Kathleen Wilson wrote on Saturday, September 17, 2016 at 5:00:39 AM UTC+8:
> This request from Government of Taiwan, Government Root Certification 
> Authority (GRCA), is to include their Government Root Certification Authority 
> root certificate, and turn on the Websites and Email trust bits. This root 
> cert will eventually replace the previous GRCA root certificate that was 
> included via Bugzilla Bug #274106.
> 
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1065896
> 
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
> 
> Summary of Information Gathered and Verified: 
> https://bugzilla.mozilla.org/attachment.cgi?id=8708619
> 
> * Root Certificate Download URL:
> http://grca.nat.gov.tw/repository/Certs/GRCA2.cer
> 
> * The primary documents are provided in Chinese. The CP and CPS have been 
> translated into English. 
> 
> CA Document Repository: http://grca.nat.gov.tw/01-06.html
> GCA CPS(intermediate that can issue SSL certs): 
> http://gca.nat.gov.tw/download/Government_Certification_Authority_Certification_Practice_Statement_V1.8.pdf
> GPKI CP: http://grca.nat.gov.tw/download/GPKI_CP_eng_v1.7.pdf
> GRCA (Root) CPS: http://grca.nat.gov.tw/download/GRCA_CPS_eng_v1.4.pdf
> 
> * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
> All subordinate CAs are operated by Taiwan Government organizations. 
> GCA is responsible for signing certificates for government agencies. This is 
> the only intermediate cert that can issue SSL certs.
> XCA is responsible for signing certificates for organizations;
> MOICA is responsible for signing certificates for citizens;
> MOEACA is responsible for signing certificates for corporations; and
> HCA is responsible for signing certificates for health agencies.
> 
> * This request is to turn on the Email and Websites trust bits.
> 
> ** GCA CPS section 3.1.11
> (1) IC card certificate
> Upon obtaining the certificate IC card, subscriber may propose writing its 
> email address onto the certificate.
> Upon filing application online with certificate IC card by subscriber, the 
> GCA will check its digital signature as authentication of subscriber’s 
> identity, and send the email verification letter to the certificate email 
> address.
> Subscriber shall use the verification letter content reply system to verify 
> it truly owns and controls the email address.
> (2) Non-IC card certificate
> If required, subscriber may jointly apply for non-IC card certificate and 
> simultaneously writing email address onto certificate.
> Aside from checking certificate application information, the GCA shall also 
> send the email verification letter on writing the email address onto the 
> certificate.
> Subscriber shall use the verification letter content reply system to verify 
> it truly owns and controls the email address.
> 
> ** GCA CPS section 3.1.12
> The GCA should follow the General Application procedure as set forth in 
> section 3.1.8 for authenticating the organization is true when subscriber 
> applies for SSL Certificate. Also, the GCA may use following method to check 
> that the host domain name truly exists and belongs to the registered under 
> the applicant.
> - Government WHOIS host-government Chinese/English domain name registration 
> systems (hhtps://rs.gsn.gov.tw)
         ^^^^^the correct URL is https://rs.gsn.gov.tw 


> - TWNIC Whois Database (http://whois.twnic.net.tw)
> 
> * EV Policy OID: Not Requesting EV treatment
> 
> * Test Website: https://gcaweb.nat.gov.tw/GCAEE/GCAPriApply/GCAPriApply.html
> 
> * CRL URLs:
> http://grca.nat.gov.tw/repository/CRL2/CA.crl
> http://gca.nat.gov.tw/repository/GCA4/CRL2/complete.crl
> The value of nextUpdate is set to 24 hours later than the issuing time 
> (thisUpdate).
> CP section 4.4.9: For Level 2, CRL issued at least every 3 days. For level 3 
> and level 4, CRL issued at least once a day. For Test Level and Level 1 CRL 
> Issuance Frequency is not specified.
> 
> * OCSP URL:
> http://gca.nat.gov.tw/cgi-bin/OCSP2/ocsp_server.exe
> OCSP responses from this service have a maximum expiration time of two hours
> 
> * Audit: Annual audits are performed by KPMG according to the WebTrust 
> criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2050&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2051&file=pdf
> 
> * Potentially Problematic Practices: None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices) 
> 
> This begins the discussion of this request from the Government of Taiwan to 
> include their Government Root Certification Authority root certificate, and 
> turn on the Websites and Email trust bits. At the conclusion of this 
> discussion I will provide a summary of issues noted and action items. If 
> there are outstanding issues, then an additional discussion may be needed as 
> follow-up. If there are no outstanding issues, then I will recommend approval 
> of this request in the bug.
> 
> Kathleen
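The request states concrete revocation-freshness commitments (CRL nextUpdate = thisUpdate + 24 hours, the CP 4.4.9 issuance frequency per level, OCSP responses expiring within two hours). The following is an added example, not GRCA's or Mozilla's code, showing how a reviewer could encode those commitments as checks over timestamps pulled from published CRLs and OCSP responses; all timestamps are constructed, not taken from the real services.

```python
"""Freshness checks for the CRL/OCSP commitments quoted in the request.
Added illustration; the sample timestamps below are constructed."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

STATED_CRL_WINDOW = timedelta(hours=24)   # request: nextUpdate = thisUpdate + 24h
OCSP_MAX_VALIDITY = timedelta(hours=2)    # request: OCSP expiry at most two hours
# CP section 4.4.9 issuance frequency per assurance level (None: not specified).
CP_MAX_ISSUANCE_GAP = {"test": None, 1: None, 2: timedelta(days=3),
                       3: timedelta(days=1), 4: timedelta(days=1)}


def check_crl_window(this_update: datetime, next_update: Optional[datetime],
                     now: datetime) -> List[str]:
    """Findings for one CRL; an empty list means it matches the stated policy."""
    if next_update is None:  # syntactically optional in the CRL ASN.1 (RFC 5280)
        return ["nextUpdate absent: staleness cannot be bounded"]
    findings = []
    window = next_update - this_update
    if window != STATED_CRL_WINDOW:
        findings.append(f"nextUpdate window is {window}, request states 24h")
    if not this_update <= now < next_update:
        findings.append("CRL not valid at evaluation time; refetch before relying on it")
    return findings


def check_issuance_gap(prev_this_update: datetime, this_update: datetime,
                       level) -> Optional[str]:
    """Compare two consecutive CRLs against the CP 4.4.9 issuance frequency."""
    limit = CP_MAX_ISSUANCE_GAP.get(level)
    if limit is None:
        return f"level {level}: CP specifies no frequency, nothing to check"
    gap = this_update - prev_this_update
    return f"level {level}: {gap} between CRLs exceeds {limit}" if gap > limit else None


def check_ocsp_validity(produced_at: datetime, next_update: datetime) -> Optional[str]:
    """Flag an OCSP response whose validity exceeds the stated two hours."""
    validity = next_update - produced_at
    return f"OCSP response valid for {validity}, stated max 2h" if validity > OCSP_MAX_VALIDITY else None


T0 = datetime(2016, 9, 16, 21, 0, tzinfo=timezone.utc)  # constructed thisUpdate


def demo() -> Dict[str, object]:
    """Run every check over constructed inputs and return the findings."""
    h = lambda n: T0 + timedelta(hours=n)
    return {"crl_ok": check_crl_window(T0, h(24), h(3)),
            "crl_wide": check_crl_window(T0, T0 + timedelta(days=7), h(3)),
            "crl_stale": check_crl_window(T0, h(24), h(30)),
            "gap_level3": check_issuance_gap(T0, h(30), 3),
            "gap_level2": check_issuance_gap(T0, h(30), 2),
            "ocsp_ok": check_ocsp_validity(T0, h(2)),
            "ocsp_long": check_ocsp_validity(T0, h(6))}
```

Feeding real thisUpdate/nextUpdate values from the published CRL URLs and producedAt/nextUpdate from the OCSP responder lets a reviewer confirm the stated windows over time rather than only at a single fetch.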

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy