User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.5) Gecko/20091102 Firefox/3.5.5
Build Identifier: 

ipsCA, a Spanish company in public key technologies applied to digital trust announced the upcoming availability of two new hierarchies of trust will be released during the fourth quarter of this year. Hierarchies have been created during the previous quarter and has been working on improving service quality and security features of the certificates will be issued by the new hierarchy. During this time they have been conducting activities aimed at achieving the maximum dissemination of new roots of trust, which spread to major software vendors require stamps based quality audits, so we would like to apply for including these two new roots within Mozilla Software.

1.	General information about the CA’s associated organization (i.e., the company, nonprofit organization, or government agency operating the CA), including 
1.	Name: ipsCA Main Root
2.	Website URL: http://www.ipsca.com
3.	Organizational type: private
4.	Primary market / customer base: worldwide CA, with special focus on Spain, where there are the headquarters. More than 12.000 Universities and educational entities (in the USA mainly) had obtained without any cost our SSL certificates. 

2.	For each root CA whose certificate is to be included in Mozilla (or whose metadata is to be modified): 

1.	The name of the root CAs. ipsCA Main Root ipsCA Global Root
2.	The root CA certificate. 
http://certs.ipsca.com/store/ipsCAMain.der
http://certs.ipsca.com/store/ipsCAGlobal.der
3.	The X.509 certificate version. Version 3
4.	SHA-1 fingerprint. Respectively:
ipsCA Main Root - cf e4 31 3d ba 05 b8 a7 c3 00 63 99 5a 9e b7 c2 47 ad 8f d5 
ipsCA Global Root - 3c 71 d7 0e 35 a5 da a8 b2 e3 81 2d c3 67 74 17 f5 99 0d f3
5.	Type of signing key. RSA
6.	Signing key parameters. 2048 bits.
EKUs Assigned (check if EKUs apply):
X	Server Authentication EKU=1.3.6.1.5.5.7.3.1
X	Client Authentication EKU=1.3.6.1.5.5.7.3.2
X	Secure E-mail EKU=1.3.6.1.5.5.7.3.4
X	Code Signing EKU=1.3.6.1.5.5.7.3.3
X	Time stamping EKU=1.3.6.1.5.5.7.3.8
X	Encrypting File System EKU=1.3.6.1.4.1.311.10.3.4
	IPSec (Tunnel) EKU=1.3.6.1.5.5.7.3.6
	IPSec (User) EKU=1.3.6.1.5.5.7.3.7
7.	Valid from (YYYY-MM-DD). 07 September 2009
8.	Valid to (YYYY-MM-DD). 25 December 2029 
9.	A description of the PKI hierarchy rooted at or otherwise associated with this root CA certificate, including: 
No subordinated CA exists for the moment. Our plan is to generate new SubCAs for different purposes and all of them will be under our CPS. In the near future we will build up a subCA for SSL certificates issuance by ipsCA to continue our SSL business area where our the currently root certificate IPS SERVIDORES, included in the Mozilla trusted Store, is expiring on 29 December 2009.
10.	Whether certificates are issued for any of the following purposes within the hierarchy rooted at this root CA certificate: 
Only this one ->	Certificates usable for enabling web or other servers to support SSL/TLS connections. 
11.	If SSL certificates are issued within the hierarchy rooted at this root CA certificate: 
Whether or not the domain name referenced in the certificate is verified to be owned/controlled by the certificate subscriber. 
ipsCA will perform verification of certificate information as follows:
-  Limited check of the applicant's domain name against a public domain name registry; 
- Confirmation of applicant's Company name, name, address and phone number against information contained in an independent third party business database. 
- Faxed documentation will be required when applicants company name cannot be validated using available information.  
15.	Example certificate(s) issued within the hierarchy rooted at this root, including the full certificate chain(s) where applicable. (There should be at least one example certificate for each of the major types of certificates issued, e.g., email vs. SSL vs. code signing, or EV vs. OV vs. DV. For SSL certificates this should also include URLs of one or more web servers using the certificate(s).) 
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:01
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ipsCA, OU=ipsCA, CN=ipsCA Main CA <email address hidden>
        Validity
            Not Before: Sep 22 11:59:24 2009 GMT
            Not After : Sep 22 11:59:24 2010 GMT
        Subject: C=ES, ST=Madrid, L=Madrid, O=ipsCA, OU=Certificates, CN=sirius.ipsca.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:8e:65:a5:65:f4:77:ae:c5:66:0c:e9:fa:e7:f6:
                    69:bd:d5:88:4d:5a:4d:7e:5f:a3:0d:bf:5b:c5:2b:
                    b1:fb:b4:64:ae:c7:90:d1:1f:42:42:93:67:34:ec:
                    a1:1b:7c:96:94:39:d9:8f:2b:70:bf:36:d6:88:c2:
                    f7:91:1d:bb:91:de:2d:33:e1:3a:15:60:89:e8:62:
                    b5:76:37:d5:13:9a:b9:5c:df:09:37:dc:cb:c7:10:
                    4a:00:7d:64:35:a8:4f:15:61:fc:aa:a3:7c:21:73:
                    25:f5:db:7d:9a:96:1c:12:03:51:16:e7:a7:fd:54:
                    41:89:94:c4:ae:3c:1b:2f:8b
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Cert Type:
                SSL Server
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
            X509v3 Subject Key Identifier:
                D9:FF:8D:8E:0E:27:B2:5A:71:B8:C6:85:03:5B:32:30:89:1E:FC:6E
            X509v3 Authority Key Identifier:
                keyid:61:ED:39:8D:6B:3C:E1:36:C6:CF:DB:41:FC:1B:43:51:57:CB:4D:6B
                DirName:/C=ES/ST=Madrid/L=Madrid/O=IPS Certification Authority s.l. ipsCA/OU=ipsCA/CN=ipsCA Main CA <email address hidden>
                serial:00

            X509v3 Issuer Alternative Name:
                email:<email address hidden>, URI:http://crlmain01.ipsca.com/crl/crtmain01.crt
            X509v3 CRL Distribution Points:
                URI:http://crlmain01.ipsca.com/crl/crlmain01.crl

            Authority Information Access:
                OCSP - URI:http://ocspmain01.ipsca.com/

    Signature Algorithm: sha1WithRSAEncryption
        06:77:32:2a:f8:dd:1d:4a:85:10:46:ee:8c:a9:cb:cc:f7:27:
        82:d9:70:5e:33:90:ca:1b:ab:31:41:79:86:fc:49:9a:10:64:
        61:38:00:ae:72:ee:9f:bd:b4:5d:85:90:d9:8c:64:ca:bf:b9:
        62:2e:33:93:ed:45:43:52:29:34:2e:da:c5:a6:00:1a:a6:21:
        85:07:6a:95:a9:d0:1a:74:8b:fa:af:6f:7e:aa:83:37:58:0b:
        7e:3b:a7:15:96:16:67:68:37:36:89:ac:12:0b:f5:d4:ea:30:
        b8:ad:82:98:0c:98:ae:90:23:38:d5:6f:14:5e:79:a0:92:d6:
        7b:ef:fd:74:24:59:95:f6:06:63:72:2a:ed:97:3c:94:ec:13:
        a4:ac:29:e5:ef:bc:5d:14:68:d0:d6:2f:e2:d9:77:ce:1b:24:
        d3:d4:d0:06:3d:a8:1b:7c:dc:ce:1f:b0:34:6d:8a:a5:06:4d:
        86:8c:f9:7c:95:20:7c:7d:7c:4e:88:27:41:45:2c:ef:4a:42:
        24:72:67:f0:29:a8:f5:78:b7:4f:f9:18:27:ec:0c:18:72:25:
        82:5f:51:93:76:9e:46:8b:a0:df:fc:13:bd:6e:08:9f:24:55:
        14:82:53:b7:98:31:79:f2:cb:f1:1e:77:4e:c6:cb:85:80:3e:
        d1:c1:c6:ab
-----BEGIN CERTIFICATE-----
MIIFJDCCBAygAwIBAgIUEAAAAAAAAAAAAAAAAAAAAAAAAAEwDQYJKoZIhvcNAQEF
BQAwga4xCzAJBgNVBAYTAkVTMQ8wDQYDVQQIEwZNYWRyaWQxDzANBgNVBAcTBk1h
ZHJpZDEvMC0GA1UEChMmSVBTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IHMubC4g
aXBzQ0ExDjAMBgNVBAsTBWlwc0NBMRswGQYDVQQDExJpcHNDQSBNYWluIENBIFJv
b3QxHzAdBgkqhkiG9w0BCQEWEG1haW4wMUBpcHNjYS5jb20wHhcNMDkwOTIyMTE1
OTI0WhcNMTAwOTIyMTE1OTI0WjBxMQswCQYDVQQGEwJFUzEPMA0GA1UECBMGTWFk
cmlkMQ8wDQYDVQQHEwZNYWRyaWQxDjAMBgNVBAoTBWlwc0NBMRUwEwYDVQQLEwxD
ZXJ0aWZpY2F0ZXMxGTAXBgNVBAMTEHNpcml1cy5pcHNjYS5jb20wgZ8wDQYJKoZI
hvcNAQEBBQADgY0AMIGJAoGBAI5lpWX0d67FZgzp+uf2ab3ViE1aTX5fow2/W8Ur
sfu0ZK7HkNEfQkKTZzTsoRt8lpQ52Y8rcL821ojC95Edu5HeLTPhOhVgiehitXY3
1ROauVzfCTfcy8cQSgB9ZDWoTxVh/KqjfCFzJfXbfZqWHBIDURbnp/1UQYmUxK48
Gy+LAgMBAAGjggH4MIIB9DAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIGQDAT
BgNVHSUEDDAKBggrBgEFBQcDATAdBgNVHQ4EFgQU2f+Njg4nslpxuMaFA1syMIke
/G4wgdsGA1UdIwSB0zCB0IAUYe05jWs84TbGz9tB/BtDUVfLTWuhgbSkgbEwga4x
CzAJBgNVBAYTAkVTMQ8wDQYDVQQIEwZNYWRyaWQxDzANBgNVBAcTBk1hZHJpZDEv
MC0GA1UEChMmSVBTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IHMubC4gaXBzQ0Ex
