On 2016-09-23 13:38, Richard Wang wrote:
> Hi Gerv,
>
> Please check this news (Feb 25th 2015) on the OSCCA website:
> http://www.oscca.gov.cn/News/201312/News_1254.htm that all China-licensed CAs
> have finished the PKI/CA system upgrade, so that all licensed CAs MUST be able
> to issue SM2 certificates to subscribers.
>
> As I said at last year's CABF face-to-face meeting in Switzerland, WebTrust is
> a USA standard, ETSI is a European standard, and I think China has its own
> standard too. This is a problem for global CAs that do business in countries
> worldwide and may need to set up and manage many roots to comply with the
> different standards.
>
> We know issuing SM2 certs does not comply with the BRs, but you can treat it
> as "compelled" by regulations, so we need to test the gateway with both an RSA
> certificate and an SM2 certificate installed, on the public Internet, to test
> the auto-negotiation between browser and gateway: if a browser like Firefox
> doesn't support SM2, the gateway will use the RSA certificate for
> communication; if a browser like 360 browser supports SM2, it will use the SM2
> certificate.
There seem to be several governments that define their own standard,
like GOST in Russia, SEED in South Korea, and SM2/SM3/SM4 in China.
I guess you could also see AES as a USA standard and Camellia as a
Japanese standard.

Internationally we do not want to support all such standards, which is
why we select some. I think this selection is mostly based on the trust
that there is in that algorithm based on international review of them.

The only suggestion I have is that if the government requires you to use
those algorithms for certain certificates, you use a separate CA root
for that.

Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
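The RSA/SM2 auto-negotiation Richard describes, combined with the separate-root arrangement Kurt suggests, modelled as an added Python example (this is not code from the thread, from Mozilla or from any CA). It assumes a gateway holding one RSA chain under a public, BR-audited root and one SM2 chain under a separate national root; it reads the signature schemes and cipher suites a client advertises and picks the chain that client can verify, and it refuses to serve an SM2 leaf that chains to the public root. The code points are the TLS 1.3 values from RFC 8446 and RFC 8998 (the SM2 browsers of 2016 spoke a national TLS variant instead, which is not modelled here); the root names, chain records and client profiles are constructed for the example.

```python
from dataclasses import dataclass

# TLS 1.3 SignatureScheme code points (IANA TLS SignatureScheme registry).
RSA_PSS_RSAE_SHA256 = 0x0804     # RFC 8446
RSA_PKCS1_SHA256 = 0x0401        # RFC 8446
ECDSA_SECP256R1_SHA256 = 0x0403  # RFC 8446
SM2SIG_SM3 = 0x0708              # RFC 8998

# TLS 1.3 cipher suite code points.
TLS_AES_128_GCM_SHA256 = 0x1301  # RFC 8446
TLS_SM4_GCM_SM3 = 0x00C6         # RFC 8998
TLS_SM4_CCM_SM3 = 0x00C7         # RFC 8998
SM_SUITES = {TLS_SM4_GCM_SM3, TLS_SM4_CCM_SM3}

# Constructed root names standing in for two separate hierarchies.
PUBLIC_ROOT = "Example Public Root (BR-audited)"   # constructed
NATIONAL_ROOT = "Example SM2 National Root"        # constructed

# Policy (Kurt's suggestion): each key type may only chain to the roots listed here.
ALLOWED_ROOTS = {
    "RSA": {PUBLIC_ROOT},
    "SM2": {NATIONAL_ROOT},
}


@dataclass(frozen=True)
class CertChain:
    """Constructed stand-in for an installed server certificate chain."""
    key_type: str    # "RSA" or "SM2"
    root_name: str   # trust anchor the chain terminates in
    sig_scheme: int  # SignatureScheme the leaf key produces


class PolicyViolation(Exception):
    """Raised when a chain sits under a root the policy forbids for its key type."""


def check_root_policy(chain: CertChain) -> bool:
    """Fail closed: an SM2 leaf under the public root must never be offered."""
    allowed = ALLOWED_ROOTS.get(chain.key_type, set())
    if chain.root_name not in allowed:
        raise PolicyViolation(
            f"{chain.key_type} chain terminates in '{chain.root_name}', "
            f"allowed roots: {sorted(allowed)}")
    return True


def client_supports_sm2(sig_schemes, cipher_suites) -> bool:
    """An RFC 8998 client offers sm2sig_sm3 together with an SM4/SM3 cipher suite."""
    return SM2SIG_SM3 in sig_schemes and bool(SM_SUITES & set(cipher_suites))


def select_chain(sig_schemes, cipher_suites, chains):
    """Choose which installed chain to send in the server Certificate message.

    Preference: SM2 when the client can verify it, otherwise RSA when the
    client lists the scheme the RSA leaf produces, otherwise None (a real
    handshake would end in a handshake_failure alert).
    """
    for chain in chains:
        check_root_policy(chain)          # check every chain before offering any
    by_type = {c.key_type: c for c in chains}
    sm2 = by_type.get("SM2")
    if sm2 is not None and client_supports_sm2(sig_schemes, cipher_suites):
        return sm2
    rsa = by_type.get("RSA")
    if rsa is not None and rsa.sig_scheme in sig_schemes:
        return rsa
    return None


# Constructed gateway configuration: one chain per hierarchy.
RSA_CHAIN = CertChain("RSA", PUBLIC_ROOT, RSA_PSS_RSAE_SHA256)
SM2_CHAIN = CertChain("SM2", NATIONAL_ROOT, SM2SIG_SM3)
GATEWAY_CHAINS = [RSA_CHAIN, SM2_CHAIN]

# Constructed ClientHello profiles: (signature_algorithms, cipher_suites).
RSA_ONLY_CLIENT = ([RSA_PSS_RSAE_SHA256, ECDSA_SECP256R1_SHA256], [TLS_AES_128_GCM_SHA256])
SM2_CLIENT = ([SM2SIG_SM3, RSA_PSS_RSAE_SHA256], [TLS_SM4_GCM_SM3, TLS_AES_128_GCM_SHA256])
ECDSA_ONLY_CLIENT = ([ECDSA_SECP256R1_SHA256], [TLS_AES_128_GCM_SHA256])


if __name__ == "__main__":
    profiles = {"rsa-only browser": RSA_ONLY_CLIENT,
                "sm2-capable browser": SM2_CLIENT,
                "ecdsa-only client": ECDSA_ONLY_CLIENT}
    for name, (schemes, suites) in profiles.items():
        chosen = select_chain(schemes, suites, GATEWAY_CHAINS)
        print(f"{name}: {chosen.key_type if chosen else 'handshake_failure'}")
```

The policy check runs on every installed chain before any selection, so a misconfigured gateway (an SM2 leaf issued under the public root) fails at startup rather than silently serving a non-BR certificate to the clients that happen to negotiate it.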