On Thu, Sep 22, 2016 at 12:57 AM, <horn...@gmail.com> wrote:
> On Tuesday, September 20, 2016 at 11:53:29 PM UTC+8, Peter Bowen wrote:
>> On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
>> >
>> > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
>> > All subordinate CAs are operated by Taiwan Government organizations.
>> > GCA is responsible for signing certificates for government agencies. This
>> > is the only intermediate cert that can issue SSL certs.
>> > XCA is responsible for signing certificates for organizations;
>> > MOICA is responsible for signing certificates for citizens;
>> > MOEACA is responsible for signing certificates for corporations; and
>> > HCA is responsible for signing certificates for health agencies.
>> >
>> > * Audit: Annual audits are performed by KPMG according to the WebTrust
>> > criteria.
>> > WebTrust CA: https://cert.webtrust.org/SealFile?seal=2050&file=pdf
>> > WebTrust BR: https://cert.webtrust.org/SealFile?seal=2051&file=pdf
>>
>> I'm having trouble matching up the audits with the subordinate CAs.
>> There are two different CAs with the same Distinguished Name but
>> different SubjectPublicKeyInfo and KeyIDs (https://crt.sh/?caid=186
>> and https://crt.sh/?caid=1330) which makes it trickier than normal,
>> but either way I'm not seeing all of these subordinates covered in the
>> audit reports. Can someone please provide a link to each audit report
>> for each subordinate?
>>
>> Thanks,
>> Peter
>
> GRCA WebTrust CA
> (http://grca.nat.gov.tw/download/Audit/GRCA_Audit_Report_2016.pdf)
>
> GCA WebTrust CA
> (http://grca.nat.gov.tw/download/Audit/GCA_WTCA_Report_2016.pdf)
> GCA BR (http://grca.nat.gov.tw/download/Audit/GCA_BR_Audit_Report_2015.pdf)
>
> XCA WebTrust CA (http://grca.nat.gov.tw/download/Audit/XCA_Report_2016.pdf)
>
> HCA WebTrust CA
> (http://grca.nat.gov.tw/download/Audit/HCA_WTCA_Audit_Report_2015.pdf)
>
> MOEACA WebTrust CA
> (http://grca.nat.gov.tw/download/Audit/MOEACA_Audit_Report_2015.pdf)
>
> MOICA WebTrust CA
> (http://grca.nat.gov.tw/download/Audit/MOICA_Audit_Report_2015.pdf)
I see the following subordinate CAs under the two Government Root CAs:

C=TW, O=行政院, OU=內政部憑證管理中心
C=TW, O=行政院, OU=工商憑證管理中心
C=TW, O=行政院, OU=政府憑證管理中心
C=TW, O=行政院, OU=政府測試憑證管理中心
C=TW, O=行政院, OU=組織及團體憑證管理中心
C=TW, O=行政院, OU=醫事憑證管理中心
C=TW, O=行政院, OU=內政部憑證管理中心
C=TW, O=行政院, OU=內政部憑證管理中心
C=TW, O=行政院, OU=工商憑證管理中心
C=TW, O=行政院, OU=政府憑證管理中心
C=TW, O=行政院, OU=組織及團體憑證管理中心

None of the CA certificates have an EKU extension, so all are capable of issuing server authentication certificates. Therefore each of these should have a BR audit if the websites bit is going to be enabled.

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
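The check Peter applies to the subordinates above (no EKU extension means the CA can issue server authentication certificates and so falls under the BR audit requirement), written out as an added Go example that is not part of the thread or of any GRCA tooling. The `makeCA` helper builds constructed self-signed test certificates so the check runs offline; the function and OU names are assumptions for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

// tlsCapable applies Peter's reasoning: a CA certificate with no EKU extension
// can issue server authentication certificates, as can one whose EKU lists
// serverAuth or anyExtendedKeyUsage. Presence is read from the raw extension
// list (id-ce-extKeyUsage, 2.5.29.37) because Go's parsed ExtKeyUsage slice is
// also empty when the extension is present but holds only unrecognised OIDs.
func tlsCapable(c *x509.Certificate) bool {
	hasEKU := false
	for _, e := range c.Extensions {
		hasEKU = hasEKU || e.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 37})
	}
	if !hasEKU {
		return true
	}
	for _, u := range c.ExtKeyUsage {
		if u == x509.ExtKeyUsageServerAuth || u == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false
}

// makeCA builds a constructed self-signed CA certificate for the demo;
// eku == nil omits the extension entirely, as in the subordinates listed above.
func makeCA(ou string, eku []x509.ExtKeyUsage) *x509.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{Country: []string{"TW"}, OrganizationalUnit: []string{ou}},
		NotBefore:    time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		ExtKeyUsage:  eku, // nil -> Go writes no EKU extension at all
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // re-parsing what was just signed cannot fail
	return c
}
```

Run the same function over the real subordinate certificates (for example the DER downloaded from the crt.sh entries above) to see which of them need the BR audit.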