Does any part of CNNIC's CPS cover issuing external subCAs at all? When did 
CNNIC start issuing external subCAs?
I am afraid we don't have the issuing of external subCAs in the CPS. This is the 
first time we have tried to issue an external subCA, just for testing purposes.
We decided to discuss external subCA authorization with our audit team in this 
year's WebTrust audit in April.

Did CNNIC take steps suggesting they planned to comply with Mozilla's subCA 
policy for this CA:
- Did they have a CPS for this subCA? Not yet. 
- Is there evidence that any auditing of this subCA took place/was planned? 
As we discussed with MCS Holding, we will issue a 2-week intermediate cert for 
testing purposes. As we only defined the EKU, with no name constraints in the 
intermediate cert, we put items in the agreement that MCS must issue certs only 
to domains MCS registered. We decided to discuss the audit request in the formal 
cooperation regarding the intermediate root authorization.

Regards,

An Yin 
CA Product Manager
---------------------------------------------------
= =Profession • Responsibility • Service= =

China Internet Network Information Center (CNNIC)
Tel: (8610)-58812432
mobile:13683527697
Fax: (8610)-58812666-168
Web: http://www.cnnic.cn
Add: 4 South 4th Street, Zhongguancun, Haidian district, 100190 Beijing, China
POB: Beijing 349, Branch 6
---------------------------------------------------
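The configuration described in the reply above, a subCA that carries only an EKU and no name constraints, with the scope limit living in a contract rather than in the certificate, is the point Mozilla's proposal addresses. The Go program below is an added example, not code from the thread or from CNNIC or MCS Holding, and uses only the standard library crypto/x509 package. It builds a constructed root, subCA and leaf (the domain names are invented placeholders) and runs the same path validation a TLS client performs, once with an EKU-only subCA and once with a critical NameConstraints extension, to show that the EKU alone never stops the subCA from certifying a domain its customer does not control, while name constraints cause that certificate to be rejected at validation time.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed placeholder names for the demonstration; not real CNNIC or MCS Holding data.
const (
	CustomerDomain = "subca-customer.example"     // the only domain the subCA should certify
	InScopeHost    = "www.subca-customer.example" // inside the permitted subtree
	OutOfScopeHost = "unrelated.example"          // a domain the subCA customer does not control
)

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent (self-signed when parent == tmpl) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildChain builds root -> subCA -> leaf for leafHost. The subCA always carries only the
// serverAuth EKU; it gets a critical NameConstraints extension only when permitted is non-empty.
func BuildChain(leafHost string, permitted []string) (root, subCA, leaf *x509.Certificate, err error) {
	now := time.Now()
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()

	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Test Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, BasicConstraintsValid: true, IsCA: true,
	}
	if root, err = sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey); err != nil {
		return
	}
	subTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Constructed Test SubCA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(14 * 24 * time.Hour), // two-week validity, as in the thread
		KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, IsCA: true,
		PermittedDNSDomainsCritical: true, PermittedDNSDomains: permitted, // nil => no NameConstraints at all
	}
	if subCA, err = sign(subTmpl, root, &subKey.PublicKey, rootKey); err != nil {
		return
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: leafHost}, DNSNames: []string{leafHost},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, err = sign(leafTmpl, subCA, &leafKey.PublicKey, subKey)
	return
}

// VerifyLeaf performs the path validation a TLS client does when connecting to host.
func VerifyLeaf(root, subCA, leaf *x509.Certificate, host string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(subCA)
	_, err := leaf.Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// RejectedByNameConstraints reports whether err is specifically a name-constraints rejection.
func RejectedByNameConstraints(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	for _, permitted := range [][]string{nil, {CustomerDomain}} {
		for _, host := range []string{InScopeHost, OutOfScopeHost} {
			root, subCA, leaf, err := BuildChain(host, permitted)
			if err != nil {
				panic(err)
			}
			fmt.Printf("constraints=%v host=%s -> verify error: %v\n", permitted, host, VerifyLeaf(root, subCA, leaf, host))
		}
	}
}
```

The EKU-only subCA validates the out-of-scope leaf without complaint, which is why the Richard Barnes proposal reaches for name constraints in NSS rather than procedure updates: a technical constraint is enforced by every relying party, whereas the agreement with MCS Holding is enforced only by CNNIC's after-the-fact oversight.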
-----Original Message-----
From: dev-security-policy-bounces+anyin=cnnic...@lists.mozilla.org 
[mailto:dev-security-policy-bounces+anyin=cnnic...@lists.mozilla.org] on behalf of 
Charles Reiss
Sent: 24 March 2015 15:16
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Consequences of mis-issuance under CNNIC

On 03/23/15 22:47, Richard Barnes wrote:
> Dear dev.security.policy,
> 
> It has been discovered that an intermediate CA under the CNNIC root 
> has mis-issued certificates for some Google domains.  Full details can 
> be found in blog posts by Google [0] and Mozilla [1].  We would like 
> to discuss what further action might be necessary in order to maintain 
> the integrity of the Mozilla root program, and the safety of its users.
> 
> There have been incidents of this character before.  When ANSSI issued 
> an intermediate that was used for MitM, name constraints were added to 
> limit its scope to French government domains.  When TurkTrust 
> mis-issued intermediate certificates, they changed their procedures 
> and then they were required to be re-audited in order to confirm their 
> adherence to those procedures.
> 
> We propose to add name constraints to the CNNIC root in NSS to 
> minimize the impact of any future mis-issuance incidents.  The “update 
> procedures and re-audit” approach taken with TurkTrust is not suitable for 
> this scenario.
> Because the mis-issuance was done by a customer of CNNIC, it’s not 
> clear that updates to CNNIC’s procedures would address the risks that 
> led to this mis-issuance.  We will follow up this post soon with a 
> specific list of proposed constraints.
> 
> Please send comments to this mailing list.  We would like to have a 
> final plan by around 1 April.

Does any part of CNNIC's CPS cover issuing external subCAs at all? When did 
CNNIC start issuing external subCAs?

Did CNNIC take steps suggesting they planned to comply with Mozilla's subCA 
policy for this CA:
- Did they have a CPS for this subCA?
- Is there evidence that any auditing of this subCA took place/was planned?



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

