On Saturday, September 17, 2016 at 5:38:29 AM UTC+8, Percy wrote:
> On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote:
> > This request from Guangdong Certificate Authority (GDCA) is to include the
> > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> > enable EV treatment.
> > GDCA is a nationally recognized CA that operates under China’s Electronic
> > Signature Law. GDCA’s customers are business corporations registered in
> > mainland China, government agencies of China, individuals or mainland China
> > citizens, servers of business corporations which have been registered in
> > mainland China, and software developers.
> > The request is documented in the following bug:
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
> > And in the pending certificates list:
> > https://wiki.mozilla.org/CA:PendingCAs
> > Summary of Information Gathered and Verified:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8749437
> > Noteworthy points:
> > * Root Certificate Download URL:
> > https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> > https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
> > * The primary documents are provided in Chinese.
> > CA Document Repository:
> > https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> > http://www.gdca.com.cn/cp/cp
> > http://www.gdca.com.cn/cps/cps
> > http://www.gdca.com.cn/cp/ev-cp
> > http://www.gdca.com.cn/cps/ev-cps
> > Translations into English:
> > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> > CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> > * CA Hierarchy: This root certificate has internally-operated subordinate
> > CAs
> > - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> > - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> > - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> > - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL
> > certs)
> > - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV
> > CodeSigning certs)
> > * This request is to turn on the Websites trust bit.
> > CPS section 3.2.5: For domain verification, GDCA needs to check the written
> > materials provided by the applicant which can be used to prove ownership of
> > the corresponding domain. Meanwhile, GDCA should verify ownership of the
> > domain with the corresponding registrant or other authoritative third-party
> > databases. During the verification, GDCA needs to perform the following
> > procedures:
> > 1. GDCA should confirm that the domain's owner is the certificate applicant
> > based on the information queried from the corresponding domain registrant or
> > authoritative third-party database and the information provided by the
> > applicant.
> > 2. GDCA should confirm that the significant information (such as the document
> > information of the applicant) in the application materials is consistent with
> > the reply of the domain's owner, by sending an email or making a phone call
> > based on the contact information (such as email, registrar, administrator's
> > email published on this domain's website, etc.) queried from the corresponding
> > domain registrant or authoritative third-party database.
> > If necessary, GDCA also needs to take other review measures to confirm
> > ownership of the domain name. The applicant cannot refuse a request to
> > provide appropriate assistance.
> > * EV Policy OID: 22.214.171.1245126.96.36.199.1
> > * Test Website: https://ev-ssl-test-1.95105813.cn/
> > * CRL URLs:
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
> > * OCSP URL:
> > http://www.gdca.com.cn/TrustAUTH/ocsp
> > * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian
> > LLP according to the WebTrust criteria.
> > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> > WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
> > * Potentially Problematic Practices: None Noted
> > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > This begins the discussion of the request from Guangdong Certificate
> > Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn
> > on the Websites trust bit, and enable EV treatment. At the conclusion of
> > this discussion I will provide a summary of issues noted and action items.
> > If there are outstanding issues, then an additional discussion may be
> > needed as follow-up. If there are no outstanding issues, then I will
> > recommend approval of this request in the bug.
> > Kathleen
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability
> (CVE-2016-2107) and insecure. Grade set to F.
> Maybe someone who has more expertise than me could take a look at this?
Thank you for your review of our server. We have fixed this issue. Now the
server returns "If trust issues are ignored: A". Please validate again.
dev-security-policy mailing list