On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote:
> This request from Guangdong Certificate Authority (GDCA) is to include the
> "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> enable EV treatment.
>
> GDCA is a nationally recognized CA that operates under China’s Electronic
> Signature Law. GDCA’s customers are business corporations registered in
> mainland China, government agencies of China, individuals or mainland China
> citizens, servers of business corporations which have been registered in
> mainland China, and software developers.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8749437
>
> Noteworthy points:
>
> * Root Certificate Download URL:
> https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
>
> * The primary documents are provided in Chinese.
>
> CA Document Repository:
> https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> http://www.gdca.com.cn/cp/cp
> http://www.gdca.com.cn/cps/cps
> http://www.gdca.com.cn/cp/ev-cp
> http://www.gdca.com.cn/cps/ev-cps
>
> Translations into English:
> CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
>
> * CA Hierarchy: This root certificate has internally-operated subordinate CAs
> - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
> - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV
> CodeSigning certs)
>
> * This request is to turn on the Websites trust bit.
>
> CPS section 3.2.5: For domain verification, GDCA needs to check the written
> materials which can be used to prove the ownership of corresponding domain
> provided by applicant. Meanwhile, GDCA should ensure the ownership of domain
> from corresponding registrant or other authoritative third-party databases.
> During the verification, GDCA needs to perform the following procedures:
> 1. GDCA should confirm that the domain's owner is certificate applicant based
> on the information queried from corresponding domain registrant or
> authoritative third-party database and provided by applicant.
> 2. GDCA should confirm that the significant information (such as document
> information of applicant) in application materials are consistent with the
> reply of domain's owner by sending email or making phone call based on the
> contact information (such as email, registrar, administrator's email
> published at this domain's website, etc.) queried from corresponding domain
> registrant or authoritative third-party database.
> If necessary, GDCA also need to take other review measures to confirm the
> ownership of the domain name. Applicant can't refuse to the request for
> providing appropriate assistance.
>
>
> * EV Policy OID: 1.2.156.112559.1.1.6.1
>
> * Test Website: https://ev-ssl-test-1.95105813.cn/
>
> * CRL URLs:
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
>
> * OCSP URL:
> http://www.gdca.com.cn/TrustAUTH/ocsp
>
> * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian LLP
> according to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
>
> * Potentially Problematic Practices: None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the discussion of the request from Guangdong Certificate
> Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on
> the Websites trust bit, and enable EV treatment. At the conclusion of this
> discussion I will provide a summary of issues noted and action items. If
> there are outstanding issues, then an additional discussion may be needed as
> follow-up. If there are no outstanding issues, then I will recommend approval
> of this request in the bug.
>
> Kathleen

https://www.ssllabs.com/ssltest/analyze.html?d=www.gdca.com.cn

This server is vulnerable to the OpenSSL Padding Oracle vulnerability (CVE-2016-2107) and insecure. Grade set to F.

Maybe someone who has more expertise than me could take a look at this?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
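Added example, not from this thread or from GDCA: what "EV treatment" keyed to the EV Policy OID in the quoted request means in practice. A browser grants the EV indicator only when a leaf chaining to the GDCA TrustAUTH R5 root carries 1.2.156.112559.1.1.6.1 in its certificatePolicies extension, so this stdlib-only Python encodes and decodes that OID in DER and walks a certificatePolicies value looking for it. The sample extension value is constructed here (it also carries the CA/Browser Forum EV OID 2.23.140.1.1), not taken from a real GDCA certificate.

```python
# EV policy OID from the inclusion request above; EV treatment is granted only when a leaf
# chaining to the GDCA TrustAUTH R5 root carries this OID in its certificatePolicies.
GDCA_EV_POLICY_OID = "1.2.156.112559.1.1.6.1"
def oid_to_der(oid: str) -> bytes:
    """DER-encode a dotted OID as a full TLV (tag 0x06, short-form length)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:  # first two arcs share one value
        groups = [value & 0x7F]  # base-128 groups, least significant first
        while value > 0x7F:
            value >>= 7
            groups.append(value & 0x7F)
        body += bytes(g | 0x80 for g in reversed(groups[1:])) + bytes([groups[0]])
    return bytes([0x06, len(body)]) + bytes(body)

def der_to_oid(der: bytes) -> str:
    """Inverse of oid_to_der; rejects malformed or truncated encodings."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a well-formed short-form OID TLV")
    values, value, pending = [], 0, False
    for b in der[2:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            values.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    arcs = [values[0] // 40, values[0] % 40] if values[0] < 80 else [2, values[0] - 80]
    return ".".join(map(str, arcs + values[1:]))

def _tlvs(data: bytes):  # yield (tag, value) over concatenated short-form DER TLVs
    i = 0
    while i < len(data):
        yield data[i], data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]

def policy_oids(ext_value: bytes) -> list[str]:  # SEQUENCE OF SEQUENCE { OID, ... }
    [(tag, infos)] = list(_tlvs(ext_value))
    oids = []
    for info_tag, info in _tlvs(infos):
        first_tag, first = next(_tlvs(info))
        if tag != 0x30 or info_tag != 0x30 or first_tag != 0x06:
            raise ValueError("malformed certificatePolicies")
        oids.append(der_to_oid(bytes([0x06, len(first)]) + first))
    return oids

def asserts_gdca_ev(ext_value: bytes) -> bool:
    return GDCA_EV_POLICY_OID in policy_oids(ext_value)
# Constructed sample (not a real GDCA certificate): GDCA EV OID, then CA/B Forum EV OID.
SAMPLE_CERT_POLICIES = bytes.fromhex("3017" "300c060a2a811c86ef2f01010601" "3007060567810c0101")
```

The same walk applies to the extension value pulled from a real leaf (for example from `openssl x509 -outform DER`), provided the value fits short-form DER lengths as this helper assumes.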