Mozilla

CA Program

Case Information

Subject
Include Notarius Root
Link to Bugzilla Bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1431811
Case Number
00000256
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
Notarius
Request Status
Information Verification In Process

CA Address Information

Street
465 McGill Street, Suite 300
City
Montreal
State/Province
QUEBEC
Zip/Postal Code
Country
Canada

General information about CA's associated organization

CA Email Alias 1
CA Owner Information Verified?
Data Verified
Company Website
https://notarius.com
Organizational Type
 
Geographic Focus
USA, Global
Primary Market / Customer Base
Issues certificates to the public for S/MIME, document signing, and user authentication.
https://notarius.com/en/industry
Recognized CAA Domains
Problem Reporting Mechanism

Audit Statements

Auditor
Auditor Verified?
Not Verified
Auditor Location
Standard Audit Verified?
Not Verified
Standard Audit Type
ETSI EN 319 411
Standard Audit Deviation
true
Standard Audit Statement Date
1/13/2020
Standard Audit Comments
Standard Audit Period Start Date
12/17/2018
Standard Audit ALV Comments
Standard Audit Period End Date
12/19/2019
BR Audit Statement (Link)
BR Audit Verified?
Not Verified
BR Audit Type
 
BR Audit Deviation
false
BR Audit Statement Date
 
BR Audit Comments
BR Audit Period Start Date
 
BR Audit ALV Comments
BR Audit Period End Date
 
EV SSL Audit Statement (Link)
EV SSL Audit Verified?
Not Verified
EV SSL Audit Type
 
EV SSL Audit Deviation
false
EV SSL Audit Statement Date
 
EV SSL Audit Comments
EV SSL Audit Period Start Date
 
EV SSL Audit ALV Comments
EV SSL Audit Period End Date
 

Policy Documents

Document Repository Description

Policy Document Record # 1

Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
 
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Associated Root Certificates
Notarius Root Certificate Authority

Policy Document Record # 2

Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
12/4/2019
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Associated Root Certificates
Notarius Root Certificate Authority

Policy Document Record # 3

Document Type
CPS
Document Verified?
Not Verified
Document Last Updated Date
12/4/2019
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Associated Root Certificates
Notarius Root Certificate Authority

Policy Document Record # 4

Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
10/7/2020
Associated Trust Bits
Secure Email; Document Signing; OCSP Signing; Time Stamping
Policy Identifiers
Additional Policy Identifiers
Comments
Associated Root Certificates
Notarius Root Certificate Authority

Policy Document Record # 5

Document Type
CPS
Document Verified?
Not Verified
Document Last Updated Date
10/26/2020
Associated Trust Bits
Secure Email; Document Signing; OCSP Signing; Time Stamping
Policy Identifiers
Additional Policy Identifiers
Comments
Associated Root Certificates
Notarius Root Certificate Authority

Required and Recommended Practices

BR Self Assessment
N/A
Required Practices
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified?
Not Verified
CA's Response to Required Practices
1. Publicly Available CP and CPS: CP section 2.2
1.1 Revision Table, updated annually: CP Version tracking table
1.2 CAA Domains listed in CP/CPS: N/A
2. Audit Criteria: CP section 8
3. Revocation of Compromised Certificates: CP section 4.5
4. Verifying Domain Name Ownership: N/A

5. Verifying Email Address Control: ??? (NEED -- I did not find a description in the CP of how the CA/LRA verifies that the email address to be included in the certificate is owned/controlled by the certificate subscriber.)

6. DNS names go in SAN: N/A
7. OCSP: CP section 7
8. Network Security Controls: CP section 6.7

Forbidden and Potentially Problematic Practices

Forbidden Practices
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified?
Data Verified
CA's Response to Forbidden Practices
1. Long-lived Certificates: CP sections 3.2.4, 4.2.2
2. Non-Standard Email Address Prefixes for Domain Ownership Validation: N/A
3. Issuing End Entity Certificates Directly From Roots: No
4. Distributing Generated Private Keys in PKCS#12 Files: CP section 6.1.2
5. Certificates Referencing Local Names or Private IP Addresses: N/A
6. Issuing SSL Certificates for .int Domains: N/A
7. OCSP Responses Signed by a Certificate Under a Different Root: No
8. Issuance of SHA-1 Certificates: CP section 7
9. Delegation of Domain / Email Validation to Third Parties: CP section 1.6.3

