This request is for inclusion of the Chunghwa Telecom eCA as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1341604
* BR Self Assessment is here: https://bugzilla.mozilla.org/attachment.cgi?id=8963172
* Summary of Information Gathered and Verified: https://bug1341604.bmoattachments.org/attachment.cgi?id=8960397
* Root Certificate Download URL: http://eca.hinet.net/download/eCA2.cer
* CP/CPS:
** Root CP: http://eca.hinet.net/download/ePKI_CP_v1.5(Eng).pdf
** Root CPS: https://bug1341604.bmoattachments.org/attachment.cgi?id=8961804
** Public (DV, OV) intermediate CPS: https://bug1341604.bmoattachments.org/attachment.cgi?id=8961805
** EV intermediate CPS: https://bug1341604.bmoattachments.org/attachment.cgi?id=8961812
* This request is to turn on the Websites and Email trust bits. EV treatment is requested.
* EV Policy OID: 2.23.140.1.1
* Test Websites:
** Valid: https://ev.hinet.net/
** Expired: https://ra.testev.hinet.net/
** Revoked: https://testev.hinet.net/
* CRL URL: http://repository.ev.hinet.net/crl/EVSSL/complete.crl
* OCSP URL: http://ocsp.ev.hinet.net/OCSP/ocsp
* Audit: Annual audits are performed by SunRise CPAs / DFK International according to the WebTrust for CA, BR, and EV audit criteria.
** WebTrust: https://cert.webtrust.org/SealFile?seal=2306&file=pdf
** BR: https://cert.webtrust.org/SealFile?seal=2307&file=pdf
** EV: https://cert.webtrust.org/SealFile?seal=2279&file=pdf

I’ve reviewed the CPS, BR Self Assessment, and related information for the Chunghwa Telecom eCA inclusion request that is being tracked in this bug and have the following comments:

==Good==
* Clean WebTrust & BR audit statements cover periods back to the creation of this root in 2015.
* The CPSs properly document 825-day maximum validity periods, and change logs were recently added.

==Meh==
* Both of the domain validation methods that will be deprecated on 1-August are currently listed as in-use in the root CP/CPS.
* CAA Issuer Domain Names are only specified in the root CP, in section 1.3.2.2 rather than 2.2.
* For domain validation, each CPS does not state which subsection of BR 3.2.2.4 it is complying with, as recommended by our policy.
* There is, in my opinion, an excessive amount of duplication of information between the CP and 3 CPSs (over 600 pages in total), making the review of these docs difficult and tedious.

==Bad==
* A large number of certificates have been misissued from the “Public Certification Authority - G2” intermediate [1] (recent example: [2]). Many of these certificates remain valid. Chunghwa Telecom has published a response to these errors [3] in the inclusion bug. My main concern with the response is the assertion that some of these are not SSL certificates bound to follow the BRs because they do not contain the CAB Forum OV OID in the certificate policies extension. This assertion contradicts section 1.1 of Mozilla policy.

This begins the 3-week comment period for this request [4]. I will greatly appreciate your thoughtful and constructive feedback on the acceptance of this root into the Mozilla CA program.

- Wayne

[1] https://crt.sh/?CAID=1770&opt=cablint,zlint,x509lint&minNotBefore=2015-01-01
[2] https://crt.sh/?id=290793483&opt=zlint,cablint,x509lint
[3] https://bug1341604.bmoattachments.org/attachment.cgi?id=8974418
[4] https://wiki.mozilla.org/CA/Application_Process

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
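The dispute in the "Bad" item above turns on how a certificate is decided to be in BR scope: by whether it is technically capable of TLS server use, not by whether the CA put a CA/Browser Forum policy OID in it. The following is an added example, not code from the post, from Mozilla, or from Chunghwa Telecom: a minimal pure-Python DER walk that pulls the three fields such a review checks first (validity period, extendedKeyUsage, certificatePolicies) out of a certificate, then applies the 825-day limit the CPSs cite. Assumptions, labelled in the code: the scope rule implemented (no EKU, or id-kp-serverAuth / anyExtendedKeyUsage, means TLS-capable) is my reading of Mozilla policy section 1.1; the sample certificates are constructed in the block with placeholder key and signature bytes and no signature is verified; the crt.sh lint links in the post do far more than this, and nothing here replaces them.

```python
"""Minimal DER walk over an X.509 certificate for a BR-scope review.

Added example, not code from the post, Mozilla or Chunghwa Telecom.  Assumptions:
the sample certificates below are constructed with placeholder key/signature bytes
(nothing is verified), and the scope rule (no EKU, or serverAuth/anyExtendedKeyUsage,
means TLS-capable and so in scope) is my reading of Mozilla policy section 1.1.
"""
from datetime import datetime, timezone

OID_EKU, OID_POLICIES = "2.5.29.37", "2.5.29.32"
OID_SERVER_AUTH, OID_ANY_EKU = "1.3.6.1.5.5.7.3.1", "2.5.29.37.0"
CABF_POLICIES = {"2.23.140.1.1": "EV", "2.23.140.1.2.1": "DV",
                 "2.23.140.1.2.2": "OV", "2.23.140.1.2.3": "IV"}

def tlv(buf, pos=0):
    """(tag, value, next_pos) for the definite-length TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, buf[pos + 2:pos + 2 + first], pos + 2 + first
    n = first & 0x7F
    length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length

def children(value):
    """Elements of a constructed value (SEQUENCE, SET, [n]) as (tag, inner) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        out.append((tag, inner))
    return out

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_time(tag, value):  # 0x17 UTCTime, 0x18 GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(der):
    tbs = children(children(der)[0][1])[0][1]      # Certificate -> TBSCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, sigAlg, issuer, validity, subject, spki, [1]/[2] ids, [3] extensions
    not_before, not_after = [decode_time(t, v) for t, v in children(fields[3][1])]
    eku, policies = None, []
    for tag, inner in fields[6:]:
        if tag != 0xA3:
            continue
        for _, ext in children(children(inner)[0][1]):
            parts = children(ext)                  # OID, [critical BOOLEAN], OCTET STRING
            body = children(parts[-1][1])[0][1]    # contents of the SEQUENCE in the OCTET STRING
            ext_oid = decode_oid(parts[0][1])
            if ext_oid == OID_EKU:
                eku = [decode_oid(v) for _, v in children(body)]
            elif ext_oid == OID_POLICIES:          # PolicyInformation ::= SEQUENCE { OID, qualifiers? }
                policies = [decode_oid(children(p)[0][1]) for _, p in children(body)]
    return {"not_before": not_before, "not_after": not_after, "eku": eku, "policies": policies}

def br_scope_review(der, max_days=825):
    """Classify a certificate as a BR-scope review would: scope follows the EKU,
    not whether the CA chose to include a CA/Browser Forum policy OID (assumed reading of
    Mozilla policy 1.1).  max_days is the 825-day limit the CPSs document."""
    c = parse_certificate(der)
    tls_capable = c["eku"] is None or bool({OID_SERVER_AUTH, OID_ANY_EKU} & set(c["eku"]))
    lifetime = (c["not_after"] - c["not_before"]).days
    return {"tls_capable": tls_capable,
            "cabf_policies": [CABF_POLICIES[o] for o in c["policies"] if o in CABF_POLICIES],
            "lifetime_days": lifetime, "lifetime_ok": lifetime <= max_days}

# ---- DER encoding, used only to construct the sample certificates ----------------
def enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def seq(*items):
    return enc(0x30, b"".join(items))

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return enc(0x06, bytes(body))

def name(cn):  # Name ::= SEQUENCE OF SET OF { commonName OID, UTF8String }
    return seq(enc(0x31, seq(enc_oid("2.5.4.3"), enc(0x0C, cn.encode()))))

RSA_SHA256 = seq(enc_oid("1.2.840.113549.1.1.11"), enc(0x05, b""))
ZERO_BITS = enc(0x03, bytes(9))                    # placeholder key / signature BIT STRING

def build_sample_cert(not_before, not_after, eku=None, policies=()):
    """Constructed v3 certificate (not a real one); times are UTCTime strings."""
    exts = []
    if eku is not None:
        exts.append(seq(enc_oid(OID_EKU), enc(0x04, seq(*map(enc_oid, eku)))))
    if policies:
        exts.append(seq(enc_oid(OID_POLICIES), enc(0x04, seq(*(seq(enc_oid(o)) for o in policies)))))
    tbs = seq(enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01"), RSA_SHA256, name("Constructed Test CA"),
              seq(enc(0x17, not_before.encode()), enc(0x17, not_after.encode())), name("www.example.test"),
              seq(seq(enc_oid("1.2.840.113549.1.1.1"), enc(0x05, b"")), ZERO_BITS), enc(0xA3, seq(*exts)))
    return seq(tbs, RSA_SHA256, ZERO_BITS)

# Constructed inputs: a 3-year serverAuth cert carrying only a CA-private policy OID,
# a 2-year serverAuth cert carrying the CA/B Forum OV OID, and a clientAuth-only cert.
SAMPLE_NO_CABF_OID = build_sample_cert("180301000000Z", "210301000000Z", eku=[OID_SERVER_AUTH],
                                       policies=["1.3.6.1.4.1.99999.1.1"])
SAMPLE_OV = build_sample_cert("180401000000Z", "200401000000Z", eku=[OID_SERVER_AUTH],
                              policies=["2.23.140.1.2.2", "1.3.6.1.4.1.99999.1.2"])
SAMPLE_CLIENT_ONLY = build_sample_cert("180401000000Z", "200401000000Z", eku=["1.3.6.1.5.5.7.3.2"])

if __name__ == "__main__":
    for label, der in (("no CABF OID", SAMPLE_NO_CABF_OID), ("OV", SAMPLE_OV), ("clientAuth", SAMPLE_CLIENT_ONLY)):
        print(label, br_scope_review(der))
```

The first sample is the shape of certificate the response in [3] argues is out of scope: serverAuth EKU, a CA-private policy OID only, and a three-year lifetime. The review function still reports it as TLS-capable with an over-limit lifetime, because nothing in the scope test looks at policy OIDs. To run it against a real leaf, feed `br_scope_review` the DER bytes of the certificate (for a PEM file, base64-decode the body between the BEGIN/END lines).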