All,

Are there any additional comments?

Thanks,
Ben

On Sun, Jul 4, 2021 at 7:11 PM yutian zheng <[email protected]> wrote:

> Hi All,
>
> iTrusChina submitted a document to answer a series of questions in
> Quantifying Value:
>
> attachment.cgi (bug1554846.bmoattachments.org)
> <https://bug1554846.bmoattachments.org/attachment.cgi?id=9229617>
>
> Regards,
> vTrus team
>
> On Wednesday, April 21, 2021 at 2:19:41 AM UTC+8, <[email protected]> wrote:
>
>> Hi Ryan,
>> Kathleen and I discussed iTrusChina's and TunTrust's root inclusion
>> applications this morning and agreed that we should extend the public
>> discussion period and leave them open for discussion beyond April 30th.
>> Meanwhile, I will work on follow-up questions for them regarding their
>> added value to users vs. added risk.
>> Thanks,
>> Ben
>>
>> On Wed, Apr 7, 2021 at 1:52 PM Ryan Sleevi <[email protected]> wrote:
>>
>>> Thanks for clarifying.
>>>
>>> In a personal capacity, while I can understand that Mozilla may have
>>> reached a level of confidence that they can handle processing these
>>> requests in parallel, I don't believe it's reasonable to expect the same of
>>> the community, since these public discussions may be the first time a
>>> number of members of the community are examining CAs in depth. This
>>> practically impacts both the quality and depth of review, as it effectively
>>> requires the community make larger and larger time commitments to handle
>>> all such reviews, or reduces the amount of time and effort focused on an
>>> individual CA.
>>>
>>> Wearing a Google hat, honestly, I don't think we'll be able to offer
>>> feedback here for both CAs in a parallel (time-gated) review. We'll examine
>>> the available data to help prioritize against our own stated policies, but
>>> I think realistically, we may request that the CA that does not align most
>>> with the priorities undergoes an additional public discussion when we're
>>> ready to proceed. We see significant risk to our users from trying to
>>> include CAs too quickly, and so want to make sure as much as possible that
>>> all CAs receive the same level of attention and thoroughness by dedicating
>>> specific time to focus on just a single CA.
>>>
>>> It's an entirely reasonable goal, but the effect of running these in
>>> parallel does not mean both CAs undergo three weeks of review; it means
>>> both CAs undergo a week and a half, or less, since these processes do not
>>> linearly scale, nor should they.
>>>
>>> On Wed, Apr 7, 2021 at 3:39 PM Ben Wilson <[email protected]> wrote:
>>>
>>>> Ryan,
>>>> Yes, I think it is an intentional effort to process multiple
>>>> applications simultaneously. As I was moving CA applicants through the
>>>> queue these two just seemed to both be ready at about the same time. It was
>>>> more efficient for me to handle these two at once. Note that we also have
>>>> Asseco/Certum with public discussion closing next week (4/14/2021). I'll
>>>> repost that to this list right now so that there is continuity on this
>>>> list. Let's see how this goes. If it presents a problem, then we can
>>>> adjust.
>>>> Ben
>>>>
>>>> On Wed, Apr 7, 2021 at 1:01 PM Ryan Sleevi <[email protected]> wrote:
>>>>
>>>>> On Wed, Apr 7, 2021 at 2:49 PM Ben Wilson <[email protected]> wrote:
>>>>>
>>>>>> This is to announce the beginning of the public discussion phase of
>>>>>> the Mozilla root CA inclusion process for iTrusChina’s vTrus Root CA and
>>>>>> its vTrus ECC Root CA. See
>>>>>> https://wiki.mozilla.org/CA/Application_Process#Process_Overview,
>>>>>> (Steps 4 through 9).
>>>>>>
>>>>>> These Root CAs are operated by iTrusChina Co., Ltd.
>>>>>>
>>>>>> This current CA inclusion application has been tracked in the CCADB
>>>>>> and in Bugzilla–
>>>>>>
>>>>>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000431
>>>>>>
>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1554846
>>>>>>
>>>>>> These new root CA certificates are valid from 2018 to 2043, and they
>>>>>> are proposed for inclusion with the websites bit and EV enabled.
>>>>>>
>>>>>> Mozilla is considering approving iTrusChina’s request. This email
>>>>>> begins the 3-week comment period, after which, if no concerns are raised,
>>>>>> we will close the discussion and the request may proceed to the approval
>>>>>> phase (Step 10).
>>>>>>
>>>>>> *Root Certificate Information:*
>>>>>>
>>>>>> *vTrus Root CA* (RSA)
>>>>>>
>>>>>> crt.sh –
>>>>>>
>>>>>> https://crt.sh/?q=8A71DE6559336F426C26E53880D00D88A18DA4C6A91F0DCB6194E206C5C96387
>>>>>>
>>>>>> Download –
>>>>>>
>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusRootCA.cer
>>>>>>
>>>>>> *vTrus ECC Root CA* (ECC)
>>>>>>
>>>>>> crt.sh –
>>>>>>
>>>>>> https://crt.sh/?q=30FBBA2C32238E2A98547AF97931E550428B9B3F1C8EEB6633DCFA86C5B27DD3
>>>>>>
>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusECCRootCA.cer
>>>>>>
>>>>>> *CP/CPS:*
>>>>>>
>>>>>> iTrusChina’s current CPS is v.1.4.4 / Dec. 19, 2020
>>>>>>
>>>>>> https://www.itrus.com.cn/uploads/soft/201223/2-201223110436.pdf
>>>>>>
>>>>>> Repository location:
>>>>>>
>>>>>> https://www.itrus.com.cn/repository
>>>>>>
>>>>>> *iTrusChina's 2021 BR Self-Assessment* (PDF) is located here:
>>>>>>
>>>>>> https://bugzilla.mozilla.org/attachment.cgi?id=9209938
>>>>>>
>>>>>> *Audits:*
>>>>>>
>>>>>> iTrusChina’s WebTrust auditor is PricewaterhouseCoopers Zhong Tian
>>>>>> LLP, and the most recent audit reports are dated March 24, 2021. These
>>>>>> audit reports may be downloaded by clicking on the WebTrust seals at the
>>>>>> bottom of iTrusChina’s repository page
>>>>>> <https://www.itrus.com.cn/repository/>.
>>>>>>
>>>>>> *Incidents:*
>>>>>>
>>>>>> I was not able to find any incidents involving iTrusChina, no
>>>>>> misissuances were found under the iTrusChina root CAs, and the issuing
>>>>>> CAs appeared to be properly formatted.
>>>>>>
>>>>>> Thus, this email begins a three-week public discussion period, which
>>>>>> I’m scheduling to close on or about 30-April-2021.
>>>>>>
>>>>>> A representative of iTrusChina must promptly respond directly in the
>>>>>> discussion thread to all questions that are posted.
>>>>>>
>>>>>
>>>>> Ben,
>>>>>
>>>>> I'm not used to parallel discussions for adding CAs. May I request
>>>>> that you put this discussion on hold until the conclusion of TunTrust? Or
>>>>> is this an intentional attempt to parallelize more, despite the limited
>>>>> resources?
>>>>>