Root Case Record # 1

Root Case Information

Root Certificate Name
Notarius Root Certificate Authority
Root Case No
R00000509
Request Status
Information Verification In Process
Case Number
00000256

Certificate Data Extracted from PEM

Subject
CN=Notarius Root Certificate Authority; O=Notarius Inc; C=CA
Issuer
CN=Notarius Root Certificate Authority; O=Notarius Inc; C=CA
Valid From
2014 Dec 17
Valid To
2034 Dec 17
Certificate Serial Number
5491A8B0
SHA-1 Fingerprint
1F3F1486B531882802E87B624D420295A0FC721A
SHA-256 Fingerprint
C7B8948FECCAACE5B509A343F38D0301D07901885604B3F267270E1EBBEF0FE7
Signature Hash Algorithm
SHA256WithRSA
Public Key Algorithm
RSA 4096 bits
SPKI SHA256
5E6E52E50B5B9012817E63178BCB63BDE23CF1CC1F9458CED9B93A2BBA7DC4C6
Subject + SPKI SHA256
8C3F6AB9CDA2A3E08B9462504D8FE00250B19FF6E3DD05B7298BA557623641BD

Audits that apply to this Root Certificate

Standard Audit
Checked
Applicable Audits Verified?
Not Verified
BR Audit
Not Checked
EV SSL Audit
Not Checked

Application Information

Explanation
Application Information Verified?
Data Verified
Role
This request is to include the 'Notarius Root Certificate Authority' certificate and only enable the email trust bit.
Root Certificate Download URL
https://download.notarius.com/certifio/public-root/notarius-root-certificate-authority.cer

Mozilla Fields

Mozilla Trust Bits
Email
Mozilla Fields Verified?
Data Verified
SSL Validation Type
 
Mozilla EV Policy OID(s)
Not EV
Mozilla Applied Constraints

CA Hierarchy Information

Cross-Signed by another Root Cert?
Not Checked
PKI Hierarchy Verified?
Not Verified
Has Externally Operated SubCAs?
Not Checked
CP/CPS allows Ext Operated SubCAs?
Not Checked
Has External Registration Authorities?
Not Checked
CP/CPS allows External RAs?
Not Checked
Description of PKI Hierarchy
DUE TO SYSTEM UPGRADE ON OCT 15, 2018 - Hierarchy checkboxes not checked.

CP section 1.1
Root CA and all Subordinate CAs are operated by Solutions Notarius.

Notarius Certificate Authority: Subordinate CA of Notarius Root Certificate Authority. This subordinate is currently included in the Adobe Approved Trust List, and every user certificate issued by this subordinate CA is AATL approved in Adobe Software. Every certificate issued by this subordinate CA must be generated on Crypto Token.

Notarius Certificate Authority 2: Subordinate CA of Notarius Root Certificate Authority. User certificates issued by this subordinate CA are recognized by Microsoft Trust Store, since our Root CA is also trusted by Microsoft Trusted Root Program. User certificates issued by this subordinate are generated on software crypto-vault.
Constraints on External SubCAs and RAs
NEED: It's not clear to me if/when LRAs are audited. Or how it is regularly checked that the LRA is only issuing certs that it should be issuing, and following the CP.

CP section 1.6.3:
All LRAs have signed contractual agreements with the C/RSP, or with a delegated representative of the C/RSP authorized to do so.
LRA roles and responsibilities:
- Make available at all times at least two people (or one person in the case of legal entities) to act as an Affiliation Verification Agent (AVA), and take all actions necessary to fulfill this requirement;
- Manage AVA appointments;
- Ensure that at least one (1) AVA is available to fulfill this function on any given business day;
- Ensure AVAs comply with all obligations set out in the CP.

Test Websites or Example Cert

Test Website - Valid
Test Websites Verified?
Data Verified
Test Website - Expired
Test Website - Revoked
Test Notes

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested
Test Results Verified?
Data Verified
CA/Browser Forum Lint Test
Test Website Lint Test
EV Tested