Comment 124 for bug 1271513

In , Rafamdn (rafamdn) wrote :

(In reply to Brian Smith (:bsmith) from comment #99)
> (In reply to Kathleen Wilson from comment #98)
> > (In reply to Rafa from comment #97)
> > > Regarding #3, I agree with you. This inclusion request is only for the new
> > > "AC RAIZ FNMT-RCM" root. How do we modify this inclusion request?

I answer your questions:

> Before you modify the inclusion request:
>
> 1. How many websites are chaining to the old root? How many are chaining to
> the new root? If there are many websites chaining to the old root then we
> should find a way to get the old root working.

Currently most of the SSL certificates issued by FNMT chain to the old root. We expect this to change during 2013.

> 2. Does the new "AC RAIZ FNMT-RCM" root cross-sign the older root? Would it
> make sense to create such a cross-signing so that we could include only the
> "AC RAIZ FNMT-RCM" root? Would that be sufficient to address the concern
> that the old root issued EE certificates directly?

No, the new root is not going to cross-sign the older root.

> 3. Is FNMT still issuing certificates from the Class 2 certificate, or is
> FNMT currently only issuing new certificates from the "AC RAIZ FNMT-RCM"
> root?

Currently we issue certificates with the "old root". We plan to stop issuing SSL certificates with the old root by mid-year or 3Q 2013.

> The fact that https://www.cert.fnmt.es/ itself uses a certificate that was
> directly issued by the Class 2 certificate, combined with the fact that
> Chrome and IE trust that certificate, indicates to me that adding only the
> "AC RAIZ FNMT-RCM" certificate is not going to solve the problems we are
> trying to solve.
>
> The process for revoking trust in a sub-CA certificate is the same process
> we would use for revoking trust in a root CA certificate. Consequently, I am
> not sure there's much practical benefit in avoiding adding the Class 2
> certificate on that basis.
>
> Another question: How common is it for FNMT to issue certificates for
> domains outside of *.es? Would it be reasonable to limit the trust of FNMT
> to .es domains, at least in the short-term?

Most of the SSL certificates we issue are for .es domains. In fact, most of them are issued to Public Administration entities or associated organizations.

So it would be a reasonable solution to limit trust to .es domains.
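The "limit trust to .es domains" option discussed above is, mechanically, an X.509 name constraint (RFC 5280 section 4.2.1.10): a relying party only accepts a leaf whose DNS names fall inside the permitted subtrees attached to the CA. The following is an added example written for this page, not code from the bug thread, FNMT or Mozilla; it implements the DNS-name subtree matching rule and applies it to constructed sample subject alternative names. The permitted list ("es") and the hostnames are assumptions for illustration, and the leading-dot form is simply tolerated and stripped here rather than given special meaning.

```python
# Added example (not from the bug thread): RFC 5280 4.2.1.10 style
# dNSName constraint matching, used to show what "trust FNMT only for
# .es domains" would mean for a relying party.

from typing import Iterable, List, Tuple


def dns_name_within(name: str, subtree: str) -> bool:
    """True if `name` lies within the permitted DNS subtree `subtree`.

    Per RFC 5280, a constraint of "host.example.com" is satisfied by that
    exact name and by any name built by adding labels on the left.  The
    match is label-wise, so "fnmt.es.example.org" is NOT within "es".
    A leading "." on the subtree (e.g. ".es") is tolerated and stripped;
    that is an assumption of this example, not a rule from the RFC.
    """
    name = name.lower().rstrip(".")
    subtree = subtree.lower().rstrip(".").lstrip(".")
    if not subtree:
        # An empty subtree would match everything; treat it as no match
        # so a malformed constraint cannot silently widen trust.
        return False
    return name == subtree or name.endswith("." + subtree)


def check_san_against_constraints(
    san_dns_names: Iterable[str],
    permitted: Iterable[str] = (),
    excluded: Iterable[str] = (),
) -> List[Tuple[str, str]]:
    """Return a list of (name, reason) violations for the given SAN names.

    Excluded subtrees win over permitted ones.  If no permitted dNSName
    subtree is present, dNSName entries are unconstrained (RFC 5280 only
    constrains name forms that appear in permittedSubtrees).
    """
    permitted = list(permitted)
    excluded = list(excluded)
    violations: List[Tuple[str, str]] = []
    for n in san_dns_names:
        if any(dns_name_within(n, x) for x in excluded):
            violations.append((n, "excluded"))
        elif permitted and not any(dns_name_within(n, p) for p in permitted):
            violations.append((n, "not in permitted subtrees"))
    return violations


def demo() -> dict:
    """Run the check over constructed SAN lists under a permitted 'es' subtree."""
    # Constructed sample SANs; only www.cert.fnmt.es appears in the thread.
    samples = {
        "all_es": ["www.cert.fnmt.es", "cert.fnmt.es"],
        "mixed": ["www.fnmt.es", "fnmt.example.com"],
        "lookalike": ["fnmt.es.example.org"],  # substring match must NOT pass
    }
    return {k: check_san_against_constraints(v, permitted=("es",))
            for k, v in samples.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        status = "OK" if not result else "REJECT " + str(result)
        print(f"{label}: {status}")
```

The important detail is the label boundary in `dns_name_within`: a naive `endswith("es")` would accept `fnmtes` or `fnmt.es.example.org`, which is exactly the kind of mistake that turns a narrow trust grant into a broad one.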