Hi Ben,

We added a document on our budget 2018-2021.

attachment.cgi (bug1554846.bmoattachments.org)
<https://bug1554846.bmoattachments.org/attachment.cgi?id=9236778>

Regards,
vTrus Team

On Friday, August 13, 2021 at 2:17:48 AM UTC+8, <[email protected]> wrote:
> All,
>
> Here is my summary of iTrusChina's value justification. Please provide any
> clarifications or additional comments you may have.
>
> *Ownership-Management Structure*
>
> iTrusChina (iTC) was established in 2000 as the Beijing Tianwei Chengxin
> Electronic Commerce Service Co., Ltd.
> (https://m.itrus.com.cn/about/history/). It was approved by the Chinese
> Ministry of Industry and Information Technology and State Cryptography
> Administration. The company is owned by four natural persons and one
> partnership. Here is what I have been able to glean about the governance
> structure from iTC's value justification -
> https://bugzilla.mozilla.org/attachment.cgi?id=9229617:
>
> Board of Directors
>   |
> Security Policy Administration Committee
>   |
>   +-- Compliance
>   +-- R&D
>   +-- Authentication
>   +-- Business
>   +-- O&M
>   +-- Product Dept.
>
> The Security Policy Administration Committee (SPAC) is the lead department
> for security and compliance issues, and is responsible for the overall
> coordination of iTC's internal resources. It determines priorities for
> the product and R&D departments and reviews and approves rectification
> results. The SPAC conducts two-person review of all operations performed by
> the operating team.
>
> *User Base*
>
> iTC users account for more than half of the Chinese market of personal and
> corporate certificates (480 million). Main customers are Alibaba, Tencent,
> JD.com, Industrial and Commercial Bank of China, Bank of China, and China
> Construction Bank.
>
> *Finances - Budgeting*
>
> iTC originally invested $3.09 million in 2001. It invested 2 million yuan
> in 2017 for WebTrust audits and compliance transformations of its
> facilities. Continuous investment in fixed assets and operating expenses is
> about US$310,000 per year.
>
> iTC's compliance budget includes personnel costs, audit costs,
> infrastructure construction and renovation costs, and is determined
> annually based on factors such as risk assessment, audit status, and
> software improvement plans for R&D.
>
> With the increase in the number of certificates issued each year, iTC will
> increase the investment in compliance each year, including the investment
> budget for the training of personnel familiar with CABF and IETF standards
> and legal-related training. When faced with compliance issues, if the
> overall budget set at the beginning of the year is exceeded, it will be
> approved by the board.
>
> Personnel Expense (R&D/O&M/security/verification/customer
> service/compliance teams)
>
>   2018     2019     2020     2021 (5 months)
>   $0.83M   $1.07M   $1.17M   $0.68M
>
> The R&D team consists of 66 people (incl. 18 for CA system development, 3 for
> testing, and 6 for WebTrust business and authentication system development).
>
> *CA System and System Development*
>
> iTC operates a fully self-developed CA software system with a replica test
> environment for development and testing to ensure compliance. iTC's CA
> system is designed based on CA/Browser Forum requirements and the RFCs and
> conforms to the Specification of cryptograph and related security
> technology for certificate authentication systems of the National
> Cryptographic Standards Committee of China (GB/T 25056-2018 Information
> Security Technology) and "GM/T 0037-2014 Certificate authority system test
> specification".
>
> iTC designs product and system changes in accordance with privacy,
> security, and compliance requirements. iTC uses an agile (scrum)
> development process. Each iteration cycle is generally 1-4 weeks.
>
> *Compliance Team and Personnel*
>
> iTC's Compliance team follows domestic and foreign compliance standards
> and specifications, and regularly updates internal documentation. There are
> two bilingual persons who follow changes in the CA industry requirements on
> a daily basis. The compliance team summarizes Bugzilla CA incidents
> quarterly and circulates an industry dynamic tracking report to relevant
> personnel every month. iTC conducts self-inspections and trains personnel
> to avoid similar errors. Going forward, iTC will train more compliance
> personnel and conduct more regular training for team members of the
> authentication, R&D, and business departments.
