Thanks.

Q: What prevents this from being merged in the future?

Ans: The technical requirements of the two certificate management systems are different now and cannot be merged for operations. The HSMs with the domestic certificate management system have to fulfill domestic technical requirements from the authority and they are not compatible with the HSMs used for the global certificate management system. On the other hand, the HSMs used in the global certificate management system cannot be used in the domestic certificate system because the FIPS-certified key management scheme is not recognized by the authority to be used in the domestic certificate management system. It will be technically difficult to merge the two key management schemes for CA operations. As we know for now, there is no HSM product which can fulfill the technical requirements for both the domestic and global markets.

Q: What prevents the CEO from making changes that result in for example the Root Certificate Authority being placed under the other entity in the future? Is there a public transparency resource where e.g. BJCA.cn will publish data as changes happen?

Ans: BJCA is a company listed on the Chinese stock market and follows capital market regulatory requirements. Major organizational changes such as shareholders or CEO have to be disclosed and carried out in compliance with the legal requirements. For major changes such as ownership or operation responsibility of the CA company, they need to be reported to the board of directors for company governance for deliberation and decision-making. It will be a major breach of company governance rules in case the CEO does not fulfill his responsibility and will then be disclosed by routine external audits of the company.

On Saturday, January 28, 2023 at 11:34:00 UTC+8, <[email protected]> wrote:

