Hello,

I have completed a read through of the English translations of the CP
(v1.2) and CPS (v4.1). Before I post my comments I wanted to see if there
were any more recent translations?  It looks like the local language
versions are 1.4 and 4.3 respectively.

Many thanks,

Andrew

On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:

> This request from Guangdong Certificate Authority (GDCA) is to include the
> "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> enable EV treatment.
>
> GDCA is a nationally recognized CA that operates under China’s Electronic
> Signature Law. GDCA’s customers are business corporations registered in
> mainland China, government agencies of China, individuals or mainland China
> citizens, servers of business corporations which have been registered in
> mainland China, and software developers.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
>
> And in the pending certificates list:
> https://wiki.mozilla.org/CA:PendingCAs
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8749437
>
> Noteworthy points:
>
> * Root Certificate Download URL:
> https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
>
> * The primary documents are provided in Chinese.
>
> CA Document Repository:
> https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> http://www.gdca.com.cn/cp/cp
> http://www.gdca.com.cn/cps/cps
> http://www.gdca.com.cn/cp/ev-cp
> http://www.gdca.com.cn/cps/ev-cps
>
> Translations into English:
> CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
>
> * CA Hierarchy: This root certificate has internally-operated subordinate
> CAs
> - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL
> certs)
> - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit
> EV CodeSigning certs)
>
> * This request is to turn on the Websites trust bit.
>
> CPS section 3.2.5: For domain verification, GDCA needs to check the
> written materials which can be used to prove the ownership of corresponding
> domain provided by applicant. Meanwhile, GDCA should ensure the ownership
> of domain from corresponding registrant or other authoritative third-party
> databases. During the verification, GDCA needs to perform the following
> procedures:
> 1. GDCA should confirm that the domain's owner is certificate applicant
> based on the information queried from corresponding domain registrant or
> authoritative third-party database and provided by applicant.
> 2. GDCA should confirm that the significant information (such as document
> information of applicant) in application materials are consistent with the
> reply of domain's owner by sending email or making phone call based on the
> contact information (such as email, registrar, administrator's email
> published at this domain's website, etc.) queried from corresponding domain
> registrant or authoritative third-party database.
> If necessary, GDCA also need to take other review measures to confirm the
> ownership of the domain name. Applicant can't refuse to the request for
> providing appropriate assistance.
>
>
> * EV Policy OID: 1.2.156.112559.1.1.6.1
>
> * Test Website: https://ev-ssl-test-1.95105813.cn/
>
> * CRL URLs:
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
>
> * OCSP URL:
> http://www.gdca.com.cn/TrustAUTH/ocsp
>
> * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian
> LLP according to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
>
> * Potentially Problematic Practices: None Noted
> (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the discussion of the request from Guangdong Certificate
> Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn
> on the Websites trust bit, and enable EV treatment. At the conclusion of
> this discussion I will provide a summary of issues noted and action items.
> If there are outstanding issues, then an additional discussion may be
> needed as follow-up. If there are no outstanding issues, then I will
> recommend approval of this request in the bug.
>
> Kathleen
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>