On Friday, October 21, 2016 at 12:15:07 PM UTC+8, [email protected] wrote:
> On Friday, October 21, 2016 at 12:15:00 AM UTC+8, Han Yuwei wrote:
> > On Thursday, October 20, 2016 at 5:27:42 AM UTC+8, Andrew R. Whalley wrote:
> > > Hello,
> > >
> > > Thank you for the links. I note, however, that there's at least one difference between the native language version and the English translation:
> > >
> > > http://www.gdca.com.cn/cps/cps version 4.3 has a section 4.2.4 covering CAA.
> > > https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091 version 4.3 in English has no such section.
> > >
> > > The fact there's a discrepancy is rather worrying. Could you please check and let me know if there are any other substantive differences between the Chinese and English versions?
> > >
> > > Cheers,
> > >
> > > Andrew
> > >
> > > On Mon, Sep 26, 2016 at 7:17 PM, <[email protected]> wrote:
> > >
> > > > On Tuesday, September 27, 2016 at 4:15:00 AM UTC+8, Andrew R. Whalley wrote:
> > > > > Hello,
> > > > >
> > > > > I have completed a read through of the English translations of the CP (v1.2) and CPS (v4.1). Before I post my comments I wanted to see if there were any more recent translations? It looks like the local language versions are 1.4 and 4.3 respectively.
> > > > >
> > > > > Many thanks,
> > > > >
> > > > > Andrew
> > > > >
> > > > > On Wed, Aug 3, 2016 at 2:45 PM, Kathleen Wilson <[email protected]> wrote:
> > > > >
> > > > > > This request from Guangdong Certificate Authority (GDCA) is to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and enable EV treatment.
> > > > > >
> > > > > > GDCA is a nationally recognized CA that operates under China’s Electronic Signature Law.
> > > > > > GDCA’s customers are business corporations registered in mainland China, government agencies of China, individuals or mainland China citizens, servers of business corporations which have been registered in mainland China, and software developers.
> > > > > >
> > > > > > The request is documented in the following bug:
> > > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1128392
> > > > > >
> > > > > > And in the pending certificates list:
> > > > > > https://wiki.mozilla.org/CA:PendingCAs
> > > > > >
> > > > > > Summary of Information Gathered and Verified:
> > > > > > https://bugzilla.mozilla.org/attachment.cgi?id=8749437
> > > > > >
> > > > > > Noteworthy points:
> > > > > >
> > > > > > * Root Certificate Download URL:
> > > > > > https://bugzilla.mozilla.org/attachment.cgi?id=8748933
> > > > > > https://www.gdca.com.cn/cert/GDCA_TrustAUTH_R5_ROOT.der
> > > > > >
> > > > > > * The primary documents are provided in Chinese.
> > > > > >
> > > > > > CA Document Repository: https://www.gdca.com.cn/customer_service/knowledge_universe/cp_cps/
> > > > > > http://www.gdca.com.cn/cp/cp
> > > > > > http://www.gdca.com.cn/cps/cps
> > > > > > http://www.gdca.com.cn/cp/ev-cp
> > > > > > http://www.gdca.com.cn/cps/ev-cps
> > > > > >
> > > > > > Translations into English:
> > > > > > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8650346
> > > > > > CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8688749
> > > > > >
> > > > > > * CA Hierarchy: This root certificate has internally-operated subordinate CAs
> > > > > > - GDCA TrustAUTH R4 SSL CA (issues 2048-bit SSL certs)
> > > > > > - GDCA TrustAUTH R4 Generic CA (issues 2048-bit individual certs)
> > > > > > - GDCA TrustAUTH R4 CodeSigning CA (issues 2048-bit CodeSigning certs)
> > > > > > - GDCA TrustAUTH R4 Extended Validation SSL CA (issues 2048-bit EV SSL certs)
> > > > > > - GDCA TrustAUTH R4 Extended Validation Code Signing CA (issues 2048-bit EV CodeSigning certs)
> > > > > >
> > > > > > * This request is to turn on the Websites trust bit.
> > > > > >
> > > > > > CPS section 3.2.5: For domain verification, GDCA needs to check the written materials which can be used to prove the ownership of corresponding domain provided by applicant. Meanwhile, GDCA should ensure the ownership of domain from corresponding registrant or other authoritative third-party databases. During the verification, GDCA needs to perform the following procedures:
> > > > > > 1. GDCA should confirm that the domain's owner is certificate applicant based on the information queried from corresponding domain registrant or authoritative third-party database and provided by applicant.
> > > > > > 2. GDCA should confirm that the significant information (such as document information of applicant) in application materials are consistent with the reply of domain's owner by sending email or making phone call based on the contact information (such as email, registrar, administrator's email published at this domain's website, etc.) queried from corresponding domain registrant or authoritative third-party database.
> > > > > > If necessary, GDCA also need to take other review measures to confirm the ownership of the domain name. Applicant can't refuse to the request for providing appropriate assistance.
> > > > > >
> > > > > > * EV Policy OID: 1.2.156.112559.1.1.6.1
> > > > > >
> > > > > > * Test Website: https://ev-ssl-test-1.95105813.cn/
> > > > > >
> > > > > > * CRL URLs:
> > > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R5_ROOT.crl
> > > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_SSL_CA.crl
> > > > > > http://www.gdca.com.cn/crl/GDCA_TrustAUTH_R4_Extended_Validation_SSL_CA.crl
> > > > > >
> > > > > > * OCSP URL:
> > > > > > http://www.gdca.com.cn/TrustAUTH/ocsp
> > > > > >
> > > > > > * Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian LLP according to the WebTrust criteria.
> > > > > > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2024&file=pdf
> > > > > > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2025&file=pdf
> > > > > > WebTrust EV: https://cert.webtrust.org/SealFile?seal=2026&file=pdf
> > > > > >
> > > > > > * Potentially Problematic Practices: None Noted
> > > > > > (http://wiki.mozilla.org/CA:Problematic_Practices)
> > > > > >
> > > > > > This begins the discussion of the request from Guangdong Certificate Authority (GDCA) to include the "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and enable EV treatment. At the conclusion of this discussion I will provide a summary of issues noted and action items. If there are outstanding issues, then an additional discussion may be needed as follow-up. If there are no outstanding issues, then I will recommend approval of this request in the bug.
> > > > > >
> > > > > > Kathleen
> > > > > >
> > > > > > _______________________________________________
> > > > > > dev-security-policy mailing list
> > > > > > [email protected]
> > > > > > https://lists.mozilla.org/listinfo/dev-security-policy
> > > >
> > > > Yes, we have new version translations. We have uploaded to Bug 1128392.
> > > > CP V1.4: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795090
> > > > CPS V4.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795091
> > > > EV CP V1.2: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795093
> > > > EV CPS V1.3: https://bug1128392.bmoattachments.org/attachment.cgi?id=8795094
> >
> > My English is not good enough, maybe my translation can't represent the original Chinese meaning accurately.
> > Any question would be answered about the meaning.
> > All information is based on version 4.3
> > I will only note the translation of Chinese version which is different from English version.
> >
> > 1.1.1
> >
> > Chinese version has an additional statement:
> >
> > After rename of GDCA, the property, debt, rights, and business of "Guangdong Digital Certificate Authority Co. LTD" would be transferred to "Global Digital Cybersecurity Authority CO., LTD." Any contracts signed by "Guangdong Digital Certificate Authority Co. LTD" would also be transferred to "Global Digital Cybersecurity Authority CO., LTD."
> >
> > 1.1.2
> > Para. 2 has a link http://www.gdca.com.cn/TrustAUTH/ that returned 404 at 20OCT2016 13:50Z, so I can't verify the CP.
> > Chinese version missed the detail of Object identifier section
> >
> > 1.1.3
> > Chinese version: Currently, GDCA has 6 root certificates, including ROOTCA (RSA), GDCA ROOT CA, ROOTCA(SM2), GDCA TrustAUTH R5 ROOT, 数安时代 R5 ROOT (CN is Chinese), GDCA TrustAUTH E5 ROOT
> >
> > 1) About GDCA TrustAUTH R2 CA which will expire at 15DEC2018, from 15DEC2016, GDCA will no longer use it to issue subscriber certificates.
> > 2) GDCA ROOT CA will expire on 11DEC2024.
> > 4) GDCA TrustAUTH R5 would issue EV certificates
> > 4) 5) 6) section is totally different from English version. I can't translate it all.
> >
> > 1.2
> > Chinese version missed the OID section.
> >
> > 1.3
> > The Chinese version's word is different. I think PKI should refer to Public Key Infrastructure. Am I right?
> >
> > 1.4.1
> > Chinese version has additional statements. It said something about EV SSL Certificates. But I think it is not important.
> >
> > 1.4.1.1
> > Additional type of individual certificates: Type III and Type IV which require more validations.
> >
> > 1.4.1.2
> > GDCA will NOT issue any Type I and II Organization certificate, only issue Type III and IV.
> >
> > 1.4.1.4
> > 4 types: EV, OV, IV, DV. EV SSL would follow another CPS.
> >
> > 1.4.1.5
> > Some differences. Not important
> >
> > 3.1.1
> > For SSL certificate......and a primary domain name or IP address shall be used as CN.
> >
> > issuer's DN: O: Global Digital Cybersecurity Authority CO., LTD. or GDCA Certificate Authority
> >
> > 3.1.5
> >
> > The first applicant of this DN shall govern, later applicant would be distinguished by additional information.
> >
> > 3.2.2 Title: Authentication of Individual Identity which should be 3.2.3's title.
> > 3.2.2 and 3.2.3 cannot be compared because Chinese version depends on different type of certificates.
> >
> > 3.2 is totally a mess.
> >
> > 4.2.4
> > Not available. GDCA doesn't do CAA validation.
> >
> > 4.7.1
> > not allowed to update key: Type I & II individual certificate, Equipment certificate, SSL certificate, Code Signing certificate.
> >
> > 6.3.3
> > - For RSA2048 SSL cert and Code Signing cert, ECC 256bit SSL and Code Signing cert, max period of keypair usage is 39 months
> >
> > 7.1.3
> > sha1RSA, sha256RSA and sha256ECDSA
> >
> > 7.2.2
> > Signing algorithm: sha1RSA sha256RSA sha256ECDSA SM2 ECC
> >
> > Section 9 which is about law is too hard for me. I would only pick up something I can understand.
> >
> > 9.2.1
> > compensation will not exceed:
> > 800CNY for Individual cert.
> > 4,000CNY for Organization cert.
> > 8,000CNY for Equipment cert.
> > 200,000CNY for Code Signing cert.
> > 500,000CNY for SSL cert.
> >
> > Appendix:
> > GDCA TrustAUTH R4 EV SSL CA & GDCA TrustAUTH R4 EV CodeSigning CA's information will be disclosed in GDCA EV CPS
> > GDCA TrustAUTH R4 IV SSL CA (SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3)
> > GDCA TrustAUTH R4 DV SSL CA (SHA1=30184A5B924E679E7A91329317D0560F587E697B)
> > GDCA TrustAUTH R4 Primer CA (SHA1=14C2B33BBF6EBD84FCA7015413EBD0433E171A98)
> > some Chinese CN CAs
> > some E5 CAs
>
> Thanks again to Yuwei for listing the major differences between the Chinese version and the English version.
>
> > 1.1.2
> > Para. 2 has a link http://www.gdca.com.cn/TrustAUTH/ that returned 404 at 20OCT2016 13:50Z, so I can't verify the CP.
> > Chinese version missed the detail of Object identifier section
>
> The link is now http://www.gdca.com.cn/cp/cp
>
> > 1.1.3
> > Chinese version: Currently, GDCA has 6 root certificates, including ROOTCA (RSA), GDCA ROOT CA, ROOTCA(SM2), GDCA TrustAUTH R5 ROOT, 数安时代 R5 ROOT (CN is Chinese), GDCA TrustAUTH E5 ROOT
> >
> > 1) About GDCA TrustAUTH R2 CA which will expire at 15DEC2018, from 15DEC2016, GDCA will no longer use it to issue subscriber certificates.
> > 2) GDCA ROOT CA will expire on 11DEC2024.
> > 4) GDCA TrustAUTH R5 would issue EV certificates
> > 4) 5) 6) section is totally different from English version. I can't translate it all.
>
> The 4) section is about the GDCA TrustAUTH R5 ROOT and sub-CAs
> The 5) section is about the 数安时代 R5 ROOT and sub-CAs
> The 6) section is about the GDCA TrustAUTH E5 ROOT and sub-CAs
>
> > 1.2
> > Chinese version missed the OID section.
>
> 1.2. Document Name and Identification
> In this document called "Global Digital Cybersecurity Authority CO., LTD. Certification Practice Statement" (abbreviated as “GDCA CPS”), CPS is equivalent to the document name and applicable name defined in this section.
> The object identifier (OID) of certificates applied to the project of Hong Kong-Guangdong mutual recognition in this CPS are consistent with “Certificate Policy for Hong Kong-Guangdong mutual recognition of electronic signature certificates” while others are consistent with “GDCA Certificate Policy” (abbreviated as “GDCA CP”).
>
> > 3.2 is totally a mess.
>
> The 3.2 section of the Chinese version is different from the English version now. Please see it in the new English version next week.
>
> > Appendix:
> > GDCA TrustAUTH R4 EV SSL CA & GDCA TrustAUTH R4 EV CodeSigning CA's information will be disclosed in GDCA EV CPS
> > GDCA TrustAUTH R4 IV SSL CA (SHA1=78AEA851A31B0F049AF02CD0F2AD9140604FA7A3)
> > GDCA TrustAUTH R4 DV SSL CA (SHA1=30184A5B924E679E7A91329317D0560F587E697B)
> > GDCA TrustAUTH R4 Primer CA (SHA1=14C2B33BBF6EBD84FCA7015413EBD0433E171A98)
> > some Chinese CN CAs
> > some E5 CAs
>
> GDCA TrustAUTH R5 ROOT SHA1 digest = 0f 36 38 5b 81 1a 25 c3 9b 31 4e 83 ca e9 34 66 70 cc 74 b4
> GDCA TrustAUTH R4 EV SSL CA See “GDCA EV CPS”
> GDCA TrustAUTH R4 EV CodeSigning CA See “GDCA EV CPS”
> GDCA TrustAUTH R4 OV SSL CA SHA1 digest = c3 4a d6 45 d5 79 1c 5f 22 e7 33 d7 53 47 08 15 85 75 6c 2d
> GDCA TrustAUTH R4 IV SSL CA SHA1 digest = 78 ae a8 51 a3 1b 0f 04 9a f0 2c d0 f2 ad 91 40 60 4f a7 a3
> GDCA TrustAUTH R4 DV SSL CA SHA1 digest = 30 18 4a 5b 92 4e 67 9e 7a 91 32 93 17 d0 56 0f 58 7e 69 7b
> GDCA TrustAUTH R4 CodeSigning CA SHA1 digest = fc 6d cb 06 a5 5b ff 76 83 64 27 5b 29 d6 4f 7c 3a a9 cf b4
> GDCA TrustAUTH R4 Generic CA SHA1 digest = 6f ed 83 eb e1 83 cc 71 d0 ed e1 2a e8 77 e0 df 98 96 1f 24
> GDCA TrustAUTH R4 Primer CA SHA1 digest = 14 c2 b3 3b bf 6e bd 84 fc a7 01 54 13 eb d0 43 3e 17 1a 98
>
> 2 New Root:
>
> 数安时代R5根CA证书 SHA1 digest = 23 eb 1b a4 64 71 a1 e7 e9 f2 db 57 01 fe f8 f2 f8 0c aa e9
> 数安时代R4 EV 服务器 See “GDCA EV CPS”
> 数安时代R4 OV 服务器证书 CA SHA1 digest = 93 92 5b 05 17 30 05 86 fd 2c 45 eb 18 6e 00 9e b9 75 a5 d0
> 数安时代R4 IV 服务器证书 CA SHA1 digest = 10 b8 fb 9a d2 50 32 6a ee fb 05 ad da 9d 3a 2b bb bd 5d bf
> 数安时代R4 DV 服务器证书 CA SHA1 digest = 01 ad 04 cd e1 05 56 23 4a f6 6f a0 e6 64 f3 a6 18 80 4d f5
> 数安时代R4 代码签名证书 CA SHA1 digest = 4f be 54 bc 70 8e b1 2a 11 86 dd 79 aa ff e7 95 f8 ad c6 e9
> 数安时代R4 普通订户证书 CA SHA1 digest = 07 33 29 cb 53 b1 86 36 25 38 1b fb 48 a0 43 a7 b1 fe 28 6f
> 数安时代R4 基础订户证书 CA SHA1 digest = e5 da 52 2d 5f 38 7a 6e 72 49 5e 66 a4 be ba 0f 24 f2 59 dc
>
> GDCA TrustAUTH E5 ROOT SHA1 digest = eb 46 6c d3 75 65 f9 3c de 10 62 cd 8d 98 26 ed 23 73 0f 12
> GDCA TrustAUTH E4 EV SSL CA See “GDCA EV CPS”
> GDCA TrustAUTH E4 OV SSL CA SHA1 digest = 50 15 62 d8 1b a2 40 27 1b ee 06 d2 b3 7f 5b 35 cb 9d 8c b8
> GDCA TrustAUTH E4 IV SSL CA SHA1 digest = a8 45 2b fc 20 f9 de b6 9b 8b 3f 29 73 e0 a3 b3 6f 82 eb 5b
> GDCA TrustAUTH E4 DV SSL CA SHA1 digest = 8e 9b 9a db f5 ec c4 6b 05 76 82 2e de 5e 80 d1 57 6b 5d 7c
> GDCA TrustAUTH E4 CodeSigning CA SHA1 digest = 10 6a 4e 5d ca 05 92 28 e4 ff 89 52 66 53 a4 64 7d 57 ee 63
> GDCA TrustAUTH E4 Generic CA SHA1 digest = fd 63 ba 6e e7 89 f6 0a 16 72 b5 b3 3a 29 7d 71 71 65 54 ee
> GDCA TrustAUTH E4 Primer CA SHA1 digest = 5f 42 a4 4d c8 ca 12 df ae 1c 29 92 1f 47 3e 3b be 8b d4 2c
>
> There are also other changes:
>
> Section 1.4.1.6. CP Object Identifiers of Certificates
> Type I individual certificate policy: (1.2.156.112559.1.1.1.1)
> Type II individual certificate policy: (1.2.156.112559.1.1.1.2)
> Type III individual certificate policy: (1.2.156.112559.1.1.1.3)
> Type IV individual certificate policy: (1.2.156.112559.1.1.1.4)
> Type III organization certificate policy: (1.2.156.112559.1.1.2.1)
> Type IV organization certificate policy: (1.2.156.112559.1.1.2.2)
> Equipment certificate policy: (1.2.156.112559.1.1.3.1)
> OV SSL server certificate policy: (1.2.156.112559.1.1.4.1)
> IV SSL server certificate policy: (1.2.156.112559.1.1.4.2)
> DV SSL server certificate policy: (1.2.156.112559.1.1.4.3)
> EV SSL server certificate policy: (1.2.156.112559.1.1.6.1)
> General CodeSigning certificate policy: (1.2.156.112559.1.1.5.1)
> EV CodeSigning certificate policy: (1.2.156.112559.1.1.7.1)
> Hong Kong-Guangdong mutual recognition individual certificates: 2.16.156.339.1.1.1.2.1
> Hong Kong-Guangdong mutual recognition organization certificates: 2.16.156.339.1.1.2.2.1
>
> Section 1.5.2. Contact Person
> Contact: Ms Wang

I think this is a major mistake and an investigation should be conducted, for CPS is a critical document about CA. This is not just a translation problem but a version control problem. Sometimes it can be lying.
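
The discrepancy raised in this thread (section 4.2.4 present in the Chinese CPS v4.3 but absent from the English v4.3) can be caught by comparing section numbers alone, without reading either language. The following is an added example, not part of the thread and not GDCA's or Mozilla's tooling; the two excerpts are constructed samples with RFC 3647-style headings, and the function names are illustrative.

```python
import re

# RFC 3647-style heading, e.g. "4.2.4 CAA"; two-digit cap keeps OIDs (1.2.156...) out.
HEADING = re.compile(r"^\s*(\d{1,2}(?:\.\d{1,2}){1,4})\.?\s+(\S.*)$")

def section_index(text):
    """Return {section-number tuple: heading title} for one document."""
    index = {}
    for line in text.splitlines():
        m = HEADING.match(line)
        if m:
            key = tuple(int(p) for p in m.group(1).split("."))
            index.setdefault(key, m.group(2).strip())
    return index

def dotted(keys):
    return [".".join(map(str, k)) for k in sorted(keys)]

def numbering_gaps(index):
    """Missing predecessors, e.g. 4.3.1 when 4.3.2 exists without it."""
    prev = {k[:-1] + (k[-1] - 1,) for k in index if k[-1] > 1}
    return dotted(prev - set(index))

def compare(native, translation):
    a, b = section_index(native), section_index(translation)
    return {
        "only_in_native": dotted(a.keys() - b.keys()),
        "only_in_translation": dotted(b.keys() - a.keys()),
        "gaps_in_native": numbering_gaps(a),
        "gaps_in_translation": numbering_gaps(b),
    }

# Constructed excerpts (not text from GDCA's CPS); titles follow RFC 3647.
NATIVE_EXCERPT = """
4.1 证书申请
4.2 证书申请处理
4.2.1 执行识别与鉴别功能
4.2.2 证书申请的批准和拒绝
4.2.3 处理证书申请的时间
4.2.4 CAA
4.3 证书签发
4.3.2 CA通知订户证书的签发
"""
ENGLISH_EXCERPT = """
4.1 Certificate Application
4.2 Certificate Application Processing
4.2.1 Performing Identification and Authentication Functions
4.2.2 Approval or Rejection of Certificate Applications
4.2.3 Time to Process Certificate Applications
4.3 Certificate Issuance
4.3.2 Notification to Subscriber by the CA of Issuance of Certificate
"""
if __name__ == "__main__":
    print(compare(NATIVE_EXCERPT, ENGLISH_EXCERPT))
```

The numbering-gap check also flags a section missing from both versions, which the set difference alone cannot show; any body line that happens to start with a short dotted number will be counted as a heading, so results need a manual look.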

