Mozilla

CA Program

Case Information

Subject
Include Dubai PKI root certificate
Link to Bugzilla Bug
https://bugzilla.mozilla.org/show_bug.cgi?id=1474556
Case Number
00000318
Case Record Type
CA Root Inclusion Request
CA Owner/Certificate Name
Dubai Electronic Security Center (DESC)
Request Status
In Detailed CP/CPS Review

CA Address Information

Street
City
State/Province
Zip/Postal Code
Country

General information about CA's associated organization

CA Email Alias 1
CA Owner Information Verified?
Data Verified
Company Website
http://desc.dubai.ae/
Organizational Type
Government Agency
Geographic Focus
United Arab Emirates
Primary Market / Customer Base
Citizens, residents, and organizations in the UAE
Recognized CAA Domains
Problem Reporting Mechanism

CP/CPS and Audit Statements

Policy Documentation
CP/CPS documents provided in English

Audit History: https://ca-repository.desc.gov.ae/
CP/CPS Verified?
Data Verified
CA Document Repository
Auditor
Auditor Verified?
Data Verified
Auditor Location
Standard Audit Verified?
Data Verified
Standard Audit Type
WebTrust
Standard Audit Deviation
false
Standard Audit Statement Date
6/7/2019
Standard Audit Comments
Previous audit: https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221263; Statement date: 5/18/2018; Audit Period Start: 2/26/2018; Audit Period End: 5/10/2018
Standard Audit Period Start Date
5/11/2018
Standard Audit ALV Comments
Standard Audit Period End Date
5/10/2019
BR Audit Verified?
Data Verified
BR Audit Type
WebTrust
BR Audit Deviation
false
BR Audit Statement Date
6/7/2019
BR Audit Comments
Previous audit: https://www.cpacanada.ca/GenericHandlers/AptifyAttachmentHandler.ashx?AttachmentID=221262; Statement date: 5/18/2018; Audit Period Start: 2/26/2018; Audit Period End: 5/10/2018
BR Audit Period Start Date
5/11/2018
BR Audit ALV Comments
BR Audit Period End Date
5/10/2019
EV SSL Audit Statement (Link)
EV SSL Audit Verified?
Not Applicable
EV SSL Audit Type
 
EV SSL Audit Deviation
false
EV SSL Audit Statement Date
 
EV SSL Audit Comments
EV SSL Audit Period Start Date
 
EV SSL Audit ALV Comments
EV SSL Audit Period End Date
 

Required and Recommended Practices

Required Practices
https://wiki.mozilla.org/CA/Required_or_Recommended_Practices
Required Practices Verified?
Data Verified
CA's Response to Required Practices
1. Publicly Available CP and CPS: CP/CPS sections 2.2, 2.3
1.1 Revision Table, updated annually: CP/CPS Document History section
1.2 CAA Domains listed in CP/CPS: SubCA and Devices CPS section 4.2.1, desc.gov.ae
1.3 BR Commitment to Comply statement in CP/CPS: Devices CPS section 1.6.3
2. Audit Criteria: CP/CPS section 8
3. Revocation of Compromised Certificates: CP/CPS section 4.9
4. Verifying Domain Name Ownership: SubCA and Devices CPS section 3.2.4
5. Verifying Email Address Control: SubCA and Corporate CPS section 3.2.3
6. DNS names go in SAN: Devices CP sections 3.1.5, 7.1.2
7. OCSP: SubCA and Devices CP section 4.9.9, CPS section 7.3
- OCSP SHALL NOT respond "Good" for unissued certs: OCSP responds 'Revoked' for unissued certs.
https://certificate.revocationcheck.com/good.pki.desc.gov.ae
8. Network Security Controls: CP/CPS section 6.7

Forbidden and Potentially Problematic Practices

Forbidden Practices
https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices
Forbidden Practices Verified?
Data Verified
CA's Response to Forbidden Practices
1. Long-lived Certificates: Devices CPS section 7.1.2
2. Non-Standard Email Address Prefixes for Domain Ownership Validation: Devices CPS section 3.2.4
3. Issuing End Entity Certificates Directly From Roots: CP/CPS sections 1.1.1, 1.3
4. Distributing Generated Private Keys in PKCS#12 Files: CPS section 6.1.2.2
5. Certificates Referencing Local Names or Private IP Addresses: Devices CPS section 3.1.5
6. Issuing SSL Certificates for .int Domains: Devices CPS section 3.1.5
7. OCSP Responses Signed by a Certificate Under a Different Root: SubCA and Devices CPS section 4.9.9, CPS section 7.3
8. Issuance of SHA-1 Certificates: CP/CPS section 7.1
9. Delegation of Domain / Email Validation to Third Parties: CP/CPS section 1.3
Root Case Record # 1

Root Case Information

Root Certificate Name
UAE Global Root CA G4 E2
Root Case No
R00000625
Request Status
In Detailed CP/CPS Review
Case Number
00000318

