Case Information
Subject
Include Notarius Root
Link to Bugzilla Bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1431811
Case Number
00000256
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
Notarius
Request Status
Information Verification In Process
CA Address Information
Street
465 McGill Street, Suite 300
City
Montreal
State/Province
QUEBEC
Zip/Postal Code
Country
Canada
General information about CA's associated organization
CA Email Alias 1
CA Owner Information Verified?
Data Verified
Company Website
https://notarius.com
Organizational Type
Geographic Focus
USA, Global
Primary Market / Customer Base
Issues certificates to the public for S/MIME, document signing, and user authentication.
https://notarius.com/en/industry
Recognized CAA Domains
Problem Reporting Mechanism
Audit Statements
Auditor
Auditor Verified?
Not Verified
Auditor Location
Standard Audit Statement (Link)
Standard Audit Verified?
Not Verified
Standard Audit Type
ETSI EN 319 411
Standard Audit Deviation
true
Standard Audit Statement Date
1/13/2020
Standard Audit Comments
Standard Audit Period Start Date
12/17/2018
Standard Audit ALV Comments
Standard Audit Period End Date
12/19/2019
BR Audit Statement (Link)
BR Audit Verified?
Not Verified
BR Audit Type
BR Audit Deviation
false
BR Audit Statement Date
BR Audit Comments
BR Audit Period Start Date
BR Audit ALV Comments
BR Audit Period End Date
EV SSL Audit Statement (Link)
EV SSL Audit Verified?
Not Verified
EV SSL Audit Type
EV SSL Audit Deviation
false
EV SSL Audit Statement Date
EV SSL Audit Comments
EV SSL Audit Period Start Date
EV SSL Audit ALV Comments
EV SSL Audit Period End Date
Policy Documents
Document Repository
Document Repository Description
Policy Document Record # 1
Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Notarius Root Certificate Authority
Policy Document Record # 2
Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
12/4/2019
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Notarius Root Certificate Authority
Policy Document Record # 3
Document Type
CPS
Document Verified?
Not Verified
Document Last Updated Date
12/4/2019
Associated Trust Bits
Secure Email
Policy Identifiers
Additional Policy Identifiers
Comments
Notarius Root Certificate Authority
Policy Document Record # 4
Document Type
CP
Document Verified?
Not Verified
Document Last Updated Date
10/7/2020
Associated Trust Bits
Secure Email; Document Signing; OCSP Signing; Time Stamping
Policy Identifiers
Additional Policy Identifiers
Comments
Notarius Root Certificate Authority
Policy Document Record # 5
Document Type
CPS
Document Verified?
Not Verified
Document Last Updated Date
10/26/2020
Associated Trust Bits
Secure Email; Document Signing; OCSP Signing; Time Stamping
Policy Identifiers
Additional Policy Identifiers
Comments
Notarius Root Certificate Authority
Required and Recommended Practices
BR Self Assessment
N/A
Required Practices
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified?
Not Verified
CA's Response to Required Practices
1. Publicly Available CP and CPS: CP section 2.2
1.1 Revision Table, updated annually: CP Version tracking table
1.2 CAA Domains listed in CP/CPS: N/A
2. Audit Criteria: CP section 8
3. Revocation of Compromised Certificates: CP section 4.5
4. Verifying Domain Name Ownership: N/A
5. Verifying Email Address Control: ??? (NEED -- I did not find a description in the CP of how the CA/LRA verifies that the email address to be included in the certificate is owned/controlled by the certificate subscriber.)
6. DNS names go in SAN: N/A
7. OCSP: CP section 7
8. Network Security Controls: CP section 6.7
Forbidden and Potentially Problematic Practices
Forbidden Practices
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified?
Data Verified
CA's Response to Forbidden Practices
1. Long-lived Certificates: CP sections 3.2.4, 4.2.2
2. Non-Standard Email Address Prefixes for Domain Ownership Validation: N/A
3. Issuing End Entity Certificates Directly From Roots: No
4. Distributing Generated Private Keys in PKCS#12 Files: CP section 6.1.2
5. Certificates Referencing Local Names or Private IP Addresses: N/A
6. Issuing SSL Certificates for .int Domains: N/A
7. OCSP Responses Signed by a Certificate Under a Different Root: No
8. Issuance of SHA-1 Certificates: CP section 7
9. Delegation of Domain / Email Validation to Third Parties: CP section 1.6.3
Root Case Information
Root Certificate Name
Notarius Root Certificate Authority
Root Case No
R00000509
Request Status
Information Verification In Process
Case Number
00000256
Certificate Data Extracted from PEM
Subject
CN=Notarius Root Certificate Authority; O=Notarius Inc; C=CA
Issuer
CN=Notarius Root Certificate Authority; O=Notarius Inc; C=CA
Valid From
2014 Dec 17
Valid To
2034 Dec 17
Certificate Serial Number
5491A8B0
SHA-1 Fingerprint
1F3F1486B531882802E87B624D420295A0FC721A
SHA-256 Fingerprint
C7B8948FECCAACE5B509A343F38D0301D07901885604B3F267270E1EBBEF0FE7
Signature Hash Algorithm
SHA256WithRSA
Public Key Algorithm
RSA 4096 bits
SPKI SHA256
5E6E52E50B5B9012817E63178BCB63BDE23CF1CC1F9458CED9B93A2BBA7DC4C6
Subject + SPKI SHA256
8C3F6AB9CDA2A3E08B9462504D8FE00250B19FF6E3DD05B7298BA557623641BD
Audits that apply to this Root Certificate
Standard Audit

Applicable Audits Verified?
Not Verified
BR Audit

EV SSL Audit

Application Information
Explanation
Application Information Verified?
Data Verified
Role
This request is to include the 'Notarius Root Certificate Authority' certificate and only enable the email trust bit.
Root Certificate Download URL
https://download.notarius.com/certifio/public-root/notarius-root-certificate-authority.cer
Mozilla Fields
Mozilla Trust Bits
Email
Mozilla Fields Verified?
Data Verified
SSL Validation Type
Mozilla EV Policy OID(s)
Not EV
Mozilla Applied Constraints
CA Hierarchy Information
Cross-Signed by another Root Cert?

PKI Hierarchy Verified?
Not Verified
Has Externally Operated SubCAs?

CP/CPS allows Ext Operated SubCAs?

Has External Registration Authorities?

CP/CPS allows External RAs?

Description of PKI Hierarchy
DUE TO SYSTEM UPGRADE ON OCT 15, 2018 - Hierarchy checkboxes not checked.
CP section 1.1
Root CA and all Subordinate CAs are operated by Solutions Notarius.
Notarius Certificate Authority: Subordinate CA of Notarius Root Certificate Authority. This subordinate is currently included in the Adobe Approved Trust List, and every user certificate issued by this subordinate CA is AATL approved in Adobe Software. Every certificate issued by this subordinate CA must be generated on a Crypto Token.
Notarius Certificate Authority 2: Subordinate CA of Notarius Root Certificate Authority. User certificates issued by this subordinate CA are recognized by the Microsoft Trust Store, since our Root CA is also trusted by the Microsoft Trusted Root Program. User certificates issued by this subordinate are generated on a software crypto-vault.
Constraints on External SubCAs and RAs
NEED: It's not clear to me if/when LRAs are audited, or how it is regularly checked that the LRA is only issuing certs that it should be issuing, and following the CP.
CP section 1.6.3:
All LRAs have signed contractual agreements with the C/RSP, or with a delegated representative of the C/RSP authorized to do so.
LRA roles and responsibilities:
- Make available at all times at least two people (or one person in the case of legal entities) to act as an Affiliation Verification Agent (AVA), and take all actions necessary to fulfill this requirement;
- Manage AVA appointments;
- Ensure that at least one (1) AVA is available to fulfill this function on any given business day;
- Ensure AVAs comply with all obligations set out in the CP.
Test Websites or Example Cert
Test Website - Valid
Test Websites Verified?
Data Verified
Test Website - Expired
Test Website - Revoked
Test Notes
Test Results (When Requesting the SSL/TLS Trust Bit)
Revocation Tested
Test Results Verified?
Data Verified
CA/Browser Forum Lint Test
Test Website Lint Test
EV Tested