On Tuesday, January 15, 2019 at 8:58:30 AM UTC+8, David E. Ross wrote:
> On 1/14/2019 4:18 PM, Wayne Thayer wrote:
> > This request is for inclusion of the Government of Hong Kong, Hongkong
> > Post, Certizen Hongkong Post Root CA 3 trust anchor as documented in the
> > following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1464306
> >
> > * BR Self Assessment is here:
> > https://bug1464306.bmoattachments.org/attachment.cgi?id=8980480
> >
> > * Summary of Information Gathered and Verified:
> > https://bug1464306.bmoattachments.org/attachment.cgi?id=9004396
> >
> > * Root Certificate Download URL:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8980482
> >
> > * CP/CPS:
> > CP: there is no CP
> > CPS: https://www.ecert.gov.hk/ev/e-Cert%20(Server)%20CPS-Eng-1.7.4.pdf
> >
> > * This request is to include the root with the websites trust bit enabled
> > and EV treatment.
> >
> > * EV Policy OID: 2.23.140.1.1
> >
> > * Test Websites
> > https://valid-ev.ecert.gov.hk/
> > https://expired-ev.hongkongpost.gov.hk
> > https://revoked-ev.hongkongpost.gov.hk
> >
> > * CRL URLs:
> > http://crl1.hongkongpost.gov.hk/crl/RootCA3ARL.crl
> > http://crl1.hongkongpost.gov.hk/crl/eCertESCA3-17CRL1.crl
> >
> > * OCSP URL:
> > http://ocsp1.hongkongpost.gov.hk
> >
> > * Audit: Annual audits are performed by PricewaterhouseCoopers Hong Kong
> > according to the WebTrust for CA, BR, and EV audit criteria.
> > WebTrust: https://www.cpacanada.ca/webtrustseal?sealid=2405
> > BR: https://www.cpacanada.ca/webtrustseal?sealid=2406
> > EV:
> > https://www.ecert.gov.hk/ev/Webtrust%20EV%20SSL%20Report%2020181219_FINAL%20(with%20Management%20Assertion%20Letter).pdf
> >
> > I’ve reviewed the CPS, BR Self Assessment, and related information for
> > inclusion of the Certizen Hongkong Post Root CA 3 that is being tracked in
> > this bug and have the following comments:
> >
> > ==Good==
> > This root is relatively new, has continuous BR audit coverage, and appears
> > to have only signed certificates for the required test websites.
> >
> > ==Meh==
> > * The first EV audit was a point-in-time dated March 31, 2018 [1]. Given
> > that EV certificates for the test sites were issued in May 2018, one can
> > argue that EVGL section 17.4 required a period-of-time audit to have been
> > completed in October rather than December as was the case. However, it has
> > been common for CAs to argue that certificates for test websites don’t
> > count and I have not yet published clear guidance on this issue.
> > * There is no document referenced as a CP. Hongkong Post says that the
> > document is a combined CP/CPS.
> > * In 2016, it was discovered that Hongkong Post was issuing SHA-1
> > certificates with non-random serial numbers that could be used for TLS in
> > Firefox [2] [3]. The problem was resolved by adding the problematic
> > intermediate certificate to OneCRL.
> > * The CPS permits external RAs, but according to Appendix E, there are none
> > at present. I would prefer that the CPS clearly state that domain
> > validation functions are never delegated.
> > * Hongkong Post has attached unpublished versions 2 and 3 of their CPS to
> > the bug that differ from the published versions 2 and 3 in their
> > repository. The latest version “4” is marked as a “Pre-production CPS”.
> > They state that “…we cannot issue EV certificate to customers until
> > Mozilla, or at least some other root certificate programs, have granted EV
> > treatment to our root certificate. So, we do not yet publish the CPS in
> > order to avoid confusion to customers.”
> >
> > ==Bad==
> > * Fairly recent misissuance under the currently included Hong Kong Post
> > Root CA 1: O and OU fields too long [4]. These certificates have all been
> > revoked, but no incident report was ever filed.
> > * CPS section 3.4 indicates that certificates may be suspended. This would
> > violate BR 4.9.13. This has been corrected in the “Pre-production” CPS but
> > not the current CPS for their existing root [5].
> > * CPS section 4.9.1 does not appear to include all the revocation reasons
> > required by BR 4.9.1.1. This has been corrected in the “Pre-production” CPS
> > but not the current CPS for their existing root [5].
> >
> > This begins the 3-week comment period for this request [6].
> >
> > I will greatly appreciate your thoughtful and constructive feedback on the
> > acceptance of this root into the Mozilla CA program.
> >
> > - Wayne
> >
> > [1] https://bug1464306.bmoattachments.org/attachment.cgi?id=8980478
> > [2]
> > https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/Ng99HcqhZtI/bkcimGlECAAJ
> > [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1267332
> > [4]
> > https://crt.sh/?caid=7319&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
> > [5] https://www.ecert.gov.hk/product/cps/ecert/img/server_cps_en3.pdf
> > [6] https://wiki.mozilla.org/CA/Application_Process
> >
>
> I would think that lack of a CP alone would disqualify this root.

I think it is ok to combine the CP/CPS into one document instead of maintaining two separate documents. The following is from WebTrust for CA 2.1:

"Together, the CP and CPS represent a CA’s business practice disclosures. It is leading practice for the CP at a minimum be publically available to relying parties, and most CAs also make their CPS publically available. Many CAs also publish a combined CP/CPS document instead of maintaining two separate documents."

> Furthermore, the "Meh" issues should be resolved before approval.
>
> --
> David E. Ross
>
> Trump again proves he is a major source of fake news. He wants
> to cut off disaster funds to repair the damage caused by the
> Woolsey Fire in southern California because he claims the state
> fails to manage its forests properly. The Woolsey Fire was NOT
> a forest fire. Starting in an industrial tract, it did not burn
> through any forests.
>
> See <http://www.rossde.com/fire.html>.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
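The "O and OU fields too long" misissuance in the ==Bad== list is the kind of defect cablint/zlint catch by checking subject attribute values against the RFC 5280 Appendix A upper bounds. As an added example (not code from the thread, from Mozilla, or from Hongkong Post), the stdlib-only Python below encodes a constructed subject Name and lints it; `encode_name` and `lint_name` are hypothetical helper names, and the input Names are constructed rather than taken from any real certificate.

```python
# Added example, not from the thread: lint a DER-encoded X.509 subject Name
# against the RFC 5280 Appendix A upper bounds behind the cablint/zlint
# "O/OU too long" finding. Input Names here are constructed, not real certs.
UB = {  # DER contents of the attribute OID -> (name, ub-* limit in characters)
    b"\x55\x04\x0a": ("organizationName", 64),        # id-at-organizationName
    b"\x55\x04\x0b": ("organizationalUnitName", 64),  # id-at-organizationalUnitName
}

def _tlv(tag, body):  # DER TLV with short or long-form length
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_name(attrs):
    """[(OID contents, str)] -> DER Name: SEQUENCE OF SET OF SEQUENCE {OID, UTF8String}."""
    rdns = (_tlv(0x31, _tlv(0x30, _tlv(0x06, oid) + _tlv(0x0C, v.encode()))) for oid, v in attrs)
    return _tlv(0x30, b"".join(rdns))

def _read_tlv(buf, pos):  # -> (tag, contents, position after the element)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def lint_name(der):
    """Return (attribute, actual length, bound) for each value over its RFC 5280 bound."""
    findings = []
    _, seq, _ = _read_tlv(der, 0)
    pos = 0
    while pos < len(seq):  # each RelativeDistinguishedName (SET)
        _, rdn, pos = _read_tlv(seq, pos)
        p = 0
        while p < len(rdn):  # each AttributeTypeAndValue in the SET
            _, atv, p = _read_tlv(rdn, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            name, ub = UB.get(oid, (None, None))
            length = len(val.decode("utf-8"))  # the bounds count characters, not bytes
            if ub is not None and length > ub:
                findings.append((name, length, ub))
    return findings

if __name__ == "__main__":
    # Constructed subject in the shape of the misissued certs: OU far over 64 chars
    subject = encode_name([(b"\x55\x04\x0a", "Example Org"), (b"\x55\x04\x0b", "X" * 70)])
    print(lint_name(subject))
```

Attributes with no entry in `UB` (for example commonName) are parsed but not reported, and a multi-byte UTF-8 value of 64 characters passes because the bounds are defined in characters.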