> On Thu, Jan 26, 2023 at 5:18 PM BJCA <[email protected]> wrote:
>
>> Thanks. Happy New Year. Sorry, the Spring Festival holiday delayed some
>> time.
>>
>> BJCA separates and operates two independent certification systems in the
>> following aspects:
>> 1. Certification Practice Statement
>> i. Global Certification system CPS
>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E5%85%A8%E7%90%83%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%20Beijing%20Certificate%20Authority%20Co.,%20Ltd.%20Global%20Certification%20Practice%20Statement.pdf>
>> ii. Domestic Certification system CPS
>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99.pdf>
>>
>> 2. The two independent certification management systems are operated
>> within its own segmented networks and resources such as cabinets, server
>> hardware, operating system environments and HSMs are independent and not
>> shared.
>>
>
> What prevents this from being merged in the future?
>
>
>> 3. A Policy Management Authority (PMA) within the company is responsible
>> for monitoring the operations of the two certification management systems.
>> The CEO of the company is the chief of the PMA now. All members of the PMA
>> are employees of the company.
>
>
> What prevents the CEO from making changes that result in for example the
> Root Certificate Authority being placed under the other entity in the
> future? Is there a public transparency resource where e.g. BJCA.cn will
> publish data as changes happen?
>
>> 4. The operation team members have to be approved by the PMA and trained
>> for qualification before being enlisted in the trusted-role list of the
>> Global Certification Management System to get into regular operation
>> activities. Physical and logical access privileges for Global
>> Certification Management System are issued following the roles of
>> operations in the trusted-role list. All members of the operation team are
>> full-time employees working for the company.
>>
>> 5. Automated monitoring system which detects unauthorized changes to
>> critical files or sends alerts for security events has been implemented.
>>
>> 6. Automation has been implemented on the global certification system for
>> checking, such as linting tools certlint, x509lint and zlint.
>>
>> 7. In order to maintain compliance, BJCA has built up ISO 27001 ISMS as
>> the foundation of its management and got certified. BJCA conducts regular
>> internal audits and risk assessments following its ISMS management system
>> requirements. BJCA also accepts external audits for the two independent
>> certification management systems:
>> i. The global certification system: WebTrust.
>> ii. The domestic certification system: regular audit of the authority
>> department of the government to maintain its certification service license.
>>
>> On Friday, January 27, 2023 at 01:03:56 UTC+8, <[email protected]> wrote:
>>
>>> I have added BJCA's email addresses, including "[email protected]", to
>>> the list with posting privileges. Hopefully this will enable some responses.
>>> Thanks,
>>> Ben
>>>
>>> On Thu, Jan 26, 2023 at 9:00 AM Ben Wilson <[email protected]> wrote:
>>>
>>>> From BJCA -
>>>> Hi Ben,
>>>> When we reply to the forum through our gmail account, we are prompted
>>>> that we have no permission. This gmail address ([email protected])
>>>> represents BJCA, please help to add permissions so that we can participate
>>>> in the discussion, thank you.
>>>>
>>>> [email protected]
>>>> ------------------------
>>>> I'll see what I can do to get this straightened out.
>>>> Ben
>>>>
>>>> On Wed, Jan 25, 2023 at 7:06 PM Kurt Seifried <[email protected]>
>>>> wrote:
>>>>
>>>>> Is BJCA.cn still on this list? If we've only got 3 weeks (21 days) and
>>>>> they take 2+ days to answer we're going to run out of time pretty
>>>>> quickly.
>>>>>
>>>>> On Mon, Jan 23, 2023 at 6:11 PM Kurt Seifried <[email protected]>
>>>>> wrote:
>>>>>
>>>>>> This seems to mostly depend upon BJCA.cn disclosing information to
>>>>>> us. Information we have asked for in the past but been told is
>>>>>> "confidential" and so on.
>>>>>>
>>>>>> So with this in mind: BJCA.cn: can you please explain how your
>>>>>> company is structured to prevent subversion of the root certificate
>>>>>> authority? E.g. technical measures can be circumvented trivially if the
>>>>>> people running them are told to do so (and if they don't they can be
>>>>>> replaced with people that will).
>>>>>>
>>>>>> On Mon, Jan 23, 2023 at 4:57 PM Ben Wilson <[email protected]>
>>>>>> wrote:
>>>>>>
>>>>>>> All,
>>>>>>>
>>>>>>> We recently concluded a six-week public discussion on the CCADB
>>>>>>> Public list for the root inclusion request of Beijing CA (BJCA),
>>>>>>> https://groups.google.com/a/ccadb.org/g/public/c/o9lbCbr92Ug/m/lPkqrHF1DQAJ.
>>>>>>> This email is to announce a continued 3-week discussion of BJCA’s
>>>>>>> inclusion application to be held on this list. The reason for this
>>>>>>> continued discussion is that we need to gather more information to
>>>>>>> better understand BJCA’s operational and management controls and the
>>>>>>> One Pass software (among any other issues that might be raised during
>>>>>>> this continued discussion).
>>>>>>>
>>>>>>> The current state of our understanding is summarized in the post
>>>>>>> referenced in the link above. That is, BJCA operates two different
>>>>>>> infrastructures, one that meets the needs of its national government
>>>>>>> and another that aims to meet the needs of the global public. Also,
>>>>>>> according to BJCA, the One Pass software was mislabelled as spyware.
>>>>>>>
>>>>>>> There hasn’t been enough evidence yet to make conclusions about
>>>>>>> these two questions–how is management and operation of the two
>>>>>>> infrastructures separated, given that they both are part of the same
>>>>>>> company, and did the Beijing One Pass software have any components that
>>>>>>> would be considered spyware? I would expect that BJCA might want to
>>>>>>> respond initially to these questions, even if they believe that they
>>>>>>> have answered them adequately in the past.
>>>>>>>
>>>>>>> We need fact-based discourse that answers these questions.
>>>>>>>
>>>>>>> In addition to these questions, does anyone have examples of other
>>>>>>> conduct by BJCA or insights into its practices? Can anyone provide more
>>>>>>> information about BJCA’s information security practices, compliance
>>>>>>> with international standards, or performance under other metrics that
>>>>>>> will help determine its future conduct, were it to become a publicly
>>>>>>> trusted CA?
>>>>>>>
>>>>>>> I’d like to continue this discussion through Monday, February 13,
>>>>>>> 2023. As with the public discussion held on CCADB Public, please reply
>>>>>>> directly in this discussion thread with thoughtful and constructive
>>>>>>> comments, and a representative of BJCA must respond here to all
>>>>>>> questions or issues that are raised.
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> Ben
>>>>>>>
>>>>>>> --
>>>>>>> You received this message because you are subscribed to the Google
>>>>>>> Groups "[email protected]" group.
>>>>>>> To unsubscribe from this group and stop receiving emails from it,
>>>>>>> send an email to [email protected].
>>>>>>> To view this discussion on the web visit
>>>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com
>>>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com?utm_medium=email&utm_source=footer>
>>>>>>> .
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Kurt Seifried (He/Him)
>>>>>> [email protected]
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Kurt Seifried (He/Him)
>>>>> [email protected]
>>>>>
>
>
> --
> Kurt Seifried (He/Him)
> [email protected]
