On Friday, October 21, 2016 at 12:15:00 AM UTC+8, Han Yuwei wrote:
> On Thursday, October 20, 2016 at 5:27:42 AM UTC+8, Andrew R. Whalley wrote:
> > Hello,
> > 
> > Thank you for the links.  I note, however, that there's at least one
> > difference between the native language version and the English translation:
> > 
> > http://www.gdca.com.cn/cps/cps version 4.3 has a section 4.2.4 covering
> > CAA.
> > https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091 version 4.3
> > in English has no such section.
> > 
> > The fact there's a discrepancy is rather worrying.  Could you please check
> > and let me know if there are any other substantive differences between the
> > Chinese and English versions?
> > 
> > Cheers,
> > 
> > Andrew
> > 
> > On Mon, Sep 26, 2016 at 7:17 PM, <wangsn1...@gmail.com> wrote:
> > 
> > > On Tuesday, September 27, 2016 at 4:15:00 AM UTC+8, Andrew R. Whalley wrote:
> > > > Hello,
> > > >
> > > > I have completed a read through of the English translations of the CP
> > > > (v1.2) and CPS (v4.1). Before I post my comments I wanted to see if
> > > > there were any more recent translations?  It looks like the local language
> > > > versions are 1.4 and 4.3 respectively.
> > > >
> > > > Many thanks,
> > > >
> > > > Andrew
> > > >
> > > > On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> > > >
> > > > > This request from Guangdong Certificate Authority (GDCA) is to include the
> > > > > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and
> > > > > enable EV treatment.
> > > > >
> > > > > GDCA is a nationally recognized CA that operates under China’s Electronic
> > > > > Signature Law. GDCA’s customers are business corporations registered in
> > > > > mainland China, government agencies of China, individuals or mainland China
> > > > > citizens, servers of business corporations which have been registered in
> > > > > mainland China, and software developers.
> > > > >
> > > > > The request is documented in the following bug:
> > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
> > > > >
> > > > > And in the pending certificates list:
> > > > > https://wiki.mozilla.org/CA:PendingCAs
> > > > >
> > > > > Summary of Information Gathered and Verified:
> > > > > https://bugzilla.mozilla.org/attachment.cgi?id=8749437
> > > > >
> > > > > Noteworthy points:
> > > > >
> > > > > * Root Certificate Download URL:
> > > > > https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> > > > > https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
> > > > >
> > > > > * The primary documents are provided in Chinese.
> > > > >
> > > > > CA Document Repository: https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> > > > > http://www.gdca.com.cn/cp/cp
> > > > > http://www.gdca.com.cn/cps/cps
> > > > > http://www.gdca.com.cn/cp/ev-cp
> > > > > http://www.gdca.com.cn/cps/ev-cps
> > > > >
> > > > > Translations into English:
> > > > > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> > > > > CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> > > > >
> > > > > * CA Hierarchy: This root certificate has internally-operated subordinate
> > > > > CAs
> > > > > - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> > > > > - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> > > > > - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> > > > > - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
> > > > > - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV CodeSigning certs)
> > > > >
> > > > > * This request is to turn on the Websites trust bit.
> > > > >
> > > > > CPS section 3.2.5: For domain verification, GDCA needs to check the
> > > > > written materials which can be used to prove the ownership of corresponding
> > > > > domain provided by applicant. Meanwhile, GDCA should ensure the ownership
> > > > > of domain from corresponding registrant or other authoritative third-party
> > > > > databases. During the verification, GDCA needs to perform the following
> > > > > procedures:
> > > > > 1. GDCA should confirm that the domain's owner is certificate applicant
> > > > > based on the information queried from corresponding domain registrant or
> > > > > authoritative third-party database and provided by applicant.
> > > > > 2. GDCA should confirm that the significant information (such as document
> > > > > information of applicant) in application materials are consistent with the
> > > > > reply of domain's owner by sending email or making phone call based on the
> > > > > contact information (such as email, registrar, administrator's email
> > > > > published at this domain's website, etc.) queried from corresponding domain
> > > > > registrant or authoritative third-party database.
> > > > > If necessary, GDCA also need to take other review measures to confirm the
> > > > > ownership of the domain name. Applicant can't refuse to the request for
> > > > > providing appropriate assistance.
> > > > >
> > > > >
> > > > > * EV Policy OID: 1.2.156.112559.1.1.6.1
> > > > >
> > > > > * Test Website: https://ev-ssl-test-1.95105813.cn/
> > > > >
> > > > > * CRL URLs:
> > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
> > > > >
> > > > > * OCSP URL:
> > > > > http://www.gdca.com.cn/TrustAUTH/ocsp
> > > > >
> > > > > * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian
> > > > > LLP according to the WebTrust criteria.
> > > > > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> > > > > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> > > > > WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
> > > > >
> > > > > * Potentially Problematic Practices: None Noted
> > > > > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > > > >
> > > > > This begins the discussion of the request from Guangdong Certificate
> > > > > Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn
> > > > > on the Websites trust bit, and enable EV treatment. At the conclusion of
> > > > > this discussion I will provide a summary of issues noted and action items.
> > > > > If there are outstanding issues, then an additional discussion may be
> > > > > needed as follow-up. If there are no outstanding issues, then I will
> > > > > recommend approval of this request in the bug.
> > > > >
> > > > > Kathleen
> > > > >
> > > > > _______________________________________________
> > > > > dev-security-policy mailing list
> > > > > dev-security-policy@lists.mozilla.org
> > > > > https://lists.mozilla.org/listinfo/dev-security-policy
> > > > >
> > >
> > > Yes, we have new version translations. We have uploaded to Bug 1128392.
> > > CP V1.4: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795090
> > > CPS V4.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091
> > > EV CP V1.2: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795093
> > > EV CPS V1.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795094
> > >
> 
> My English is not good enough, so maybe my translation can't represent the 
> original Chinese meaning accurately.
> Any questions about the meaning would be answered.
> All information is based on version 4.3.
> I will only note the translation of the Chinese version where it is different from the 
> English version.
> 
> 1.1.1
> 
> The Chinese version has an additional statement:
> 
> After the renaming of GDCA, the property, debt, rights, and business of "Guangdong 
> Digital Certificate Authority Co. LTD" would be transferred to "Global Digital 
> Cybersecurity Authority CO., LTD." Any contracts signed by "Guangdong Digital 
> Certificate Authority Co. LTD" would also be transferred to "Global Digital 
> Cybersecurity Authority CO., LTD."
> 
> 1.1.2
> Para. 2 has a link, http://www.gdca.com.cn/TrustAUTH/, which returned 404 at 
> 20OCT2016 13:50Z, so I can't verify the CP.
> The Chinese version missed the detail of the Object Identifier section.
> 
> 1.1.3
> Chinese version: Currently, GDCA has 6 root certificates, including ROOTCA 
> (RSA), GDCA ROOT CA, ROOTCA(SM2), GDCA TrustAUTH R5 ROOT, 数安时代 R5 ROOT (CN is 
> Chinese), GDCA TrustAUTH E5 ROOT
> 
> 1) About GDCA TrustAUTH R2 CA which will expire at 15DEC2018, from 15DEC2016, 
> GDCA will no longer use it to issue subscriber certificates.
> 2) GDCA ROOT CA will expire on 11DEC2024.
> 4) GDCA TrustAUTH R5 would issue EV certificates
> 4) 5) 6) section is totally different from English version. I can't translate 
> it all.
> 
> 1.2
> The Chinese version missed the OID section.
> 
> 1.3
> The Chinese version's wording is different. I think PKI should refer to Public 
> Key Infrastructure. Am I right?
> 
> 1.4.1
> The Chinese version has additional statements. It said something about EV SSL 
> Certificates. But I think it is not important.
> 
> 1.4.1.1
> Additional types of individual certificates: Type III and Type IV, which require 
> more validation.
> 
> 1.4.1.2
> GDCA will NOT issue any Type I and II Organization certificates, only 
> Type III and IV.
> 
> 1.4.1.4
> 4 types: EV, OV, IV, DV. EV SSL would follow another CPS.
> 
> 1.4.1.5
> Some differences. Not important.
> 
> 3.1.1
> For SSL certificate......and a primary domain name or IP address shall be used 
> as CN.
> 
> issuer's DN: O: Global Digital Cybersecurity Authority CO., LTD. or GDCA 
> Certificate Authority
> 
> 3.1.5
> 
> The first applicant of this DN shall govern; later applicants would be 
> distinguished by additional information.
> 
> 3.2.2 Title: Authentication of Individual Identity which should be 3.2.3's 
> title.
> 3.2.2 and 3.2.3 cannot be compared because Chinese version depends on 
> different type of certificates.
> 
> 3.2 is totally a mess.
> 
> 4.2.4
> Not available. GDCA doesn't do CAA validation.
> 
> 4.7.1
> not allowed to update key: Type I & II individual certificate, Equipment 
> certificate, SSL certificate, Code Signing certificate.
> 
> 6.3.3
> - For RSA2048 SSL cert and Code Signing cert, ECC 256bit SSL and Code Signing 
> cert, max period of keypair usage is 39 months
> 
> 7.1.3
> sha1RSA, sha256RSA and sha256ECDSA
> 
> 7.2.2
> Signing algorithm: sha1RSA sha256RSA sha256ECDSA SM2 ECC
> 
> Section 9 which is about law is too hard for me. I would only pick up 
> something I can understand.
> 
> 9.2.1
> compensation will not exceed:
> 800CNY for Individual cert.
> 4,000CNY for Organization cert.
> 8,000CNY for Equipment cert.
> 200,000CNY for Code Signing cert.
> 500,000CNY for SSL cert.
> 
> 
> Appendix:
> GDCA TrustAUTH R4 EV SSL CA & GDCA TrustAUTH R4 EV CodeSigning CA's 
> information will be disclosed in GDCA EV CPS
> GDCA TrustAUTH R4 IV SSL CA (SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3)
> GDCA TrustAUTH R4 DV SSL CA (SHA1=30184A5B924E679E7A91329317D0560F587E697B)
> GDCA TrustAUTH R4 Primer CA (SHA1=14C2B33BBF6EBD84FCA7015413EBD0433E171A98)
> some Chinese CN CAs
> some E5 CAs

Thanks again to Yuwei for listing the major differences between the Chinese 
version and the English version.
        >1.1.2 
        >Para.2 have a link http://www.gdca.com.cn/TrustAUTH/ returned 404 at 20OCT2016 13:50Z, so I can't verify the CP. 
        >Chinese version missed the detail of Object identifier section 
        
        The link is now http://www.gdca.com.cn/cp/cp 
        
        >1.1.3 
        >Chinese version: Currently, GDCA has 6 root certificates, including ROOTCA (RSA), GDCA ROOT CA, ROOTCA(SM2), GDCA TrustAUTH R5 ROOT, 数安时代 R5 ROOT (CN is Chinese), GDCA TrustAUTH E5 ROOT 
        
        >1) About GDCA TrustAUTH R2 CA which will expire at 15DEC2018, from 15DEC2016, GDCA will no longer use it to issue subscriber certificates. 
        >2) GDCA ROOT CA will expire on 11DEC2024. 
        >4) GDCA TrustAUTH R5 would issue EV certificates 
        >4) 5) 6) section is totally different from English version. I can't translate it all. 
        
        The 4) section is about the GDCA TrustAUTH R5 ROOT and sub-CAs
        The 5) section is about the 数安时代 R5 ROOT and sub-CAs
        The 6) section is about the GDCA TrustAUTH E5 ROOT and sub-CAs
        
        >1.2 
        >Chinese version missed the OID section. 

        1.2. Document Name and Identification
        In this document called “Global Digital Cybersecurity Authority CO., LTD. Certification Practice Statement” (abbreviated as “GDCA CPS”), CPS is equivalent to the document name and applicable name defined in this section.
        The object identifier (OID) of certificates applied to the project of Hong Kong-Guangdong mutual recognition in this CPS are consistent with “Certificate Policy for Hong Kong-Guangdong mutual recognition of electronic signature certificates” while other are consistent with “GDCA Certificate Policy” (abbreviated as “GDCA CP”).
        
        >3.2 is totally a mess. 
        
        The 3.2 section of the Chinese version is different from the English version now. Please see it in the new English version next week.
        
        >Appendix: 
        >GDCA TrustAUTH R4 EV SSL CA & GDCA TrustAUTH R4 EV CodeSigning CA's information will be disclosed in GDCA EV CPS 
        >GDCA TrustAUTH R4 IV SSL CA (SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3) 
        >GDCA TrustAUTH R4 DV SSL CA (SHA1=30184A5B924E679E7A91329317D0560F587E697B) 
        >GDCA TrustAUTH R4 Primer CA (SHA1=14C2B33BBF6EBD84FCA7015413EBD0433E171A98) 
        >some Chinese CN CAs 
        >some E5 CAs 
        
        GDCA TrustAUTH R5 ROOT  SHA1 digest = 0f 36 38 5b 81 1a 25 c3 9b 31 4e 
83 ca e9 34 66 70 cc 74 b4
        GDCA TrustAUTH R4 EV SSL CA See “GDCA EV CPS”
        GDCA TrustAUTH R4 EV CodeSigning CA See “GDCA EV CPS”
        GDCA TrustAUTH R4 OV SSL CA     SHA1 digest = c3 4a d6 45 d5 79 1c 5f 
22 e7 33 d7 53 47 08 15 85 75 6c 2d 
        GDCA TrustAUTH R4 IV SSL CA             SHA1 digest = 78 ae a8 51 a3 1b 
0f 04 9a f0 2c d0 f2 ad 91 40 60 4f a7 a3
        GDCA TrustAUTH R4 DV SSL CA             SHA1 digest = 30 18 4a 5b 92 4e 
67 9e 7a 91 32 93 17 d0 56 0f 58 7e 69 7b
        GDCA TrustAUTH R4 CodeSigning CA        SHA1 digest = fc 6d cb 06 a5 5b 
ff 76 83 64 27 5b 29 d6 4f 7c 3a a9 cf b4
        GDCA TrustAUTH R4 Generic CA    SHA1 digest =6f ed 83 eb e1 83 cc 71 d0 
ed e1 2a e8 77 e0 df 98 96 1f 24
        GDCA TrustAUTH R4 Primer CA             SHA1 digest =14 c2 b3 3b bf 6e 
bd 84 fc a7 01 54 13 eb d0 43 3e 17 1a 98
        
        2 New Root:
        
        数安时代R5根CA证书             SHA1 digest = 23 eb 1b a4 64 71 a1 e7 e9 f2 db 
57 01 fe f8 f2 f8 0c aa e9
        数安时代R4 EV 服务器   See “GDCA EV CPS” 
        数安时代R4 OV 服务器证书 CA              SHA1 digest = 93 92 5b 05 17 30 05 86 
fd 2c 45 eb 18 6e 00 9e b9 75 a5 d0
        数安时代R4 IV 服务器证书 CA              SHA1 digest = 10 b8 fb 9a d2 50 32 6a 
ee fb 05 ad da 9d 3a 2b bb bd 5d bf
        数安时代R4 DV 服务器证书 CA              SHA1 digest = 01 ad 04 cd e1 05 56 23 
4a f6 6f a0 e6 64 f3 a6 18 80 4d f5
        数安时代R4 代码签名证书 CA                SHA1 digest = 4f be 54 bc 70 8e b1 2a 
11 86 dd 79 aa ff e7 95 f8 ad c6 e9
        数安时代R4 普通订户证书 CA                SHA1 digest = 07 33 29 cb 53 b1 86 36 
25 38 1b fb 48 a0 43 a7 b1 fe 28 6f
        数安时代R4 基础订户证书 CA                SHA1 digest = e5 da 52 2d 5f 38 7a 6e 
72 49 5e 66 a4 be ba 0f 24 f2 59 dc
        
        GDCA TrustAUTH E5 ROOT          SHA1 digest = eb 46 6c d3 75 65 f9 3c 
de 10 62 cd 8d 98 26 ed 23 73 0f 12
        GDCA TrustAUTH E4 EV SSL CA     See “GDCA EV CPS”
        GDCA TrustAUTH E4 OV SSL CA             SHA1 digest = 50 15 62 d8 1b a2 
40 27 1b ee 06 d2 b3 7f 5b 35 cb 9d 8c b8
        GDCA TrustAUTH E4 IV SSL CA             SHA1 digest = a8 45 2b fc 20 f9 
de b6 9b 8b 3f 29 73 e0 a3 b3 6f 82 eb 5b
        GDCA TrustAUTH E4 DV SSL CA             SHA1 digest = 8e 9b 9a db f5 ec 
c4 6b 05 76 82 2e de 5e 80 d1 57 6b 5d 7c
        GDCA TrustAUTH E4 CodeSigning CA        SHA1 digest = 10 6a 4e 5d ca 05 
92 28 e4 ff 89 52 66 53 a4 64 7d 57 ee 63
        GDCA TrustAUTH E4 Generic CA    SHA1 digest = fd 63 ba 6e e7 89 f6 0a 
16 72 b5 b3 3a 29 7d 71 71 65 54 ee
        GDCA TrustAUTH E4 Primer CA             SHA1 digest =5f 42 a4 4d c8 ca 
12 df ae 1c 29 92 1f 47 3e 3b be 8b d4 2c
        
        There are also other changes:
        
        Section 1.4.1.6. CP Object Identifiers of Certificates
                Type I individual certificate policy: (1.2.156.112559.1.1.1.1)
                Type II individual certificate policy: (1.2.156.112559.1.1.1.2)
                Type III individual certificate policy: (1.2.156.112559.1.1.1.3)
                Type IV individual certificate policy: (1.2.156.112559.1.1.1.4)
                Type III organization certificate policy: (1.2.156.112559.1.1.2.1)
                Type IV organization certificate policy: (1.2.156.112559.1.1.2.2)
                Equipment certificate policy: (1.2.156.112559.1.1.3.1)
                OV SSL server certificate policy: (1.2.156.112559.1.1.4.1)
                IV SSL server certificate policy: (1.2.156.112559.1.1.4.2)
                DV SSL server certificate policy: (1.2.156.112559.1.1.4.3)
                EV SSL server certificate policy: (1.2.156.112559.1.1.6.1)
                General CodeSigning certificate policy: (1.2.156.112559.1.1.5.1)
                EV CodeSigning certificate policy: (1.2.156.112559.1.1.7.1)
                Hong Kong-Guangdong mutual recognition individual certificates: 2.16.156.339.1.1.1.2.1
                Hong Kong-Guangdong mutual recognition organization certificates: 2.16.156.339.1.1.2.2.1
                
        Section 1.5.2. Contact Person
        Contact: Ms Wang
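
The appendix fingerprints in this thread appear in two notations (contiguous upper case with a `SHA1=` label, and spaced lower case), so cross-checking them by eye is error-prone. The following is an added example, not part of the original messages or of any GDCA or Mozilla tooling: it normalises both notations, compares the two lists by CA name, and computes the same fingerprint from a certificate file in DER or PEM form. The digest values are copied from the thread; the function names and the sample certificate bytes are constructed for illustration.

```python
import base64
import hashlib
import re

# Digests as quoted in this thread: the reviewer's notation (contiguous,
# upper case, "SHA1=" label) and the CA's notation (spaced, lower case).
REVIEWER = {
    "GDCA TrustAUTH R4 IV SSL CA": "SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3",
    "GDCA TrustAUTH R4 DV SSL CA": "SHA1=30184A5B924E679E7A91329317D0560F587E697B",
}
CA_REPLY = {
    "GDCA TrustAUTH R4 IV SSL CA": "78 ae a8 51 a3 1b 0f 04 9a f0 2c d0 f2 ad 91 40 60 4f a7 a3",
    "GDCA TrustAUTH R4 DV SSL CA": "30 18 4a 5b 92 4e 67 9e 7a 91 32 93 17 d0 56 0f 58 7e 69 7b",
    "GDCA TrustAUTH R4 OV SSL CA": "c3 4a d6 45 d5 79 1c 5f 22 e7 33 d7 53 47 08 15 85 75 6c 2d",
}

def normalize(fp: str) -> str:
    """Drop any 'SHA1=' style label and separators; return 40 lower-case hex chars."""
    digits = re.sub(r"[\s:]", "", fp.split("=")[-1])
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", digits):
        raise ValueError(f"not a 20-byte SHA-1 digest: {fp!r}")
    return digits.lower()

def compare(first: dict, second: dict) -> dict:
    """Classify every CA name as match, MISMATCH, or present in one list only."""
    report = {}
    for name in sorted(set(first) | set(second)):
        a, b = first.get(name), second.get(name)
        if a is None or b is None:
            report[name] = "only in " + ("second" if a is None else "first") + " list"
        else:
            report[name] = "match" if normalize(a) == normalize(b) else "MISMATCH"
    return report

def cert_fingerprint(blob: bytes) -> str:
    """SHA-1 over the DER encoding, whether the file is DER or PEM-armoured."""
    pem = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                    blob, re.S)
    der = base64.b64decode(pem.group(1)) if pem else blob
    return hashlib.sha1(der).hexdigest()

# Constructed stand-in bytes (not a real certificate) to show that the PEM
# and DER forms of one object give the same fingerprint.
SAMPLE_DER = bytes.fromhex("3009020101020102020103")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name, status in compare(REVIEWER, CA_REPLY).items():
        print(f"{status:22} {name}")
    print(cert_fingerprint(SAMPLE_DER) == cert_fingerprint(SAMPLE_PEM))
```

SHA-1 is used here only because it is the digest the thread quotes; switching to `hashlib.sha256` with a 64-character check gives a collision-resistant comparison.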