Certificate Data Extracted from PEM

Subject
CN=UAE Global Root CA G4 E2; O=UAE Government; C=AE
Issuer
CN=UAE Global Root CA G4 E2; O=UAE Government; C=AE
Valid From
2018 Feb 06
Valid To
2043 Feb 06
Certificate Serial Number
1FD880704BC71C38000000005A79686B
SHA-1 Fingerprint
097AE284F58D0ABBC39AC671F48CE683F86DCB2F
SHA-256 Fingerprint
51A7ECB93ACB55FF0E34CD0ECFD1578978B37E9EDB82FD06F23F6CEC005B986D
Signature Hash Algorithm
SHA256WithRSA
Public Key Algorithm
RSA 4096 bits
SPKI SHA256
BF5FCE111485F21CC9149A5693A0F6B89FEC8DE67F2AC928AB3F129921DC8088
Subject + SPKI SHA256
B1F55190ED1B31A51AFF6F1461DB4D4C695E0133ED7749A673BAFDCE80666B36

Audits that apply to this Root Certificate

Standard Audit
Checked
Applicable Audits Verified?
Data Verified
BR Audit
Checked
EV SSL Audit
Not Checked

Application Information

Explanation
New CA
Application Information Verified?
Data Verified
Role
This root issues internally and externally operated subCAs. The externally operated subCAs are technically constrained.
Root Certificate Download URL
https://ca-repository.desc.gov.ae/Repository/source/certs/Dubai_Root_CA.crt

Mozilla Fields

Mozilla Trust Bits
Email; Websites
Mozilla Fields Verified?
Data Verified
SSL Validation Type
OV
Mozilla EV Policy OID(s)
Not EV
Mozilla Applied Constraints

CA Hierarchy Information

Cross-Signed by another Root Cert?
Not Checked
PKI Hierarchy Verified?
Data Verified
Has Externally Operated SubCAs?
Not Checked
CP/CPS allows Ext Operated SubCAs?
Checked
Has External Registration Authorities?
Not Checked
CP/CPS allows External RAs?
Checked
Description of PKI Hierarchy
The CCADB has been updated with the current CA hierarchy.

The Root CAs for Government entities will be operated by DESC and not by other entities.

Root CPS section 1.1, 1.3.1, 1.3.3
"CAs belonging to other Dubai government entities come at the second level of the Dubai PKI hierarchy, being signed by the Dubai Root CA. There are two options for issuing these CAs: Option 1 is to directly issue a Dubai Government entity issuing CA from the Dubai Root CA, which is a technically constrained subordinate CA owned and operated by a Dubai Government entity. Option 2 is for entities requiring more scalable hierarchy, met by issuing them two hierarchical levels of subordinate CAs -- an unconstrained Dubai Government entity Root CA that comes directly under the Dubai Root CA, and a technically constrained Dubai Government entity issuing CA(s) that comes under the Dubai Government entity Root CA.
Unconstrained Dubai government entity Root CAs … are operated and maintained by DESC in accordance with section 5 and 6 of this CPS."
Constraints on External SubCAs and RAs
All the Subordinate CAs to be issued under the government Root CAs will be technically constrained as mentioned in the CPS.
All the subordinate CAs (issuing CAs) that will be operated by other Dubai entities will be technically constrained.

SubCA CPS and Devices CPS section 1.3.2:
"DESC shall set up an RA organization for the Corporate and Devices CA. The RA shall comprise the individuals and systems involved in validating the identity of individuals requesting certificates, as well as in issuing and managing these certificates."

Test Websites or Example Cert

Test Website - Valid
https://good.pki.desc.gov.ae/
Test Websites Verified?
Data Verified
Test Website - Expired
https://expired.pki.desc.gov.ae/
Test Website - Revoked
https://revoked.pki.desc.gov.ae/
Test Notes

Test Results (When Requesting the SSL/TLS Trust Bit)

Revocation Tested
https://certificate.revocationcheck.com/good.pki.desc.gov.ae revocationcheck complains about the OCSP response for a non-issued certificate returning "Revoked" instead of "Unknown", but the CA pointed out that RFC 6960 recommends using "Revoked".
Test Results Verified?
Data Verified
CA/Browser Forum Lint Test
From the CA: Since we have not yet issued public certificates, we are using the tool https://crt.sh/linttbscert as advised in the following link https://wiki.mozilla.org/CA/Information_Checklist. We test the TLS certificates and the CA certificates capable of issuing TLS certificates. As per the test results, the certificates are compliant with BRs.
Test Website Lint Test
From the CA: Since we have not yet issued public certificates, we are using the tool https://crt.sh/linttbscert as advised in the following link https://wiki.mozilla.org/CA/Information_Checklist. We test the TLS certificates and the CA certificates capable of issuing TLS certificates. As per the test results, the certificates are compliant with X.509 rules.
EV Tested
Not applicable