China Financial Certification Authority (CFCA) has applied to include
the “CFCA GT CA” and “CFCA EV ROOT” root certificates, turn on all three
trust bits for the “CFCA GT CA” root certificate, turn on the websites
trust bit for the “CFCA EV ROOT” root certificate, and enable EV
treatment for the “CFCA EV ROOT” certificate.
CFCA is a national authority of security authentication approved by the
People’s Bank of China and state information security administration.
CFCA is a critical national infrastructure of financial information
security and one of the first certification service suppliers granted a
certification service license after the release of the Electronic
Signature Law of the People’s Republic of China. There are more than 200
Chinese banks that are using CFCA’s certificates to ensure the security
of online banking trade.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=926029
And in the pending certificates list:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/pending/
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8423345
Noteworthy points:
* The primary documents are the CPS and CP, which are provided in
Chinese, and the CPS has been translated into English.
Document repository: http://www.cfca.com.cn/us/us-12.htm
CPS (Chinese) http://www.cfca.com.cn/file/qqfwq-cps.zip
CP (Chinese): http://www.cfca.com.cn/file/qqfwq-cp.zip
CPS (English): http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar
* CA Hierarchy: The “CFCA GT CA” root has two internally-operated
subordinate CAs: The “CFCA OCA2” subCA issues SSL, Code Signing, Email,
VPN, and Device certificates. The “CFCA GT OCA21” subCA issues
pre-generated certificates, individual certificates, and organization
certificates. The “CFCA EV ROOT” root has one internally-operated
subordinate CA, “CFCA EV OCA”, which issues EV SSL certificates.
* This request is to turn on all three trust bits for the “CFCA GT CA”
root certificate, turn on the websites trust bit for the “CFCA EV ROOT”
root certificate, and enable EV treatment for the “CFCA EV ROOT”
certificate.
** CPS section 3.2.2.3: Applications for SSL Certificates can only be
submitted to CFCA, who accepts applications from both organizations and
individuals.
** CPS section 3.2.2.3: CFCA verifies not only the ID, address, and
country of the applicant, but also the IP and the compliance of CSR. The
procedures are as follows:
CFCA performs a WHOIS inquiry on the internet for the domain name
supplied by the applicant, to verify that the applicant is the entity to
whom the domain name is registered. Where the WHOIS record indicates
otherwise, CFCA will ask for a letter of authorization, or email the
registrar to inquire whether the applicant has been authorized to use the
domain name.
To verify the public IP, the subscriber can supply a sealed paper
document or email from the ISP showing the IP is allocated by the ISP to
the applicant.
** CPS section 3.2.2.4: Applications for EV SSL Certificates can only be
submitted to CFCA. The subject must be the domain name of the web
server, not the IP address. The domain name must not contain wildcards.
The applicants can only be private organizations, business entities,
government entities and non-commercial entities and should meet the
following requirements: … [verification of identity, organization, and
authority of the certificate subscriber]
** CPS section 3.2.2.4 part 6, Domain Name of the Applicant:
(1) The Applicant is the registered holder of the domain name or has
been granted the exclusive right to use the domain name by the
registered holder of the domain name
(2) Domain registration information in the WHOIS database SHOULD be
public and SHOULD show the name, physical address, and administrative
contact information for the organization.
(3) The Applicant is aware of its registration or exclusive control of
the domain name.
** CPS section 3.2.2.5: For Email Certificates, CFCA only issues
certificates for email addresses at domain names that can be verified
through WHOIS. CFCA verifies the validity of the email address and
determines whether it’s legitimate through appropriate channels,
including but not limited to verification emails.
** CPS section 3.1.2: For Code-signing certificates, the DN must be the
subscriber’s real name, and the CN can be the code name or name on the
valid ID. CFCA would verify the ID provided.
** CPS section 3.2.2.5: For Code-signing certificates, CFCA would verify
the code issuer’s identity, address, and country. … Standards of
verification for identity are the same as listed in 3.2.2.1 and 3.2.2.2.
*** CPS section 3.2.2.1, Authentication of Individual Identity: The
following materials should be submitted: 1. Certificate application form;
2. Copies of ID; 3. Authorization of the organization (applicable only
to individuals in organizations).
The investigators verify the completeness and authenticity of the
materials. Reliable data sources are used to validate the
applicant’s identity, address, country, etc.
*** CPS section 3.2.2.2, Authentication of Corporate (Organization)
Identity: First, CFCA designates a staff member to receive the application
materials and carry out an initial examination of their completeness. This
is to ensure that the materials meet the demands for identity verification.
Second, CFCA designates an investigator to verify the application materials:
(1) Verify the organization identity, address, country and other
information through third-party channels or the identity repository of
CFCA, to ensure that the organization genuinely exists.
(2) Verify the authorization through phone calls or official letters.
* EV Policy OID: 2.16.156.112554.3
* Root Certs:
https://bugzilla.mozilla.org/attachment.cgi?id=816416
https://bugzilla.mozilla.org/attachment.cgi?id=8356494
* Test Websites:
https://cs.cfca.com.cn/cgi-bin/
https://pub.cebnet.com.cn
* OCSP
http://ocsp.cfca.com.cn/ocsp/
CPS 4.8.9: The maximum validity period for OCSP response does not exceed
7 days.
* Audit: Annual audits are performed by PricewaterhouseCoopers according
to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=1606&file=pdf
WebTrust EV: https://cert.webtrust.org/SealFile?seal=1607&file=pdf
WebTrust BR: http://www.cfca.com.cn/file/PwC_CFCA(en).rar
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices)
** Delegation of Domain / Email validation to third parties
CPS section 1.3.2: The RA function of the OCA2 and EV OCA system under
the CFCA Global Trust System is performed by CFCA internally. The RA
function of the OCA21 can be delegated to other organizations according
to relevant norms.
CPS section 1.4.1: The table shows that OCA21 cannot sign server (SSL)
or code-signing certs.
This begins the discussion of the request from CFCA to include the “CFCA
GT CA” and “CFCA EV ROOT” root certificates, turn on all three trust
bits for the “CFCA GT CA” root certificate, turn on the websites trust
bit for the “CFCA EV ROOT” root certificate, and enable EV treatment for
the “CFCA EV ROOT” certificate. At the conclusion of this discussion I
will provide a summary of issues noted and action items. If there are
outstanding issues, then an additional discussion may be needed as
follow-up. If there are no outstanding issues, then I will recommend
approval of this request in the bug.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy