On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> This request from Guangdong Certificate Authority (GDCA) is to include the
> "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> enable EV treatment.
>
> * CA Hierarchy: This root certificate has internally-operated subordinate CAs
> - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
> - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV CodeSigning certs)
>
> * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian LLP
> according to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
Kathleen and team,

I reviewed the annual audit reports linked in your email, including the auditor's opinion and the management assertions.

Good:
- The reports and management assertion include an English language version
- The English versions are authoritative (no qualification that the Chinese language version holds in case of conflict)
- The reports clearly state they use the International Standard on Assurance Engagements (ISAE) 3000 standard
- The report and assertion use the current version of the criteria
- The assertions include details of each CA in the appendix, including an indication of whether it is a Root CA and a cryptographic hash (fingerprint) associated with each CA

Opportunities for Improvement:
- The basic WebTrust Report and assertion do not specify the location(s) where services are provided. Other reports do indicate the services are provided in/from China.
- The opinions do not specify the list of Certification Authorities in scope
- The reports and assertions do not specify the versions of the CP and CPS
- The management assertion appendixes mix keys and certificates. The certificate is not the interesting part; the CA Distinguished Name (DN), type (Root or not), Key, and Key ID are the interesting parts.
- The BR report repeats a bullet under "Maintained effective controls to provide reasonable assurance that:"

Bad:
- The basic WebTrust for CA Report does not cover controls that provide assurance that subordinate CA certificate requests are accurate, authenticated, and approved (the management assertion does, so this indicates the auditor might have found issues with the controls)
- The basic WebTrust for CA Management assertion does not include Subordinate CA [cross-]certification in the list of CA services
- The basic WebTrust for CA Management assertion does not include "Subordinate CA Certificate Lifecycle Management Controls" in the list of portions of criteria used
- After the reporting period ended, GDCA issued at least two new subordinate CA certificates from the R5 root. These use the organization name of "Global Digital Cybersecurity Authority Co., Ltd." and have keys and key IDs that are identical to those found in CA certificates for GUANG DONG CERTIFICATE AUTHORITY CO.,LTD. This is problematic as re-use of key IDs with different issuer names causes problems on some platforms. Additionally, the separate DN means it is out of scope for the submitted report. Combined with the lack of audited controls around subordinate CA management, CAs outside of the scope of the report may be a significant concern.
- The Baseline + Network Security Requirements report and management assertion only cover two of the CAs. However, the cross-certs issued by the root to the subordinate CAs do not include EKU constraints, so the subordinate CAs are capable of issuing server authentication ("SSL") certificates. The assertion and report should include all CAs that are capable of issuing server authentication certificates.
- The Baseline report does not provide an opinion that GDCA "maintained effective controls to provide reasonable assurance that it meets the Network and Certificate System Security Requirements as set forth by the CA/Browser Forum"
- The Extended Validation report and management assertion attempt to merge the Extended Validation SSL and Extended Validation Code Signing criteria. These should be distinct reports. As written, the report fails to adequately cover the EVCS criteria.

The WebTrust/PKI Task Force has published a draft set of illustrative reports to use as a basis (http://www.webtrust.org/practitioner-qualifications/item83253.pdf), so it should be fairly easy to resolve the missing bits.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
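Two of the findings in the message above are mechanically checkable against a set of CA certificates: a subordinate CA certificate with no EKU extension is unconstrained and can issue server-authentication certificates, and a Subject Key Identifier that appears under more than one subject DN signals key re-use across renamed CAs. The script below is an added example, not part of the original thread or of GDCA's or Mozilla's tooling. It uses the `cryptography` library and constructs its own demo hierarchy (a root, an SSL sub-CA, a code-signing sub-CA with an EKU, and a re-issued sub-CA under a new organisation name that reuses the SSL sub-CA's key); the common names and the hierarchy are made up, only the two organisation names are taken from the message.

```python
"""Audit a set of CA certificates for (a) sub-CAs able to issue server-auth
certs because they carry no EKU constraint and (b) key IDs shared by
different subject DNs.  Demo data is constructed in build_demo()."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def dn(org, cn):
    """Build a simple C/O/CN distinguished name."""
    return x509.Name([
        x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
    ])


def issue_ca(subject, issuer, subject_key, issuer_key, eku=None):
    """Issue a CA certificate; eku=None means no EKU extension at all,
    which is the unconstrained case the message complains about."""
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(issuer)
        .public_key(subject_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=3650))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()),
                       critical=False)
        .add_extension(x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
                       critical=False)
    )
    if eku is not None:
        builder = builder.add_extension(x509.ExtendedKeyUsage(eku), critical=False)
    return builder.sign(issuer_key, hashes.SHA256())


def can_issue_server_auth(cert):
    """A CA cert with no EKU extension is unconstrained; with an EKU it is
    in scope for server auth only if serverAuth or anyExtendedKeyUsage is listed."""
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return True
    return (ExtendedKeyUsageOID.SERVER_AUTH in eku
            or ExtendedKeyUsageOID.ANY_EXTENDED_KEY_USAGE in eku)


def key_id_reuse(certs):
    """Return {ski_hex: {subject DNs}} for every SKI seen under more than one DN."""
    seen = {}
    for cert in certs:
        ski = cert.extensions.get_extension_for_class(x509.SubjectKeyIdentifier).value.digest
        seen.setdefault(ski.hex(), set()).add(cert.subject.rfc4514_string())
    return {ski: dns for ski, dns in seen.items() if len(dns) > 1}


def build_demo():
    """Constructed demo hierarchy (hypothetical CNs; the two organisation
    names are the ones quoted in the message).  Keys are P-256 for speed."""
    root_key, ssl_key, cs_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    old_org = "GUANG DONG CERTIFICATE AUTHORITY CO.,LTD."
    new_org = "Global Digital Cybersecurity Authority Co., Ltd."
    root_dn = dn(old_org, "Demo R5 ROOT")
    root = issue_ca(root_dn, root_dn, root_key, root_key)
    ssl_ca = issue_ca(dn(old_org, "Demo R4 SSL CA"), root_dn, ssl_key, root_key)
    cs_ca = issue_ca(dn(old_org, "Demo R4 CodeSigning CA"), root_dn, cs_key, root_key,
                     eku=[ExtendedKeyUsageOID.CODE_SIGNING])
    # Same key as ssl_ca, new organisation name: identical SKI under a different DN.
    reissued = issue_ca(dn(new_org, "Demo R4 SSL CA"), root_dn, ssl_key, root_key)
    return {"root": root, "ssl": ssl_ca, "codesigning": cs_ca, "reissued": reissued}


def report(certs):
    """Print the two checks for a list of certificates."""
    for cert in certs:
        flag = "server-auth capable" if can_issue_server_auth(cert) else "constrained"
        print(f"{cert.subject.rfc4514_string()}: {flag}")
    for ski, dns in key_id_reuse(certs).items():
        print(f"key ID {ski} reused by: {sorted(dns)}")


if __name__ == "__main__":
    report(list(build_demo().values()))
```

To run it against a real hierarchy, replace `build_demo()` with `x509.load_pem_x509_certificate()` over the downloaded CA certificates; the two checks need only the extensions, not the signatures. A CA can of course be constrained without an EKU by other means (for example a technically constrained sub-CA via name constraints), so treat the "server-auth capable" flag as "not excluded by EKU" rather than a final verdict.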