On Thursday, October 20, 2016 at 5:27:42 AM UTC+8, Andrew R. Whalley wrote:
> Hello,
> 
> Thank you for the links.  I note, however, that there's at least one
> difference between the native language version and the English translation:
> 
> http://www.gdca.com.cn/cps/cps version 4.3 has a section 4.2.4 covering
> CAA.
> https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091 version 4.3
> in English has no such section.
> 
> The fact there's a discrepancy is rather worrying.  Could you please check
> and let me know if there are any other substantive differences between the
> Chinese and English versions?
> 
> Cheers,
> 
> Andrew
> 
> On Mon, Sep 26, 2016 at 7:17 PM, <[email protected]> wrote:
> 
> > On Tuesday, September 27, 2016 at 4:15:00 AM UTC+8, Andrew R. Whalley wrote:
> > > Hello,
> > >
> > > I have completed a read through of the English translations of the CP
> > > (v1.2) and CPS (v4.1). Before I post my comments I wanted to see if there
> > > were any more recent translations?  It looks like the local language
> > > versions are 1.4 and 4.3 respectively.
> > >
> > > Many thanks,
> > >
> > > Andrew
> > >
> > > On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <[email protected]>
> > wrote:
> > >
> > > > This request from Guangdong Certificate Authority (GDCA) is to include
> > the
> > > > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit,
> > and
> > > > enabled EV treatment.
> > > >
> > > > GDCA is a nationally recognized CA that operates under China’s
> > Electronic
> > > > Signature Law. GDCA’s customers are business corporations registered in
> > > > mainland China, government agencies of China, individuals or mainland
> > China
> > > > citizens, servers of business corporations which have been registered
> > in
> > > > mainland China, and software developers.
> > > >
> > > > The request is documented in the following bug:
> > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
> > > >
> > > > And in the pending certificates list:
> > > > https://wiki.mozilla.org/CA:PendingCAs
> > > >
> > > > Summary of Information Gathered and Verified:
> > > > https://bugzilla.mozilla.org/attachment.cgi?id=8749437
> > > >
> > > > Noteworthy points:
> > > >
> > > > * Root Certificate Download URL:
> > > > https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> > > > https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
> > > >
> > > > * The primary documents are provided in Chinese.
> > > >
> > > > CA Document Repository: https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> > > > http://www.gdca.com.cn/cp/cp
> > > > http://www.gdca.com.cn/cps/cps
> > > > http://www.gdca.com.cn/cp/ev-cp
> > > > http://www.gdca.com.cn/cps/ev-cps
> > > >
> > > > Translations into English:
> > > > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> > > > CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> > > >
> > > > * CA Hierarchy: This root certificate has internally-operated
> > subordinate
> > > > CAs
> > > > - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> > > > - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> > > > - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> > > > - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL
> > > > certs)
> > > > - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues
> > 2048-bit
> > > > EV CodeSigning certs)
> > > >
> > > > * This request is to turn on the Websites trust bit.
> > > >
> > > > CPS section 3.2.5: For domain verification, GDCA needs to check the
> > > > written materials which can be used to prove the ownership of
> > corresponding
> > > > domain provided by applicant. Meanwhile, GDCA should ensure the
> > ownership
> > > > of domain from corresponding registrant or other authoritative
> > third-party
> > > > databases. During the verification, GDCA needs to perform the following
> > > > procedures:
> > > > 1. GDCA should confirm that the domain's owner is certificate applicant
> > > > based on the information queried from corresponding domain registrant
> > or
> > > > authoritative third-party database and provided by applicant.
> > > > 2. GDCA should confirm that the significant information (such as
> > document
> > > > information of applicant) in application materials are consistent with
> > the
> > > > reply of domain's owner by sending email or making phone call based on
> > the
> > > > contact information (such as email, registrar, administrator's email
> > > > published at this domain's website, etc.) queried from corresponding
> > domain
> > > > registrant or authoritative third-party database.
> > > > If necessary, GDCA also need to take other review measures to confirm
> > the
> > > > ownership of the domain name. Applicant can't refuse to the request for
> > > > providing appropriate assistance.
> > > >
> > > >
> > > > * EV Policy OID: 1.2.156.112559.1.1.6.1
> > > >
> > > > * Test Website: https://ev-ssl-test-1.95105813.cn/
> > > >
> > > > * CRL URLs:
> > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
> > > >
> > > > * OCSP URL:
> > > > http://www.gdca.com.cn/TrustAUTH/ocsp
> > > >
> > > > * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong
> > Tian
> > > > LLP according to the WebTrust criteria.
> > > > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> > > > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> > > > WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
> > > >
> > > > * Potentially Problematic Practices: None Noted
> > > > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > > >
> > > > This begins the discussion of the request from Guangdong Certificate
> > > > Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate,
> > turn
> > > > on the Websites trust bit, and enabled EV treatment. At the conclusion
> > of
> > > > this discussion I will provide a summary of issues noted and action
> > items.
> > > > If there are outstanding issues, then an additional discussion may be
> > > > needed as follow-up. If there are no outstanding issues, then I will
> > > > recommend approval of this request in the bug.
> > > >
> > > > Kathleen
> > > >
> > > > _______________________________________________
> > > > dev-security-policy mailing list
> > > > [email protected]
> > > > https://lists.mozilla.org/listinfo/dev-security-policy
> > > >
> >
> > Yes, we have new version translations. We have uploaded to Bug 1128392.
> > CP V1.4: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795090
> > CPS V4.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091
> > EV CP V1.2: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795093
> > EV CPS V1.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795094
> >

