On Saturday, September 17, 2016 at 5:38:29 AM UTC+8, Percy wrote:
> On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote:
> > This request from Guangdong Certificate Authority (GDCA) is to include the 
> > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and 
> > enable EV treatment.
> > 
> > GDCA is a nationally recognized CA that operates under China’s Electronic 
> > Signature Law. GDCA’s customers are business corporations registered in 
> > mainland China, government agencies of China, individuals or mainland China 
> > citizens, servers of business corporations which have been registered in 
> > mainland China, and software developers.
> > 
> > The request is documented in the following bug:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
> > 
> > And in the pending certificates list:
> > https://wiki.mozilla.org/CA:PendingCAs
> > 
> > Summary of Information Gathered and Verified:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8749437
> > 
> > Noteworthy points:
> > 
> > * Root Certificate Download URL:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> > https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
> > 
> > * The primary documents are provided in Chinese.
> > 
> > CA Document Repository: 
> > https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> > http://www.gdca.com.cn/cp/cp
> > http://www.gdca.com.cn/cps/cps
> > http://www.gdca.com.cn/cp/ev-cp
> > http://www.gdca.com.cn/cps/ev-cps
> > 
> > Translations into English:
> > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> > CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> > 
> > * CA Hierarchy: This root certificate has internally-operated subordinate 
> > CAs
> > - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> > - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> > - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> > - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL 
> > certs)
> > - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV 
> > CodeSigning certs)
> > 
> > * This request is to turn on the Websites trust bit.
> > 
> > CPS section 3.2.5: For domain verification, GDCA needs to check the written 
> > materials provided by the applicant that can be used to prove ownership of 
> > the corresponding domain. Meanwhile, GDCA should confirm ownership of the 
> > domain with the corresponding registrant or other authoritative third-party 
> > databases. During the verification, GDCA needs to perform the following 
> > procedures:
> > 1. GDCA should confirm that the domain's owner is the certificate applicant, 
> > based on the information provided by the applicant and queried from the 
> > corresponding domain registrant or authoritative third-party database.
> > 2. GDCA should confirm that the significant information in the application 
> > materials (such as the applicant's document information) is consistent with 
> > the reply of the domain's owner, by sending an email or making a phone call 
> > using the contact information (such as email, registrar, administrator's 
> > email published on this domain's website, etc.) queried from the 
> > corresponding domain registrant or authoritative third-party database.
> > If necessary, GDCA also needs to take other review measures to confirm 
> > ownership of the domain name. The applicant cannot refuse a request to 
> > provide appropriate assistance.
> > 
> > 
> > * EV Policy OID: 1.2.156.112559.1.1.6.1
> > 
> > * Test Website: https://ev-ssl-test-1.95105813.cn/
> > 
> > * CRL URLs:
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
> > 
> > * OCSP URL:
> > http://www.gdca.com.cn/TrustAUTH/ocsp
> > 
> > * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian 
> > LLP according to the WebTrust criteria.
> > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> > WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
> > 
> > * Potentially Problematic Practices: None Noted
> > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > 
> > This begins the discussion of the request from Guangdong Certificate 
> > Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn 
> > on the Websites trust bit, and enable EV treatment. At the conclusion of 
> > this discussion I will provide a summary of issues noted and action items. 
> > If there are outstanding issues, then an additional discussion may be 
> > needed as follow-up. If there are no outstanding issues, then I will 
> > recommend approval of this request in the bug.
> > 
> > Kathleen
> 
> https://www.ssllabs.com/ssltest/analyze.html?d=www.gdca.com.cn
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability 
> (CVE-2016-2107) and insecure. Grade set to F.
> 
> Maybe someone who has more expertise than me could take a look at this?
Thank you for your review of our server. We have fixed this issue. Now the 
server returns "If trust issues are ignored: A". Please verify.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy