This question is somewhat unrelated to the inclusion of CFCA in the root program, but I'm interested to know the answer:
Based on some survey data I've gotten from the University of Michigan, it appears that the CFCA root(s) have been used only within a limited scope (TLDs in issued EE certificates): CFCA OCA2: cn, com, net CFCA EV OCA: com Does CFCA agree with this assessment, or are there certificates that were missed by the UMich survey? Would CFCA be willing to be name constrained by relying party software to names ending in .cn, .com, or .net? (Thus, relying parties would reject certificates for names under other TLDs that chain to CFCA.) This constraint would help bound the risk posed by errors or compromises at CFCA or any subordinates. --Richard On Wed, Jan 7, 2015 at 9:23 PM, Kathleen Wilson <kwil...@mozilla.com> wrote: > China Financial Certification Authority (CFCA) has applied to include the > “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable > EV treatment. > > The first discussion resulted in CA action items, which have been > completed. > https://groups.google.com/d/msg/mozilla.dev.security.policy/2G6KuAT9Ekk/ > GyakphSLS5EJ > https://bugzilla.mozilla.org/show_bug.cgi?id=926029#c26 > > For your convenience, and because the request has been changed to be just > for the EV root, I will re-summarize the request below. > > CFCA is a national authority of security authentication approved by the > People’s Bank of China and state information security administration. CFCA > is a critical national infrastructure of financial information security and > one of the first certification service suppliers granted a certification > service license after the release of the Electronic Signature Law of the > People’s Republic of China. There are more than 200 Chinese banks that are > using CFCA’s certificates to ensure the security of online banking trade. > > The request is documented in the following bug: > https://bugzilla.mozilla.org/show_bug.cgi?id=926029 > > And in the pending certificates list: > http://www.mozilla.org/en-US/about/governance/policies/ > security-group/certs/pending/ > > Summary of Information Gathered and Verified: > https://bugzilla.mozilla.org/attachment.cgi?id=8545426 > > Noteworthy points: > > * The primary documents are the CPS and CP, which are provided in Chinese, > and the CPS has been translated into English. > > Document repository: http://www.cfca.com.cn/us/us-12.htm > CPS (Chinese) http://www.cfca.com.cn/file/qqfwq-cps.zip > CP (Chinese): http://www.cfca.com.cn/file/qqfwq-cp.zip > > CPS (English): http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar > > * CA Hierarchy: The “CFCA EV ROOT” root has one internally-operated > subordinate CA, “CFCA EV OCA”, which issues EV SSL certificates. > > * This request is to turn on the websites trust bit for the “CFCA EV ROOT” > root certificate, and enable EV treatment. > > ** CPS section 3.2.2.3: Applications for SSL Certificates can only be > submitted to CFCA, who accepts applications from both organizations and > individuals. > > ** CPS section 3.2.2.3: CFCA verifies not only the ID, address, and > country of the applicant, but also the IP and the compliance of CSR. The > procedures are as follows: > CFCA performs a WHOIS inquiry on the internet for the domain name supplied > by the applicant, to verify that the applicant is the entity to whom the > domain name is registered. Where the WHOIS record indicates otherwise, CFCA > will ask for a letter of authorization, or email to the register to inquiry > whether the applicant has been authorized to use the domain name. > To verify the public IP, the subscriber can supply a sealed paper document > or email from the ISP showing the IP is allocated by the ISP to the > applicant. > > ** CPS section 3.2.2.4: Applications for EV SSL Certificates can only be > submitted to CFCA. The subject must be the domain name of the web server, > not the IP address. The domain name must not contain wildcards. The > applicants can only be private organizations, business entities, government > entities and non-commercial entities and should meet the following > requirements: … [verification of identity, organization, and authority of > the certificate subscriber] > > ** CPS section 3.2.2.4 part 6, Domain Name of the Applicant: > (1) The Applicant is the registered holder of the domain name or has been > granted the exclusive right to use the domain name by the registered holder > of the domain name > (2) Domain registration information in the WHOIS database SHOULD be public > and SHOULD show the name, physical address, and administrative contact > information for the organization. > (3) The Applicant is aware of its registration or exclusive control of the > domain name. > > * EV Policy OID: 2.16.156.112554.3 > > * Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8356494 > > * Test Website: https://pub.cebnet.com.cn > > * OCSP > http://ocsp.cfca.com.cn/ocsp/ > CPS 4.8.9: The maximum validity period for OCSP response does not exceed 7 > days. > > * Audit: Annual audits are performed by PricewaterhouseCoopers according > to the WebTrust criteria. > WebTrust CA: https://cert.webtrust.org/SealFile?seal=1788&file=pdf > WebTrust EV: https://cert.webtrust.org/SealFile?seal=1786&file=pdf > WebTrust BR: https://cert.webtrust.org/SealFile?seal=1787&file=pdf > > * Potentially Problematic Practices – None noted for this EV root and > hierarchy. > (http://wiki.mozilla.org/CA:Problematic_Practices) > > This begins the second discussion of the request from CFCA to include the > “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable > EV treatment. At the conclusion of this discussion I will provide a summary > of issues noted and action items. If there are outstanding issues, then an > additional discussion may be needed as follow-up. If there are no > outstanding issues, then I will recommend approval of this request in the > bug. > > Kathleen > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
