China Financial Certification Authority (CFCA) has applied to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment.

The first discussion resulted in CA action items, which have been completed.
https://groups.google.com/d/msg/mozilla.dev.security.policy/2G6KuAT9Ekk/GyakphSLS5EJ
https://bugzilla.mozilla.org/show_bug.cgi?id=926029#c26

For your convenience, and because the request has been changed to be just for the EV root, I will re-summarize the request below.

CFCA is a national authority of security authentication approved by the People’s Bank of China and state information security administration. CFCA is a critical national infrastructure of financial information security and one of the first certification service suppliers granted a certification service license after the release of the Electronic Signature Law of the People’s Republic of China. There are more than 200 Chinese banks that are using CFCA’s certificates to ensure the security of online banking trade.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=926029

And in the pending certificates list:
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/pending/

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8545426

Noteworthy points:

* The primary documents are the CPS and CP, which are provided in Chinese, and the CPS has been translated into English.

Document repository: http://www.cfca.com.cn/us/us-12.htm
CPS (Chinese) http://www.cfca.com.cn/file/qqfwq-cps.zip
CP (Chinese): http://www.cfca.com.cn/file/qqfwq-cp.zip

CPS (English): http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar

* CA Hierarchy: The “CFCA EV ROOT” root has one internally-operated subordinate CA, “CFCA EV OCA”, which issues EV SSL certificates.

* This request is to turn on the websites trust bit for the “CFCA EV ROOT” root certificate, and enable EV treatment.

** CPS section 3.2.2.3: Applications for SSL Certificates can only be submitted to CFCA, who accepts applications from both organizations and individuals.

** CPS section 3.2.2.3: CFCA verifies not only the ID, address, and country of the applicant, but also the IP and the compliance of the CSR. The procedures are as follows: CFCA performs a WHOIS inquiry on the internet for the domain name supplied by the applicant, to verify that the applicant is the entity to whom the domain name is registered. Where the WHOIS record indicates otherwise, CFCA will ask for a letter of authorization, or email the register to inquire whether the applicant has been authorized to use the domain name. To verify the public IP, the subscriber can supply a sealed paper document or email from the ISP showing the IP is allocated by the ISP to the applicant.

** CPS section 3.2.2.4: Applications for EV SSL Certificates can only be submitted to CFCA. The subject must be the domain name of the web server, not the IP address. The domain name must not contain wildcards. The applicants can only be private organizations, business entities, government entities and non-commercial entities and should meet the following requirements: … [verification of identity, organization, and authority of the certificate subscriber]

** CPS section 3.2.2.4 part 6, Domain Name of the Applicant:
(1) The Applicant is the registered holder of the domain name or has been granted the exclusive right to use the domain name by the registered holder of the domain name.
(2) Domain registration information in the WHOIS database SHOULD be public and SHOULD show the name, physical address, and administrative contact information for the organization.
(3) The Applicant is aware of its registration or exclusive control of the domain name.

* EV Policy OID: 2.16.156.112554.3

* Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8356494

* Test Website: https://pub.cebnet.com.cn

* OCSP
http://ocsp.cfca.com.cn/ocsp/
CPS 4.8.9: The maximum validity period for OCSP response does not exceed 7 days.

* Audit: Annual audits are performed by PricewaterhouseCoopers according to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=1788&file=pdf
WebTrust EV: https://cert.webtrust.org/SealFile?seal=1786&file=pdf
WebTrust BR: https://cert.webtrust.org/SealFile?seal=1787&file=pdf

* Potentially Problematic Practices – None noted for this EV root and hierarchy.
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the second discussion of the request from CFCA to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
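The post lists the hierarchy (CFCA EV ROOT -> CFCA EV OCA -> EV SSL leaf), the EV policy OID 2.16.156.112554.3, the no-wildcard rule from CPS 3.2.2.4 and a test website. The script below is an added example (not part of the original post and not CFCA's or Mozilla's code) of the check a reviewer would run on such a chain: it extracts the certificatePolicies OIDs from the leaf, rejects wildcard names, and verifies subject/issuer chaining, CA bits and every signature up to the self-signed root. It uses the Python `cryptography` package and, so that it runs offline, builds a constructed chain with throwaway EC keys; the CA common names, the site name and the OID are taken from the post, while the organization names on the leaf and the key types are assumptions.

```python
# Added example (not from the original post, nor CFCA's code): check that a leaf
# certificate carries the EV policy OID from the post and chains, with valid
# signatures, to an EV hierarchy shaped like CFCA EV ROOT -> CFCA EV OCA -> leaf.
# The chain is CONSTRUCTED below with throwaway keys so the check runs offline;
# only the OID and the CA/site names are taken from the post.
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec, padding
from cryptography.x509.oid import NameOID

CFCA_EV_OID = "2.16.156.112554.3"  # EV policy OID from the post


def _ext(cert, cls):
    try:
        return cert.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def policy_oids(cert):
    """Dotted policy OIDs from certificatePolicies ([] when absent)."""
    cp = _ext(cert, x509.CertificatePolicies)
    return [p.policy_identifier.dotted_string for p in cp] if cp else []


def dns_names(cert):
    san = _ext(cert, x509.SubjectAlternativeName)
    return san.get_values_for_type(x509.DNSName) if san else []


def is_ca(cert):
    bc = _ext(cert, x509.BasicConstraints)
    return bool(bc and bc.ca)


def signed_by(cert, issuer):
    """True if issuer's public key verifies cert's signature (ECDSA or RSA)."""
    pub = issuer.public_key()
    try:
        if isinstance(pub, ec.EllipticCurvePublicKey):
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       ec.ECDSA(cert.signature_hash_algorithm))
        else:  # RSA PKCS#1 v1.5, as used by most web PKI roots
            pub.verify(cert.signature, cert.tbs_certificate_bytes,
                       padding.PKCS1v15(), cert.signature_hash_algorithm)
        return True
    except InvalidSignature:
        return False


def check_ev_chain(leaf, intermediate, root, ev_oid):
    """Return a list of problems; an empty list means the chain passes.

    Checks the EV OID on the leaf, rejects wildcard names (CPS 3.2.2.4),
    and verifies name chaining, CA bits and every signature."""
    problems = []
    if ev_oid not in policy_oids(leaf):
        problems.append(f"leaf lacks EV policy OID {ev_oid} (has {policy_oids(leaf)})")
    problems += [f"wildcard name in EV leaf: {n}" for n in dns_names(leaf) if n.startswith("*.")]
    if is_ca(leaf) or not (is_ca(intermediate) and is_ca(root)):
        problems.append("basicConstraints CA bits are wrong for this chain")
    if (leaf.issuer != intermediate.subject or intermediate.issuer != root.subject
            or root.issuer != root.subject):
        problems.append("issuer/subject names do not chain leaf -> intermediate -> root")
    for label, cert, issuer in (("leaf", leaf, intermediate),
                                ("intermediate", intermediate, root), ("root", root, root)):
        if not signed_by(cert, issuer):
            problems.append(f"{label} signature does not verify against its issuer")
    return problems


# ---- constructed chain: throwaway keys, names from the post ------------------
def _name(cn, org="China Financial Certification Authority"):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "CN"),
                      x509.NameAttribute(NameOID.ORGANIZATION_NAME, org),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _cert(subject, issuer, key, issuer_key, ca, policy=None, dns=None):
    start = datetime.datetime(2015, 1, 1)
    b = (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=365))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if policy:
        b = b.add_extension(x509.CertificatePolicies(
            [x509.PolicyInformation(x509.ObjectIdentifier(policy), None)]), critical=False)
    if dns:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(dns)]), critical=False)
    return b.sign(issuer_key, hashes.SHA256())


ROOT_KEY, OCA_KEY, LEAF_KEY, ROGUE_KEY = (ec.generate_private_key(ec.SECP256R1()) for _ in range(4))
ROOT = _cert(_name("CFCA EV ROOT"), _name("CFCA EV ROOT"), ROOT_KEY, ROOT_KEY, ca=True)
OCA = _cert(_name("CFCA EV OCA"), ROOT.subject, OCA_KEY, ROOT_KEY, ca=True)
SITE = _name("pub.cebnet.com.cn", org="Example Subscriber (constructed)")  # assumed subject
# What the test site's leaf should look like: EV OID present, exact host name.
GOOD_LEAF = _cert(SITE, OCA.subject, LEAF_KEY, OCA_KEY, ca=False,
                  policy=CFCA_EV_OID, dns="pub.cebnet.com.cn")
# Failure modes: a non-EV wildcard leaf, and a leaf that carries the EV OID and
# names the OCA as issuer but was signed by a key the OCA never had.
NOT_EV_LEAF = _cert(SITE, OCA.subject, LEAF_KEY, OCA_KEY, ca=False, dns="*.cebnet.com.cn")
ROGUE_LEAF = _cert(SITE, OCA.subject, LEAF_KEY, ROGUE_KEY, ca=False,
                   policy=CFCA_EV_OID, dns="pub.cebnet.com.cn")

if __name__ == "__main__":
    for label, leaf in (("good", GOOD_LEAF), ("not-ev", NOT_EV_LEAF), ("rogue", ROGUE_LEAF)):
        print(f"{label}: {check_ev_chain(leaf, OCA, ROOT, CFCA_EV_OID) or 'OK'}")
```

Against a real site the same `check_ev_chain` would be fed the certificates served by the TLS handshake plus the candidate root from the bug attachment; the rogue-leaf case is there to show that the policy OID alone proves nothing until the signature path to the root has been verified.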
