This request from Government of Taiwan, Government Root Certification Authority (GRCA), is to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. This root cert will eventually replace the previous GRCA root certificate that was included via Bugzilla Bug #274106.
The request is documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1065896

And in the pending certificates list: https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified: https://bugzilla.mozilla.org/attachment.cgi?id=8708619

* Root Certificate Download URL: http://grca.nat.gov.tw/repository/Certs/GRCA2.cer

* The primary documents are provided in Chinese. The CP and CPS have been translated into English.
CA Document Repository: http://grca.nat.gov.tw/01-06.html
GCA CPS (intermediate that can issue SSL certs): http://gca.nat.gov.tw/download/Government_Certification_Authority_Certification_Practice_Statement_V1.8.pdf
GPKI CP: http://grca.nat.gov.tw/download/GPKI_CP_eng_v1.7.pdf
GRCA (Root) CPS: http://grca.nat.gov.tw/download/GRCA_CPS_eng_v1.4.pdf

* CA Hierarchy
Diagram of CA Hierarchy: http://grca.nat.gov.tw/
All subordinate CAs are operated by Taiwan Government organizations. GCA is responsible for signing certificates for government agencies; this is the only intermediate cert that can issue SSL certs. XCA is responsible for signing certificates for organizations; MOICA is responsible for signing certificates for citizens; MOEACA is responsible for signing certificates for corporations; and HCA is responsible for signing certificates for health agencies.

* This request is to turn on the Email and Websites trust bits.
** GCA CPS section 3.1.11
(1) IC card certificate
Upon obtaining the certificate IC card, the subscriber may propose writing its email address onto the certificate. Upon the subscriber filing an application online with the certificate IC card, the GCA will check its digital signature as authentication of the subscriber's identity, and send the email verification letter to the certificate email address. The subscriber shall use the verification letter content reply system to verify it truly owns and controls the email address.
(2) Non-IC card certificate
If required, the subscriber may jointly apply for a non-IC card certificate and simultaneously write its email address onto the certificate. Aside from checking the certificate application information, the GCA shall also send the email verification letter when writing the email address onto the certificate. The subscriber shall use the verification letter content reply system to verify it truly owns and controls the email address.
** GCA CPS section 3.1.12
The GCA should follow the General Application procedure as set forth in section 3.1.8 for authenticating that the organization is true when a subscriber applies for an SSL Certificate. Also, the GCA may use the following methods to check that the host domain name truly exists and is registered under the applicant:
- Government WHOIS host-government Chinese/English domain name registration systems (https://rs.gsn.gov.tw)
- TWNIC Whois Database (http://whois.twnic.net.tw)

* EV Policy OID: Not Requesting EV treatment

* Test Website: https://gcaweb.nat.gov.tw/GCAEE/GCAPriApply/GCAPriApply.html

* CRL URLs:
http://grca.nat.gov.tw/repository/CRL2/CA.crl
http://gca.nat.gov.tw/repository/GCA4/CRL2/complete.crl
The value of nextUpdate is set to 24 hours later than the issuing time (thisUpdate).
CP section 4.4.9: For Level 2, CRL issued at least every 3 days. For Level 3 and Level 4, CRL issued at least once a day. For Test Level and Level 1, CRL issuance frequency is not specified.

* OCSP URL: http://gca.nat.gov.tw/cgi-bin/OCSP2/ocsp_server.exe
OCSP responses from this service have a maximum expiration time of two hours.

* Audit: Annual audits are performed by KPMG according to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=2050&file=pdf
WebTrust BR: https://cert.webtrust.org/SealFile?seal=2051&file=pdf

* Potentially Problematic Practices: None Noted (http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of this request from the Government of Taiwan to include their Government Root Certification Authority root certificate, and turn on the Websites and Email trust bits. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy