Hi Everyone,
I'm writing to invite views from members of this group on a plan for a new
cross-certificate that could extend Android device compatibility for TLS
server certificates of Hongkong Post Certification Authority.
For over 19 years, Hongkong Post Certification Authority has been issuing
TLS server certificates to local organizations for deployment in websites
of Hong Kong. Since 2019, all TLS server certificates have been
rolled-over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to
replace the old Root CA1 which is due for expiry in May 2023. We have also
implemented a cross-certificate signed by the old Root CA1, valid from Aug
2017 to May 2023, to enable end-users of Hong Kong who are using old
versions of desktop/mobile devices pre-loaded with the old Root CA1 only to
access local websites using TLS server certificates issued under Root CA3.
In April 2022, we published via our news announcement
(https://www.ecert.gov.hk/news/press/95.html) the inclusion of Root CA3
approved by various root programs, including Google to accept Root CA3 into
Chrome browsers starting from Android version 11.
However, it is foreseeable that upon the expiry of the old Root CA1 in May
2023, there will be a significant impact for Hong Kong end-users to access
local websites using TLS server certificates issued under Root CA3, as
there is still a substantial number of Hong Kong residents using Android
version 10 or below, not yet pre-loaded with Root CA3. Therefore, we plan
to model the previous practice of "Let's Encrypt
<https://letsencrypt.org/2020/12/21/extending-android-compatibility.html>"
in managing similar expiry of its Root Certificate in 2021 in order to
minimize the impact of accessibility of local websites governed under Root
CA3 by old Android device users arising from the expiry of Root CA1. As
such, we will issue a new cross-certificate signed by Root CA1 extended by
3 years to May 2026 in replacing the old cross-certificate, with a view to
giving a transition period of 3 years for retirement of old Android devices
among the end-user population in Hong Kong. The new cross-certificate is
only aimed for building trust of website accessibility by Android users and
no other certificates will be issued by it. Besides, the planned
arrangement should bear little implication to global Internet users as all
TLS server certificates are mainly deployed for websites of Hong Kong.
We have discussed this with our auditor (who is helping us with the annual
assessment of the WebTrust Seal) to ensure our plan has no compliance concern.
Due to time urgency, we target to issue the new cross-certificate in
mid-July 2022 and then I'll register it on the CCADB.
Your views, if any, to make the plan better prepared are highly
appreciated.
Thank you,
Man Ho
Hongkong Post Certification Authority, Certizen