On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> This request from Guangdong Certificate Authority (GDCA) is to include the 
> "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and 
> enabled EV treatment.
> * CA Hierarchy: This root certificate has internally-operated subordinate CAs
> - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
> - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV 
> CodeSigning certs)
> * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian LLP 
> according to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf

Kathleen and team,

I reviewed the annual audit reports linked in your email, including
the auditor's opinion and the management assertions.

- The reports and management assertion include an English language version
- The English versions are authoritative (no qualification the Chinese
language version holds in case of conflict)
- The reports clearly state they use the International Standard on
Assurance Engagements (ISAE) 3000 standard
- The report and assertion use the current version of the criteria
- The assertions include details of each CA in the appendix, including
an indication of whether it is a Root CA and a cryptographic hash
(fingerprint) associated with each CA

Opportunties for Improvement:
- The basic WebTrust Report and assertion do not specify location(s)
where services are provided.  Other reports do indicate the services
are provided in/from China.
- The opinions do not specify the list of Certification Authorities in scope
- The reports and asssertions do not specify the versions of the CP and CPS
- The management assertion appendixes mix keys and certificates.  The
certificate is not the interesting part; the CA Distinguished Name
(DN), type (Root or not), Key, and Key ID are the interesting parts.
- The BR report repeats a bullet under "Maintained effective controls
to provide reasonable assurance that:"

- The basic WebTrust for CA Report does not cover controls that
provide assurance that subordinate CA certificate requests are
accurate, authenticated, and approved (the management assertion does,
so this indicates the auditor might have found issues with the
- The basic WebTrust for CA Management assertion does not include
Subordinate CA [cross-]certification in the list of CA services
- The basic WebTrust for CA  Management assertion does not include
"Subordinate CA Certificate Lifecycle Management Controls" in the list
of portions of criteria used
- After the reporting period ended, GDCA issued at least two new
subordinate CA certificates from the R5 root.  These use the
organization name of "Global Digital Cybersecurity Authority Co.,
Ltd." and have keys and key IDs that are identical to those found in
problematic as re-use of key IDs with different issuer names causes
problems on some platforms.  Additionally the separate DN means it is
out of scope for the submitted report.  Combined with the lack of
audited controls around subordinate CA management, CAs outside of the
scope of the report may be a significant concern.
- The Baseline + Network Security Requirements report and management
assertion only covers two of the CAs.  However the cross-certs issued
by the root to the subordinate CAs do not include EKU constraints, so
the subordinate CAs are capable of issuing server authentication
("SSL") certificates.  The assertion and report should include all CAs
that are capable of issuing ser authentication certificates.
- The Baseline report does not provide an option that GDCA "maintained
effective controls to provide reasonable assurance that it meets the
Network and Certificate System Security Requirements as set forth by
the CA/Browser Forum"
- The Extended Validation report and management assertion attempts to
merge the Extended Validation SSL and Extended Validation Code Signing
criteria.  These should be distinct reports.  As writtten, the report
fails to adequately cover the EVCS critera.

The WebTrust/PKI Task Force has published a draft set of illustrative
reports to use as a basis
so it should be faily easy to resolve the missing bits.

dev-security-policy mailing list

Reply via email to