>
> iTC has 20 years of risk compliance experience and personnel with
> comparable management experience and appears to have a sufficient number of
> key personnel familiar with CABF and IETF standards.
>
> *Authentication Team*
>
> This team conducts monthly training on authentication procedures and
> industry standards, and conducts compliance audits on internal documents,
> certificate issuance and revocation records on a monthly basis.
>
> *R&D Team*
>
> This team integrates lint tests in the CA system for certificate issuance
> compliance inspection. The R&D team inspects the CA system at design level and
> performs unit testing and examines results of other testing processes.
>
> *Operation Team*
>
> This team operates and monitors the availability of all CA-related
> services.
>
> *Monitoring and Alerting*
>
> iTC has continuous automatic monitoring to detect and alert on any changes
> to the CA/RA system, and it responds to and solves the problem within 24
> hours after receiving the alert. iTC uses three kinds of lint tests: zlint,
> certlint, x509lint. iTC conducts automatic inspection of CAA, blacklist,
> and high-risk list before the issuance of the certificate. The fortress
> machine records operations, and operation records are reviewed on a monthly
> basis.
>
> *Logs and backups*
>
> iTC logs/backs up:
>
> 1. Any CA operation and maintenance process in a bastion machine log. The
> log server backs up and archives every day and saves 2 backups, 1 remote
> backup, and 1 different device backup.
>
> 2. All business logs of CA, RA, etc. are backed up to the log server in
> real time.
>
> 3. Regular CRL generation.
>
> *Compliance Incidents*
>
> When a compliance incident occurs, the compliance team coordinates with
> the relevant business personnel to quickly initiate the investigation
> process within 24 hours and submit a problem report to Mozilla. The
> certificate that needs to be revoked after the investigation will be
> revoked within 24 hours after the incident.
>
> *Vulnerability Assessments*
>
> iTC conducts a vulnerability scan of the CA system every 3 months and a
> penetration test every year. Based on audit results, iTC also conducts
> vulnerability assessments of the system, physical site, and operation
> management, and takes measures to reduce operational risks.
>
> *Risk Assessment*
>
> iTC's annual risk assessment is carried out by the operation and
> maintenance, product, development, and compliance teams. All internal and
> external audits include risk assessments. iTC's risk control refers to BR
> Chapter 5, including physical control, program control, personnel control,
> audit log program and other dimensions, and meets the WT audit
> requirements. iTC also follows the Chinese Ministry of Industry and
> Information Technology and the State Cryptography Administration's
> formulated risk assessment and inspection standards.
>
> The Risk Control Team rates the risks, evaluates the impact on the business,
> and after the approval of the Security Policy Administration Committee,
> decides whether to undertake the risk and formulates a corresponding
> commitment plan.
>
> *Audits*
>
> The internal control team conducts WebTrust internal audits on a quarterly
> basis. External audits include:
>
> · WebTrust audit by PwC
> · ISO9001
> · ISO27001
>
> After reviewing iTrusChina's value justification, I would like to examine
> the compliance aspects of its budget a little closer, and I am wondering
> whether iTrusChina can provide something similar (or better) to that
> provided by TunTrust? See
> https://bugzilla.mozilla.org/attachment.cgi?id=9228562
>
> Sincerely yours,
>
> Ben
>
> On Tue, Aug 10, 2021 at 9:20 AM Ben Wilson <[email protected]> wrote:
>
>> All,
>> Are there any additional comments?
>> Thanks,
>> Ben
>>
>> On Sun, Jul 4, 2021 at 7:11 PM yutian zheng <[email protected]> wrote:
>>
>>> Hi All,
>>>
>>> iTrusChina submitted a document to answer a series of questions in
>>> Quantifying Value:
>>>
>>> attachment.cgi (bug1554846.bmoattachments.org)
>>> <https://bug1554846.bmoattachments.org/attachment.cgi?id=9229617>
>>>
>>> Regards,
>>> vTrus team
>>>
>>> On Wednesday, April 21, 2021 at 2:19:41 AM UTC+8, <[email protected]> wrote:
>>>
>>>> Hi Ryan,
>>>> Kathleen and I discussed iTrusChina's and TunTrust's root inclusion
>>>> applications this morning and agreed that we should extend the public
>>>> discussion period and leave them open for discussion beyond April 30th.
>>>> Meanwhile, I will work on follow-up questions for them regarding their
>>>> added value to users vs. added risk.
>>>> Thanks,
>>>> Ben
>>>>
>>>> On Wed, Apr 7, 2021 at 1:52 PM Ryan Sleevi <[email protected]> wrote:
>>>>
>>>>> Thanks for clarifying.
>>>>>
>>>>> In a personal capacity, while I can understand that Mozilla may have
>>>>> reached a level of confidence that they can handle processing these
>>>>> requests in parallel, I don't believe it's reasonable to expect the same of
>>>>> the community, since these public discussions may be the first time a
>>>>> number of members of the community are examining CAs in depth. This
>>>>> practically impacts both the quality and depth of review, as it effectively
>>>>> requires the community to make larger and larger time commitments to handle
>>>>> all such reviews, or reduces the amount of time and effort focused on an
>>>>> individual CA.
>>>>>
>>>>> Wearing a Google hat, honestly, I don't think we'll be able to offer
>>>>> feedback here for both CAs in a parallel (time-gated) review. We'll examine
>>>>> the available data to help prioritize against our own stated policies, but
>>>>> I think realistically, we may request that the CA that does not align most
>>>>> with the priorities undergoes an additional public discussion when we're
>>>>> ready to proceed. We see significant risk to our users from trying to
>>>>> include CAs too quickly, and so want to make sure as much as possible that
>>>>> all CAs receive the same level of attention and thoroughness by dedicating
>>>>> specific time to focus on just a single CA.
>>>>>
>>>>> It's an entirely reasonable goal, but the effect of running these in
>>>>> parallel does not mean both CAs undergo three weeks of review; it means
>>>>> both CAs undergo a week and a half, or less, since these processes do not
>>>>> linearly scale, nor should they.
>>>>>
>>>>> On Wed, Apr 7, 2021 at 3:39 PM Ben Wilson <[email protected]> wrote:
>>>>>
>>>>>> Ryan,
>>>>>> Yes, I think it is an intentional effort to process multiple
>>>>>> applications simultaneously. As I was moving CA applicants through the
>>>>>> queue these two just seemed to both be ready at about the same time. It was
>>>>>> more efficient for me to handle these two at once. Note that we also have
>>>>>> Asseco/Certum with public discussion closing next week (4/14/2021). I'll
>>>>>> repost that to this list right now so that there is continuity on this
>>>>>> list. Let's see how this goes. If it presents a problem, then we can
>>>>>> adjust.
>>>>>> Ben
>>>>>>
>>>>>> On Wed, Apr 7, 2021 at 1:01 PM Ryan Sleevi <[email protected]> wrote:
>>>>>>
>>>>>>> On Wed, Apr 7, 2021 at 2:49 PM Ben Wilson <[email protected]> wrote:
>>>>>>>
>>>>>>>> This is to announce the beginning of the public discussion phase of
>>>>>>>> the Mozilla root CA inclusion process for iTrusChina's vTrus Root CA and
>>>>>>>> its vTrus ECC Root CA. See
>>>>>>>> https://wiki.mozilla.org/CA/Application_Process#Process_Overview
>>>>>>>> (Steps 4 through 9).
>>>>>>>>
>>>>>>>> These Root CAs are operated by iTrusChina Co., Ltd.
>>>>>>>>
>>>>>>>> This current CA inclusion application has been tracked in the CCADB
>>>>>>>> and in Bugzilla:
>>>>>>>>
>>>>>>>> https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000431
>>>>>>>>
>>>>>>>> https://bugzilla.mozilla.org/show_bug.cgi?id=1554846
>>>>>>>>
>>>>>>>> These new root CA certificates are valid from 2018 to 2043, and
>>>>>>>> they are proposed for inclusion with the websites bit and EV enabled.
>>>>>>>>
>>>>>>>> Mozilla is considering approving iTrusChina's request. This email
>>>>>>>> begins the 3-week comment period, after which, if no concerns are raised,
>>>>>>>> we will close the discussion and the request may proceed to the approval
>>>>>>>> phase (Step 10).
>>>>>>>>
>>>>>>>> *Root Certificate Information:*
>>>>>>>>
>>>>>>>> *vTrus Root CA* (RSA)
>>>>>>>>
>>>>>>>> crt.sh -
>>>>>>>> https://crt.sh/?q=8A71DE6559336F426C26E53880D00D88A18DA4C6A91F0DCB6194E206C5C96387
>>>>>>>>
>>>>>>>> Download -
>>>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusRootCA.cer
>>>>>>>>
>>>>>>>> *vTrus ECC Root CA* (ECC)
>>>>>>>>
>>>>>>>> crt.sh -
>>>>>>>> https://crt.sh/?q=30FBBA2C32238E2A98547AF97931E550428B9B3F1C8EEB6633DCFA86C5B27DD3
>>>>>>>>
>>>>>>>> http://wtca-cafiles.itrus.com.cn/ca/vTrusECCRootCA.cer
>>>>>>>>
>>>>>>>> *CP/CPS:*
>>>>>>>>
>>>>>>>> iTrusChina's current CPS is v.1.4.4 / Dec. 19, 2020
>>>>>>>> https://www.itrus.com.cn/uploads/soft/201223/2-201223110436.pdf
>>>>>>>>
>>>>>>>> Repository location:
>>>>>>>> https://www.itrus.com.cn/repository
>>>>>>>>
>>>>>>>> *iTrusChina's 2021 BR Self-Assessment* (PDF) is located here:
>>>>>>>> https://bugzilla.mozilla.org/attachment.cgi?id=9209938
>>>>>>>>
>>>>>>>> *Audits:*
>>>>>>>>
>>>>>>>> iTrusChina's WebTrust auditor is PricewaterhouseCoopers Zhong Tian
>>>>>>>> LLP, and the most recent audit reports are dated March 24, 2021. These
>>>>>>>> audit reports may be downloaded by clicking on the WebTrust seals at the
>>>>>>>> bottom of iTrusChina's repository page
>>>>>>>> <https://www.itrus.com.cn/repository/>.
>>>>>>>>
>>>>>>>> *Incidents:*
>>>>>>>>
>>>>>>>> I was not able to find any incidents involving iTrusChina, no
>>>>>>>> misissuances were found under the iTrusChina root CAs, and the issuing CAs
>>>>>>>> appeared to be properly formatted.
>>>>>>>>
>>>>>>>> Thus, this email begins a three-week public discussion period,
>>>>>>>> which I'm scheduling to close on or about 30-April-2021.
>>>>>>>>
>>>>>>>> A representative of iTrusChina must promptly respond directly in
>>>>>>>> the discussion thread to all questions that are posted.
>>>>>>>>
>>>>>>>
>>>>>>> Ben,
>>>>>>>
>>>>>>> I'm not used to parallel discussions for adding CAs. May I request
>>>>>>> that you put this discussion on hold until the conclusion of TunTrust? Or
>>>>>>> is this an intentional attempt to parallelize more, despite the limited
>>>>>>> resources?
