1. It's not true. CFCA's RSA root that is included in Mozilla is not able to
issue SM2 certificates with the SM3 hash. CFCA does have an SM2 root that issues
SM2 certificates, but that root is not included in Mozilla or any other root
store such as Apple, Microsoft or Google. And our CPS never indicates that our
RSA root is able to issue SM2 certificates. It is impossible.
2. The signing key and encrypting key issue is a standard related to the
Chinese double certificate, which is different from SSL, code signing and email
certificates. CFCA's root that is included in Mozilla, Google and Apple is never
able to issue this kind of certificate.
3. CFCA OV certificates have a longest validity period of 3 years. EV
certificates have a longest validity of 2 years. There is no root of CFCA
included in Mozilla, Google and Apple that can issue 5-year-long certificates.
Please note that the sub root that used to be able to issue 5-year-long
certificates is the GT root, which is a SHA-1 root that we already turned off.
This root issued 0 certificates after 2016 Jan 1, and this root has never been
included in Mozilla, Apple and Google.
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy