All, Here is my summary of iTrusChina's value justification. Please provide any clarifications or additional comments you may have.
*Ownership-Management Structure* iTrusChina (iTC) was established in 2000 as the Beijing Tianwei Chengxin Electronic Commerce Service Co., Ltd. (https://m.itrus.com.cn/about/history/). It was approved by the Chinese Ministry of Industry and Information Technology and State Cryptography Administration. The company is owned by four natural persons and one partnership. Here is what I have been able to glean about the governance structure from iTC's value justification - https://bugzilla.mozilla.org/attachment.cgi?id=9229617: Board of Directors | Security Policy Administration Committee | | | | | | Compliance R&D Authentication Business O&M Product Dept. The Security Policy Administration Committee (SPAC) is the lead department for security and compliance issues, and is responsible for the overall coordination of the iTC's internal resources. It determines priorities for the product and R&D departments and reviews and approves rectification results. The SPAC conducts two-person review of all operations performed by operating team. *User Base* iTC users account for more than half of Chinese market of personal and corporate certificates (480 million). Main customers are Alibaba, Tencent, JD.com, Industrial and Commercial Bank of China, Bank of China, and China Construction Bank. *Finances - Budgeting* iTC originally invested $3.09 million in 2001. It invested 2 million yuan in 2017 for WebTrust audits and compliance transformations of its facilities. Continuous investment in fixed assets and operating expenses is about US$310,000 per year. iTC's compliance budget includes personnel costs, audit costs, infrastructure construction and renovation costs, and is determined annually based on factors such as risk assessment, audit status, and software improvement plans for R&D. With the increase in the number of certificates issued each year, iTC will increase the investment in compliance each year, including the investment budget for the training of personnel familiar with CABF and IETF standards and legal-related training. When faced with compliance issues, if the overall budget set at the beginning of the year is exceeded, it will be approved by the board. Personnel Expense (R&D/O&M/security/verification/customer service/compliance teams) 2018 2019 2020 2021 (5 months) $0.83M $1.07M $1.17M $0.68M R&D team consists of 66 people (incl. 18 for CA system development, 3 for testing, and 6 for WebTrust business and authentication system development). *CA System and System Development* iTC operates a fully self-developed CA software system with a replica test environment for development and testing to ensure compliance. iTC’s CA system is designed based on CA/Browser Forum requirements and the RFCs and conforms to the Specification of cryptograph and related security technology for certificate authentication systems of the National Cryptographic Standards Committee of China (GB/T 25056-2018 Information Security Technology) and "GM/T 0037-2014 Certificate authority system test specification". iTC designs product and system changes in accordance with privacy, security, and compliance requirements. iTC uses an agile (scrum) development process. Each iteration cycle is generally 1-4 weeks. *Compliance Team and Personnel* iTC’s Compliance team follows domestic and foreign compliance standards and specifications, and regularly updates internal documentation. There are two bilingual persons who follow changes in the CA industry requirements on a daily basis. The compliance team summarizes Bugzilla CA incidents quarterly and circulates an industry dynamic tracking report to relevant personnel every month. iTC conducts self-inspections and trains personnel to avoid similar errors. Going forward, iTC will train more compliance personnel and conduct more regular training for team members of authentication, R&D, and business departments. iTC has 20 years of risk compliance experience and personnel with comparable management experience and appears to have a sufficient number of key personnel familiar with CABF and IETF standards. *Authentication Team* This team conducts monthly training on authentication procedures and industry standards, and conducts compliance audits on internal documents, certificate issuance and revocation records on a monthly basis. *R&D Team* This team integrates lint tests in the CA system for certificate issuance compliance inspection. R&D team inspects CA system at design level and performs unit testing and examines results of other testing processes. *Operation Team* This team operates and monitors the availability of all CA-related services. *Monitoring and Alerting* iTC has continuous automatic monitoring to detect and alert on any changes to the CA/RA system, and it responds to and solves the problem within 24 hours after receiving the alert. iTC uses three kinds of lint tests: zlint, certlint, x509lint. iTC conducts automatic inspection of CAA, blacklist, and high-risk list before the issuance of the certificate. The fortress machine records operations, and operation records are reviewed on a monthly basis. *Logs and backups* iTC logs/backs up: 1. Any CA operation and maintenance process in a bastion machine log. The log server backs up and archives every day and saves 2 backups, 1 remote backup, and 1 different device backup. 2. All business logs of CA, RA, etc. are backed up to the log server in real time. 3. regular CRL generation *Compliance Incidents* When a compliance incident occurs, the compliance team coordinates with the relevant business personnel to quickly initiate the investigation process within 24 hours and submit a problem report to Mozilla. The certificate that needs to be revoked after the investigation will be revoked within 24 hours after the incident. *Vulnerability Assessments* iTC conducts a vulnerability scan of the CA system every 3 months and a penetration test every year. Based on audit results, iTC also conducts vulnerability assessments of the system, physical site, operation management, and takes measures to reduce operational risks. *Risk Assessment* iTC's annual risk assessment is carried out by the operation and maintenance, product, development, and compliance teams. All internal and external audits include risk assessments. iTC's risk control refers to BR Chapter 5, including physical control, program control, personnel control, audit log program and other dimensions, and meets the WT audit requirements. iTC also follows the Chinese Ministry of Industry and Information Technology and the State Cryptography Administration’s formulated risk assessment and inspection standards. Risk Control Team rates the risks, evaluate the impact on the business, and after the approval of the Security Policy Administration Committee, decides whether to undertake the risk and formulates a corresponding commitment plan. *Audits* The internal control team conducts WebTrust internal audits on a quarterly basis. External audits include: · WebTrust audit by pwc · ISO9001 · ISO27001 After reviewing iTrusChina's value justification, I would like to examine the compliance aspects of its budget a little closer, and I am wondering whether iTrustChina can provide something similar (or better) to that provided by TunTrust? See https://bugzilla.mozilla.org/attachment.cgi?id=9228562 Sincerely yours, Ben On Tue, Aug 10, 2021 at 9:20 AM Ben Wilson <[email protected]> wrote: > All, > Are there any additional comments? > Thanks, > Ben > > On Sun, Jul 4, 2021 at 7:11 PM yutian zheng <[email protected]> > wrote: > >> Hi All, >> >> iTrusChina submitted a document to answer a series of questions in >> Quantifying Value: >> >> attachment.cgi (bug1554846.bmoattachments.org) >> <https://bug1554846.bmoattachments.org/attachment.cgi?id=9229617> >> >> Regards, >> vTrus team >> >> 在2021年4月21日星期三 UTC+8 上午2:19:41<[email protected]> 写道: >> >>> Hi Ryan, >>> Kathleen and I discussed iTrusChina's and TunTrust's root inclusion >>> applications this morning and agreed that we should extend the public >>> discussion period and leave them open for discussion beyond April 30th. >>> Meanwhile, I will work on follow-up questions for them regarding their >>> added value to users vs. added risk. >>> Thanks, >>> Ben >>> >>> On Wed, Apr 7, 2021 at 1:52 PM Ryan Sleevi <[email protected]> wrote: >>> >>>> Thanks for clarifying. >>>> >>>> In a personal capacity, while I can understand that Mozilla may have >>>> reached a level of confidence that they can handle processing these >>>> requests in parallel, I don't believe it's reasonable to expect the same of >>>> the community, since these public discussions may be the first time a >>>> number of members of the community are examining CAs in depth. This >>>> practically impacts both the quality and depth of review, as it effectively >>>> requires the community make larger and larger time commitments to handle >>>> all such reviews, or reduces the amount of time and effort focused on an >>>> individual CA. >>>> >>>> Wearing a Google hat, Honestly, I don't think we'll be able to offer >>>> feedback here for both CAs in a parallel (time-gated) review. We'll examine >>>> the available data to help prioritize against our own stated policies, but >>>> I think realistically, we may request that the CA that does not align most >>>> with the priorities undergoes an additional public discussion when we're >>>> ready to proceed. We see significant risk to our users from trying to >>>> include CAs too quickly, and so want to make sure as much as possible that >>>> all CAs receive the same level of attention and thoroughness by dedicating >>>> specific time to focus on just a single CA. >>>> >>>> It's an entirely reasonable goal, but the effect of running these in >>>> parallel does not mean both CAs undergo three weeks of review; it means >>>> both CAs undergo a week and a half, or less, since these processes do not >>>> linearly scale, nor should they. >>>> >>>> On Wed, Apr 7, 2021 at 3:39 PM Ben Wilson <[email protected]> wrote: >>>> >>>>> Ryan, >>>>> Yes, I think it is an intentional effort to process multiple >>>>> applications simultaneously. As I was moving CA applicants through the >>>>> queue these two just seemed to both be ready at about the same time. It >>>>> was >>>>> more efficient for me to handle these two at once. Note that we also have >>>>> Asseco/Certum with public discussion closing next week (4/14/2021). I'll >>>>> repost that to this list right now so that there is continuity on this >>>>> list. Let's see how this goes. If it presents a problem, then we can >>>>> adjust. >>>>> Ben >>>>> >>>>> On Wed, Apr 7, 2021 at 1:01 PM Ryan Sleevi <[email protected]> wrote: >>>>> >>>>>> >>>>>> >>>>>> On Wed, Apr 7, 2021 at 2:49 PM Ben Wilson <[email protected]> wrote: >>>>>> >>>>>>> This is to announce the beginning of the public discussion phase of >>>>>>> the Mozilla root CA inclusion process for iTrusChina’s vTrus Root CA and >>>>>>> its vTrus ECC Root CA. See >>>>>>> https://wiki.mozilla.org/CA/Application_Process#Process_Overview, >>>>>>> (Steps 4 through 9). >>>>>>> >>>>>>> These Root CAs are operated by iTrusChina Co., Ltd. >>>>>>> >>>>>>> This current CA inclusion application has been tracked in the CCADB >>>>>>> and in Bugzilla– >>>>>>> >>>>>>> >>>>>>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000431 >>>>>>> >>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1554846 >>>>>>> >>>>>>> These new root CA certificates are valid from 2018 to 2043, and they >>>>>>> are proposed for inclusion with the websites bit and EV enabled. >>>>>>> >>>>>>> Mozilla is considering approving iTrusChina’s request. This email >>>>>>> begins the 3-week comment period, after which, if no concerns are >>>>>>> raised, >>>>>>> we will close the discussion and the request may proceed to the approval >>>>>>> phase (Step 10). >>>>>>> >>>>>>> *Root Certificate Information:* >>>>>>> >>>>>>> *vTrus Root CA *(RSA) >>>>>>> >>>>>>> crt.sh - >>>>>>> >>>>>>> https://crt.sh/?q=8A71DE6559336F426C26E53880D00D88A18DA4C6A91F0DCB6194E206C5C96387 >>>>>>> >>>>>>> Download – >>>>>>> >>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusRootCA.cer >>>>>>> >>>>>>> *vTrus ECC Root CA *(ECC) >>>>>>> >>>>>>> crt.sh – >>>>>>> >>>>>>> >>>>>>> https://crt.sh/?q=30FBBA2C32238E2A98547AF97931E550428B9B3F1C8EEB6633DCFA86C5B27DD3 >>>>>>> >>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusECCRootCA.cer >>>>>>> >>>>>>> *CP/CPS:* >>>>>>> >>>>>>> iTrusChina’s current CPS is v.1.4.4 / Dec. 19, 2020 >>>>>>> >>>>>>> https://www.itrus.com.cn/uploads/soft/201223/2-201223110436.pdf >>>>>>> >>>>>>> Repository location: >>>>>>> >>>>>>> https://www.itrus.com.cn/repository >>>>>>> >>>>>>> *iTrusChina's 2021 BR Self-Assessment* (PDF) is located here: >>>>>>> >>>>>>> https://bugzilla.mozilla.org/attachment.cgi?id=9209938 >>>>>>> >>>>>>> *Audits:* >>>>>>> >>>>>>> iTrusChina’s WebTrust auditor is PricewaterhouseCoopers Zhong Tian >>>>>>> LLP, and the most recent audit reports are dated March 24, 2021. These >>>>>>> audit reports may be downloaded by clicking on the WebTrust seals at the >>>>>>> bottom of iTrusChina’s repository page >>>>>>> <https://www.itrus.com.cn/repository/>. >>>>>>> >>>>>>> *Incidents: * >>>>>>> >>>>>>> I was not able to find any incidents involving iTrusChina, no >>>>>>> misissuances were found under the iTrusChina root CAs, and the issuing >>>>>>> CAs >>>>>>> appeared to be properly formatted. >>>>>>> >>>>>>> Thus, this email begins a three-week public discussion period, which >>>>>>> I’m scheduling to close on or about 30-April-2021. >>>>>>> >>>>>>> A representative of iTrusChina must promptly respond directly in the >>>>>>> discussion thread to all questions that are posted. >>>>>>> >>>>>> >>>>>> Ben, >>>>>> >>>>>> I'm not used to parallel discussions for adding CAs. May I request >>>>>> that you put this discussion on hold until the conclusion of TunTrust? Or >>>>>> is this an intentional attempt to parallelize more, despite the limited >>>>>> resources? >>>>>> >>>>> -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaY2XeP1gLh9XrtrS9pMbHdn%2By_m4uHeb6o6W6drdxpO6A%40mail.gmail.com.