My English is not good enough; maybe my translation can't represent the 
original Chinese meaning accurately.
Any questions about the meaning will be answered.
All information is based on version 4.3.
I will only note the translation of the Chinese version where it is different 
from the English version.

1.1.1

The Chinese version has an additional statement:

After the renaming of GDCA, the property, debt, rights, and business of "Guangdong 
Digital Certificate Authority Co. LTD" would be transferred to "Global Digital 
Cybersecurity Authority CO., LTD." Any contracts signed by "Guangdong Digital 
Certificate Authority Co. LTD" would also be transferred to "Global Digital 
Cybersecurity Authority CO., LTD."

1.1.2
Para. 2 has a link, http://www.gdca.com.cn/TrustAUTH/, which returned 404 at 
20OCT2016 13:50Z, so I can't verify the CP.
The Chinese version is missing the detail of the Object identifier section.

1.1.3
Chinese version: Currently, GDCA has 6 root certificates, including ROOTCA 
(RSA), GDCA ROOT CA, ROOTCA(SM2), GDCA TrustAUTH R5 ROOT, 数安时代 R5 ROOT (CN is 
Chinese), GDCA TrustAUTH E5 ROOT

1) About GDCA TrustAUTH R2 CA which will expire at 15DEC2018, from 15DEC2016, 
GDCA will no longer use it to issue subscriber certificates.
2) GDCA ROOT CA will expire on 11DEC2024.
4) GDCA TrustAUTH R5 would issue EV certificates
Sections 4), 5) and 6) are totally different from the English version. I can't 
translate them all.

1.2
The Chinese version is missing the OID section.

1.3
The Chinese version's wording is different. I think PKI should refer to Public Key 
Infrastructure. Am I right?

1.4.1
The Chinese version has additional statements. It says something about EV SSL 
certificates. But I think it is not important.

1.4.1.1
Additional types of individual certificates: Type III and Type IV, which require 
more validations.

1.4.1.2
GDCA will NOT issue any Type I and II Organization certificates; it only issues 
Type III and IV.

1.4.1.4
4 types: EV, OV, IV, DV. EV SSL would follow another CPS.

1.4.1.5
Some differences. Not important.

3.1.1
For SSL certificate......and a primary domain name or IP address shall be used 
as CN.

issuer's DN: O: Global Digital Cybersecurity Authority CO., LTD. or GDCA 
Certificate Authority

3.1.5

The first applicant of this DN shall govern; later applicants would be 
distinguished by additional information.

3.2.2 Title: Authentication of Individual Identity which should be 3.2.3's 
title.
3.2.2 and 3.2.3 cannot be compared because the Chinese version depends on 
different types of certificates.

3.2 is totally a mess.

4.2.4
Not available. GDCA doesn't do CAA validation.

4.7.1
Not allowed to update key: Type I & II individual certificate, Equipment 
certificate, SSL certificate, Code Signing certificate.

6.3.3
- For RSA2048 SSL cert and Code Signing cert, ECC 256bit SSL and Code Signing 
cert, max period of keypair usage is 39 months

7.1.3
sha1RSA,sha256RSA and sha256ECDSA

7.2.2
Signing algorithm: sha1RSA sha256RSA sha256ECDSA SM2 ECC

Section 9 which is about law is too hard for me. I would only pick up something 
I can understand.

9.2.1
compensation will not exceed:
800CNY for Individual cert.
4,000CNY for Organization cert.
8,000CNY for Equipment cert.
200,000CNY for Code Signing cert.
500,000CNY for SSL cert.


Appendix:
GDCA TrustAUTH R4 EV SSL CA & GDCA TrustAUTH R4 EV CodeSigning CA's information 
will be disclosed in GDCA EV CPS
GDCA TrustAUTH R4 IV SSL CA (SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3)
GDCA TrustAUTH R4 DV SSL CA (SHA1=30184A5B924E679E7A91329317D0560F587E697B)
GDCA TrustAUTH R4 Primer CA (SHA1=14C2B33BBF6EBD84FCA7015413EBD0433E171A98)
some Chinese CN CAs
some E5 CAs