DjAMBgNVBAsTBWlwc0NBMRswGQYDVQQDExJpcHNDQSBNYWluIENBIFJvb3QxHzAd
BgkqhkiG9w0BCQEWEG1haW4wMUBpcHNjYS5jb22CAQAwSQYDVR0SBEIwQIEQbWFp
bjAxQGlwc2NhLmNvbYYsaHR0cDovL2NybG1haW4wMS5pcHNjYS5jb20vY3JsL2Ny
dG1haW4wMS5jcnQwPQYDVR0fBDYwNDAyoDCgLoYsaHR0cDovL2NybG1haW4wMS5p
cHNjYS5jb20vY3JsL2NybG1haW4wMS5jcmwwOAYIKwYBBQUHAQEELDAqMCgGCCsG
AQUFBzABhhxodHRwOi8vb2NzcG1haW4wMS5pcHNjYS5jb20vMA0GCSqGSIb3DQEB
BQUAA4IBAQAGdzIq+N0dSoUQRu6MqcvM9yeC2XBeM5DKG6sxQXmG/EmaEGRhOACu
cu6fvbRdhZDZjGTKv7liLjOT7UVDUik0LtrFpgAapiGFB2qVqdAadIv6r29+qoM3
WAt+O6cVlhZnaDc2iawSC/XU6jC4rYKYDJiukCM41W8UXnmgktZ77/10JFmV9gZj
cirtlzyU7BOkrCnl77xdFGjQ1i/i2XfOGyTT1NAGPagbfNzOH7A0bYqlBk2GjPl8
lSB8fXxOiCdBRSzvSkIkcmfwKaj1eLdP+Rgn7AwYciWCX1GTdp5Gi6Df/BO9bgif
JFUUglO3mDF58svxHndOxsuFgD7Rwcar
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:03
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=ES, ST=Madrid, L=Madrid, O=IPS Certification Authority s.l. ip
sCA, OU=ipsCA, CN=ipsCA Global CA <email address hidden>
        Validity
            Not Before: Sep 22 11:57:52 2009 GMT
            Not After : Sep 22 11:57:52 2010 GMT
        Subject: C=ES, ST=Madrid, L=Madrid, O=ipsCA, OU=Certificados, CN=orion.i
psca.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:c5:ab:69:2a:c2:f5:2e:39:91:45:76:91:bd:54:
                    6f:aa:27:fb:df:6d:92:07:fc:72:0c:4d:0f:36:70:
                    91:1a:7d:c0:82:30:a1:84:7e:a5:37:61:21:ce:01:
                    2b:85:bb:67:4d:5d:79:d8:76:97:b2:82:d6:5f:f5:
                    57:29:0f:d3:3c:87:84:b8:47:b3:27:da:74:09:cc:
                    8e:95:24:19:8c:b1:8e:af:06:38:c2:7f:47:c4:6c:
                    7e:5f:6c:1b:99:56:89:10:51:07:30:06:b0:eb:54:
                    92:ea:53:c1:cd:f0:32:fc:16:4b:ec:fc:0c:d5:d8:
                    20:74:fb:c1:07:93:bf:0c:31
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
            CA:FALSE
            Netscape Cert Type:
            SSL Server
            X509v3 Extended Key Usage:
            TLS Web Server Authentication
            X509v3 Subject Key Identifier:
            AF:9B:47:C0:2D:07:9E:9A:4C:DF:77:64:1E:2A:65:50:83:AE:CC:CE
            X509v3 Authority Key Identifier:
            keyid:15:A6:96:80:B1:15:4B:31:C3:C2:9C:F6:E7:13:0B:4B:F3:18:CD:86
            DirName:/C=ES/ST=Madrid/L=Madrid/O=IPS Certification Authority s.l.
ipsCA/OU=ipsCA/CN=ipsCA Global CA <email address hidden>
            serial:00

