On Sunday, October 30, 2016 at 5:30:23 AM UTC+8, Peter Bowen wrote:
>
> On Oct 29, 2016, at 2:23 PM, Han Yuwei <hanyuwe...@gmail.com> wrote:
> >
> > On Friday, October 28, 2016 at 9:23:01 PM UTC+8, wangs...@gmail.com wrote:
> >> We are not intended to cover up anything since we had disclosed every
> >> change to the Chinese version CP/CPS at once after the auditor reviewed.
> >> The “ROOTCA(SM2)” CA in $1.1.3 of CPS ver4.3 is equivalent to the “SM2
> >> ROOT Certificate” CA in $1.1.3 of CPS ver4.1. The “Guangdong Certificate
> >> Authority(SM2) ” CA in $1.1.3 of CPS ver4.3 is equivalent to the “SM2 CA
> >> Certificate” CA in $1.1.3 of CPS ver4.1. We change these names in diagram
> >> in this revision in order to show the actual CN of these certificates.
> >> Furthermore, we only issue SM2 subscriber certificates from the subCA of
> >> “ROOTCA(SM2)” CA.
> >
> > Is SM2 acceptable in publicly-trusted CAs? I don't think so.
> >
> > Maybe Gerv could explain more about this. And I am wondering what can CA do
> > if government requirement conflicts with Mozilla's policy?
>
> It is acceptable to have a single CPS that covers CAs that are included in the
> Mozilla list of trust anchors and CAs that are not trusted by Mozilla. The
> CPS should make clear which portions apply to which CA when there are
> portions that do not apply to all CAs.
>
> In this case, I would expect that the ROOTCA(SM2) CA is not proposed for
> inclusion in Mozilla. As long as the CPS does not allow issuance of SM2
> signed certificates or certificates with SM2 subject public keys from the CAs
> proposed for inclusion in Mozilla, I do not see an issue.
>
> Thanks,
> Peter

I don't see anything about this in Chinese CPS or Bugzilla. Could someone point out or GDCA explain about this?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy