On 23/09/16 12:38, Richard Wang wrote:
> Please check this news (Feb 25th 2015) in OSCCA website:
> http://www.oscca.gov.cn/News/201312/News_1254.htm that all China
> licensed CA finished the PKI/CA system upgrade that all licensed CA
> MUST be able to issue SM2 certificate to subscribers.

I have only Google Translate to go on, but I can't see how that
announcement says that all licensed CAs MUST issue SM2 certificates to
subscribers from their _publicly-trusted_ roots. As you know, you can
install additional root certificates in any browser for testing purposes.

> As I said in last year CABF face to face meeting in Switzerland,
> WebTrust is USA standard, ETSI is Europe standard, I think China have
> its own standard also. This is a problem for global CA that have
> business in worldwide countries that maybe need to setup many roots
> to manage for complying with different standard.

WebTrust is not a USA standard; it would be better to describe it as an
everywhere-but-Europe standard - and I believe even some European CAs
have WebTrust audits. But anyway, this is nothing to do with audit
standards and WebTrust vs. ETSI, this is to do with the Baseline
Requirements, which are a global standard for trust in the Web PKI.

> We know issuing SM2 cert is not complied with BR, but you can treat
> it as "compelled" by regulations, 

There is a mechanism in the BRs (section 9.16.3) for a CA to explain
that they have been compelled by local law to do something violating the
BRs. They can then document it and do it, as long as the CAB Forum is
notified. That did not happen in this case. I'm fairly sure you know
about this section because we've just passed a ballot amending it (which
you voted in favour of), and we've debated it several times.

dev-security-policy mailing list