            X509v3 Issuer Alternative Name:
            email:<email address hidden>, URI:http://crlglobal01.ipsca.com/crl/crtgl
obal01.crt
            X509v3 CRL Distribution Points:
            URI:http://crlglobal01.ipsca.com/crl/crlglobal01.crl

            Authority Information Access:
            OCSP - URI:http://ocspglobal01.ipsca.com/

    Signature Algorithm: sha1WithRSAEncryption
        74:97:bf:95:bc:6c:e3:54:98:16:28:92:04:14:44:bc:55:b7:
        99:6e:a6:70:33:95:75:f4:09:d7:fd:e1:ba:29:28:df:be:eb:
        12:d2:22:29:12:8c:ed:9a:cf:9f:c4:93:c0:7d:d1:ec:77:11:
        94:3e:48:06:75:94:5f:c3:d3:80:8a:eb:17:16:0f:69:bf:1e:
        e1:7b:58:fc:11:01:83:45:9e:b3:76:1a:18:c4:ad:bb:9d:63:
        4e:db:29:e7:9d:b6:13:95:3c:f2:8d:14:ac:53:0e:64:0d:d7:
        e2:3a:4c:47:0a:56:c9:5a:d1:1d:53:1c:5f:6b:02:fd:ab:d7:
        8a:7e:3a:37:1c:d7:c7:1c:03:7d:b2:f6:9e:c5:69:8c:7f:b3:
        ab:01:0e:7a:e0:dc:38:30:7e:8e:c7:16:3f:f9:ee:b9:aa:d5:
        f0:8b:ba:85:99:02:63:8d:76:4b:da:ad:4f:2b:f2:3b:98:ab:
        bb:0a:bc:0c:4b:7d:8d:d3:ff:ce:86:ff:fc:4a:e0:a2:1d:af:
        74:97:65:cf:11:f7:19:ff:97:1f:95:3d:6b:2d:ef:f1:12:64:
        9d:f2:d7:ce:75:86:e0:e0:83:68:26:d3:3e:60:64:cf:2d:ed:
        ec:eb:39:1b:c2:fd:22:2c:dc:20:e4:37:2c:71:72:b0:ec:93:
        12:99:71:85

16.	Whether or not the validity of end entity and CA certificates issued within the hierarchy rooted at this root may be verified using Certificate Revocation Lists (CRLs) and, if so, the URL(s) at which the CRL(s) may be obtained
 http://crlmain01.ipsca.com/crl/crlmain01.crl
 http://crlglobal01.ipsca.com/crl/crlmain01.crl

17.	Whether or not the validity of end entity and CA certificates issued within the hierarchy rooted at this root may be verified using the Online Certificate Status Protocol (OCSP) and, if so, the URL(s) for the associated OCSP responder(s). 
http://ocspmain01.ipsca.com
http://ocspglobal01.ipsca.com

18.	The maximum time elapsing from the revocation of an end entity or CA certificate until CRLs and/or OCSP responders are updated to reflect that revocation. 
24 Hours

19.	The published document(s) describing how certificates are issued within the hierarchy rooted at this root, as well as other practices associated with the root CA and other CAs in the hierarchy, including in particular the Certification Practice Statement(s) (CPS) and related documents. (These documents should be available at publicly accessible URLs, and should be in English or available in English translation.) 
http://www.ipsca.com/es/Certificates/CPSIPSCAv31.pdf

20.	The published document(s) relating to independent audit(s) of the root CA and any CAs within the hierarchy rooted at the root. (For example, for WebTrust for CAs audits this would be the "audit report and management assertions" document available from the webtrust.org site or elsewhere.) 
Renewed Webtrust seal: https://cert.webtrust.org/ViewSeal?id=933


Reproducible: Always



Expected Results:  
We would like to have all the steps for inclusion passed in the shortest time possible because we are discontinuing our former root CA which is currently included in Mozilla Products IPS SERVIDORES next 29th of December and on this date we will have issued all our customer's certificates with the new hierarchy.We do know that this time is very shot for this inclusion, but this delay i because we have been working hard in solving some security issues before applying. We are confident our position is solid in order to apply for including with a good product.