Hi Everyone,

FYI, we created the cross-certificate yesterday, 27 July 2022. And I've 
registered it on the CCADB. The new cross-certificate is currently under 
internal evaluation for Android device compatibility, so it is not yet 
published for use by our subscribers.

Cheers,
Man

On Thursday, July 14, 2022 at 9:40:44 PM UTC+8 Man Ho wrote:

> Hi Everyone,
>
> I would like to provide an update regarding our plan that Hongkong Post 
> Certification Authority will model Let’s Encrypt in extending the 
> compatibility of old Android devices for Hong Kong mobile users to access 
> local websites using TLS server certificates issued under our new Hongkong 
> Post Root CA3 Certificate ("Root CA3"), upon expiry of Root CA1 in May 2023.
>
> Several of our major subscribers of public services have recently completed 
> research among mobile device users in Hong Kong.  It revealed that usage of 
> the old Android devices version 10 or below (not yet pre-loaded with Root 
> CA3) could only drop to below 5% for the Hong Kong mobile users at least 
> after 6 years, taking into account that low-income families would slowly 
> replace their old mobile devices. 
>
> In order to minimize the impact of accessibility of local websites using 
> our TLS server certificates by Hong Kong mobile device users to a 
> manageable level, we consider issuing the new cross-certificate signed by 
> Root CA1 extended by a longer transition period of 6 years or more (instead 
> of 3 years to May 2026). Taking into account that during the transition 
> period, the security strength would not be affected along our existing 
> certificate chain of trust. We have re-confirmed with our auditor to ensure 
> our revised plan has no compliance concerns. 
>
> Due to time urgency, we will create the new cross-certificate accordingly 
> towards late July 2022, and then I'll register it on the CCADB.   
>
> Please let us know if you have any views to make the above plan more 
> well-prepared.
>
>
> Thank you, 
> Man Ho 
> Hongkong Post Certification Authority, Certizen 
>
> On Fri, Jul 1, 2022 at 11:27 PM Man Ho <[email protected]> wrote:
>
>> Hi Everyone,
>>
>> I'm writing to invite views from members of this group on a plan for new 
>> cross-certificate that could extend Android device compatibility for TLS 
>> server certificates of Hongkong Post Certification Authority.
>>
>> For over 19 years, Hongkong Post Certification Authority has been issuing 
>> TLS server certificates to local organizations for deployment in websites 
>> of Hong Kong.  Since 2019, all TLS server certificates have been 
>> rolled-over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to 
>> replace the old Root CA1 which is due for expiry in May 2023.  We have also 
>> implemented a cross-certificate signed by the old Root CA1, valid from Aug 
>> 2017 to May 2023 in enabling end-users of Hong Kong who are using old 
>> versions of desktop/mobile devices pre-loaded with the old Root CA1 only to 
>> access local websites using TLS server certificates issued under Root CA3. 
>> In April 2022, we have published via our news announcement 
>> (https://www.ecert.gov.hk/news/press/95.html) the inclusion of Root CA3 
>> approved by various root programs, including Google to accept Root CA3 into 
>> Chrome browsers starting from Android version 11.
>>
>> However, it is foreseeable that upon the expiry of the old Root CA1 in 
>> May 2023, there will be significant impact for Hong Kong end-users to 
>> access local websites using TLS server certificates issued under Root CA3, 
>> as there is still a substantial number of Hong Kong residents using Android 
>> version 10 or below, not yet pre-loaded with Root CA3.  Therefore, we plan 
>> to model the previous practice of "Let's Encrypt 
>> <https://letsencrypt.org/2020/12/21/extending-android-compatibility.html>" 
>> in managing similar expiry of its Root Certificate in 2021 in order to 
>> minimize the impact of accessibility of local websites governed under Root 
>> CA3 by old Android device users arising from the expiry of Root CA1.  As 
>> such, we will issue a new cross-certificate signed by Root CA1 extended by 
>> 3 years to May 2026 in replacing the old cross-certificate, with a view to 
>> giving a transition period of 3 years for retirement of old Android devices 
>> among the end-user population in Hong Kong.  The new cross-certificate is 
>> only aimed for building trust of website accessibility by Android users and 
>> no other certificates will be issued by it.   Besides, the planned 
>> arrangement should bear little implication to global Internet users as all 
>> TLS server certificates are mainly deployed for websites of Hong Kong. 
>>
>> We have discussed with our auditor (who is helping us with the annual 
>> assessment of WebTrust Seal) to ensure our plan has no compliance concerns.
>>
>> Due to time urgency, we target to issue the new cross-certificate in 
>> mid-July 2022 and then I'll register it on the CCADB.  
>>
>> Your views, if any, to make the plan more well-prepared are highly 
>> appreciated.
>>
>> Thank you,
>> Man Ho
>> Hongkong Post Certification Authority, Certizen
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "[email protected]" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to [email protected].
>> To view this discussion on the web visit 
>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d6f8c327-50c4-4582-bb41-5bb7e33fc4f9n%40mozilla.org
>>
>
