Hi Everyone,

I would like to provide an update regarding our plan that Hongkong Post
Certification Authority will model Let’s Encrypt in extending the
compatibility of old Android devices for Hong Kong mobile users to access
local websites using TLS server certificates issued under our new Hongkong
Post Root CA3 Certificate ("Root CA3"), upon expiry of Root CA1 in May 2023.

Several of our major subscribers of public services have recently completed
research among mobile device users in Hong Kong.  It revealed that usage of
old Android devices of version 10 or below (not yet pre-loaded with Root
CA3) could drop to below 5% of Hong Kong mobile users only after at least
6 years, taking into account that low-income families would slowly
replace their old mobile devices.

In order to minimize the impact of accessibility of local websites using
our TLS server certificates by Hong Kong mobile device users to a
manageable level, we consider issuing the new cross-certificate signed by
Root CA1 extended by a longer transition period of 6 years or more (instead
of 3 years to May 2026). Taking into account that during the transition
period, the security strength would not be affected along our existing
certificate chain of trust. We have re-confirmed with our auditor to ensure
that our revised plan has no compliance concerns.

Due to time urgency, we will create the new cross-certificate accordingly
towards late July 2022, and then I'll register it on the CCADB.

Please share any views that could make the above plan more well-prepared.

Thank you,
Man Ho
Hongkong Post Certification Authority, Certizen

On Fri, Jul 1, 2022 at 11:27 PM Man Ho <[email protected]> wrote:

> Hi Everyone,
>
> I'm writing to invite views from members of this group on a plan for new
> cross-certificate that could extend Android device compatibility for TLS
> server certificates of Hongkong Post Certification Authority.
>
> For over 19 years, Hongkong Post Certification Authority has been issuing
> TLS server certificates to local organizations for deployment in websites
> of Hong Kong.  Since 2019, all TLS server certificates have been
> rolled-over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to
> replace the old Root CA1 which is due for expiry in May 2023.  We have also
> implemented a cross-certificate signed by the old Root CA1, valid from Aug
> 2017 to May 2023 in enabling end-users of Hong Kong who are using old
> versions of desktop/mobile devices pre-loaded with the old Root CA1 only to
> access local websites using TLS server certificates issued under Root CA3.
> In April 2022, we published via our news announcement
> (https://www.ecert.gov.hk/news/press/95.html) the inclusion of Root CA3
> approved by various root programs, including Google to accept Root CA3 into
> Chrome browsers starting from Android version 11.
>
> However, it is foreseeable that upon the expiry of the old Root CA1 in May
> 2023, there will be significant impact for Hong Kong end-users to access
> local websites using TLS server certificates issued under Root CA3, as
> there are still a substantial number of Hong Kong residents using Android
> version 10 or below, not yet pre-loaded with Root CA3.  Therefore, we plan
> to model the previous practice of "Let's Encrypt
> <https://letsencrypt.org/2020/12/21/extending-android-compatibility.html>"
> in managing similar expiry of its Root Certificate in 2021 in order to
> minimize the impact of accessibility of local websites governed under Root
> CA3 by old Android device users arising from the expiry of Root CA1.  As
> such, we will issue a new cross-certificate signed by Root CA1 extended by
> 3 years to May 2026 in replacing the old cross-certificate, with a view to
> giving a transition period of 3 years for retirement of old Android devices
> among the end-user population in Hong Kong.  The new cross-certificate is
> only aimed for building trust of website accessibility by Android users and
> no other certificates will be issued by it.   Besides, the planned
> arrangement should bear little implication to global Internet users as all
> TLS server certificates are mainly deployed for websites of Hong Kong.
>
> We have discussed with our auditor (who are helping us with the annual
> assessment of WebTrust Seal) to ensure that our plan has no compliance concern.
>
> Due to time urgency, we target to issue the new cross-certificate in
> mid-July 2022 and then I'll register it on the CCADB.
>
> Your views, if any, to make the plan more well-prepared are highly
> appreciated.
>
> Thank you,
> Man Ho
> Hongkong Post Certification Authority, Certizen