This request from Guangdong Certificate Authority (GDCA) is to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and enable EV treatment.
GDCA is a nationally recognized CA that operates under China’s Electronic Signature Law. GDCA’s customers are business corporations registered in mainland China, government agencies of China, individuals or mainland China citizens, servers of business corporations which have been registered in mainland China, and software developers.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1128392

And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8749437

Noteworthy points:

* Root Certificate Download URL:
https://bugzilla.mozilla.org/attachment.cgi?id=8748933
https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der

* The primary documents are provided in Chinese.

CA Document Repository:
https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
http://www.gdca.com.cn/cp/cp
http://www.gdca.com.cn/cps/cps
http://www.gdca.com.cn/cp/ev-cp
http://www.gdca.com.cn/cps/ev-cps

Translations into English:
CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749

* CA Hierarchy: This root certificate has internally-operated subordinate CAs
- GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
- GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
- GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
- GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
- GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV CodeSigning certs)

* This request is to turn on the Websites trust bit.

CPS section 3.2.5: For domain verification, GDCA needs to check the written materials which can be used to prove the ownership of corresponding domain provided by applicant. Meanwhile, GDCA should ensure the ownership of domain from corresponding registrant or other authoritative third-party databases.
During the verification, GDCA needs to perform the following procedures:
1. GDCA should confirm that the domain's owner is certificate applicant based on the information queried from corresponding domain registrant or authoritative third-party database and provided by applicant.
2. GDCA should confirm that the significant information (such as document information of applicant) in application materials are consistent with the reply of domain's owner by sending email or making phone call based on the contact information (such as email, registrar, administrator's email published at this domain's website, etc.) queried from corresponding domain registrant or authoritative third-party database.
If necessary, GDCA also need to take other review measures to confirm the ownership of the domain name. Applicant can't refuse to the request for providing appropriate assistance.

* EV Policy OID: 1.2.156.112559.1.1.6.1

* Test Website: https://ev-ssl-test-1.95105813.cn/

* CRL URLs:
http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl

* OCSP URL:
http://www.gdca.com.cn/TrustAUTH/ocsp

* Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian LLP according to the WebTrust criteria.
WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf

* Potentially Problematic Practices: None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from Guangdong Certificate Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and enable EV treatment. At the conclusion of this discussion I will provide a summary of issues noted and action items.
If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.

Kathleen

