV Policy OID(s): Not EV
Root Certificate Download URL: http://www.cert.fnmt.es/certs/ACRAIZFNMTRCM.crt

CA Document Repository: https://www.sede.fnmt.gob.es/normativa/declaracion-de-practicas-de-certificacion
CP: https://www.sede.fnmt.gob.es/documents/11614/67070/dpc_componentes_english.pdf/
CPS: https://www.sede.fnmt.gob.es/documents/11614/137578/dpc_english.pdf/
Updated CPS attached to bug February 2015:
https://bug435736.bugzilla.mozilla.org/attachment.cgi?id=8565442

Certificate Revocation
OCSP URL(s): 
http://ocspape.cert.fnmt.es/ocspape/OcspResponder
http://ocspap.cert.fnmt.es/ocspap/OcspResponder

Inclusion Policy Section 7 [Validation]. 
FNMT appears to meet the minimum requirements for subscriber verification, as 
follows:

* SSL Verification Procedures: According to section 6.1.3 of
dpc_componentes_english.pdf, if the Certificate is associated with one
or more Internet domains, the Registry Office will check, on the
authorized domain registrars' databases, that the title holder of the
domain and the Certificate Subscriber match, and will keep proof of the
inquiry.

* EV SSL Verification Procedures: Not requesting EV treatment
* Email Verification Procedures: Not requesting Email trust bit
* Code Signing Subscriber Verification Procedure: Not requesting Code Signing 
trust bit

Inclusion Policy Sections 11-14 [Audit]. 
See Comment #165 for details about FNMT's audits.

Inclusion Policy Section 18 [Certificate Hierarchy]
There are internally-operated subCAs in this CA hierarchy, and there is no plan 
to allow for externally-operated subCAs. The internally-operated subCAs are as 
follows:
+ AC Administración Pública
     - Issues: SSL certs, QCP certs
     - Audits: WebTrust for CAs, WebTrust SSL BRs, ETSI 101 456
+ AC Componentes Informáticos
     - Issues: SSL certs
     - Audits: WebTrust for CAs, WebTrust SSL BRs
+ AC FNMT Usuarios
     - Issues: QCP certs, not restricted by EKU extension
     - Audits: (ETSI 101 456 or WebTrust for CAs) and audit of non-existence of SSL certs
+ ISA CA - revoked, being added to OneCRL via Bug #1263949
+ AC APE - revoked, being added to OneCRL via Bug #1263949

Based on this assessment I intend to approve this request from FNMT to
include the “AC RAIZ FNMT-RCM” root certificate and enable the Websites
trust bit.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1271513

Title:
  www.cert.fnmt.es certificates are not included in Mozilla products

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/1271513/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs