All,

On January 23, 2023, we began an additional, three-week public discussion[1] to gather more information on the request from Beijing CA (BJCA) for inclusion of its two public root certificates--the BJCA Global Root CA1 and the BJCA Global Root CA2.

Summary of BJCA’s responses to questions

BJCA responded to questions about the separation of its domestic and global (publicly trusted) systems. It stated that because of its listing on the Chinese stock market, it must follow capital market regulatory requirements. Major organizational changes such as ownership, operation, or governance would need to be disclosed, reported, and carried out in compliance with such requirements, including board deliberation and decision-making. Any changes not following such procedural requirements would be a major breach of company governance rules and publicly disclosed in audit findings.

In response to questions about access to computer cabinets, BJCA responded that domestic and global systems are installed in separated cabinets located in the same secure room. Each cabinet is equipped with a padlock and numeric combination lock to prevent a single person from accessing the global and domestic cabinets alone. Access requires at least 4 persons: an authorized person giving approval (a system administrator who does not have access privileges to open cabinets); a security administrator (who holds lock combinations); and two operational personnel (who hold brass keys to padlocks).

I asked BJCA to provide a new Compliance Self Assessment[2], a copy of its ISO 27001 certificate, and responses to Mozilla’s "Root Inclusion Considerations"[3]. I found the responses satisfactory.

I also asked about the One Pass software, which installs two different root CA certificates for BJCA’s domestic PKI—the BeiJing ROOT CA and the BeiJing SM2 ROOT CA. BJCA provided a download link to its current version, as requested. That installation package and the software it installs can be examined by computer security experts, as necessary.

Regarding influence of the Chinese government on the security of operations and data, BJCA responded that if a conflict were to arise with national law it would revise its CPS as necessary, continue to follow the Baseline Requirements, and disclose the revised content in the CPS and notify root programs to discuss remediation. BJCA also responded that government agencies or officials had no access to BJCA’s servers or data—"BJCA is an independently operated enterprise, and all personnel involved in CA operations are employees of BJCA. CA system and data are protected by control methods such as two-factor authentication from unauthorized access."

This is notice that I am closing public discussion and that I am recommending that we approve BJCA’s inclusion request. This begins a 7-day "last call" period for any final objections.

Thanks,

Ben

[1] https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/loH2352Ik6E/m/_EZZWs1KAwAJ
[2] https://bugzilla.mozilla.org/attachment.cgi?id=9317746
[3] https://bugzilla.mozilla.org/attachment.cgi?id=9317754

On Fri, Feb 10, 2023 at 4:00 AM BJCA <[email protected]> wrote:

> Greetings,
>
> Hi Ben,
> Attached is the new Self Assessment according to the new template.
>
> Thanks again
>
> On Wednesday, February 1, 2023 at 04:48:31 UTC+8, Ben Wilson wrote:
>
>> Greetings,
>>
>> Thanks for your responses thus far. I have a few more questions or requests:
>>
>> 1. Please complete a new Self Assessment according to the new template (the current one is 3 years old). See https://wiki.mozilla.org/CA/Compliance_Self-Assessment#Template
>>
>> 2. Please provide a current copy of your ISO 27001 certificate.
>>
>> 3. Is version 3.6.8 of the One Pass software the current version, and from where can it be obtained or downloaded?
>>
>> 4. Where can we find customer reviews of Beijing One Pass?
>>
>> 5. Are there any Chinese regulations or laws that BJCA must comply with that could potentially affect the security of operations of the Global Certification Management System?
>>
>> 6. Are there any government agencies or officials with access to BJCA’s servers or data?
>>
>> 7. Please provide a response to the bulleted items listed here: https://wiki.mozilla.org/CA/Root_Inclusion_Considerations.
>>
>> Thanks again,
>>
>> Ben
>>
>> On Sun, Jan 29, 2023 at 11:28 PM BJCA <[email protected]> wrote:
>>
>>> Thanks.
>>> Q: In order to have access to one cabinet, how many persons may be notified?
>>> Ans: At least 4 persons: the authorized person for approval, security administrator, and the two operational staff on shift.
>>>
>>> On Sunday, January 29, 2023 at 23:26:58 UTC+8, [email protected] wrote:
>>>
>>>> In order to have access to one cabinet, how many persons may be notified?
>>>>
>>>> On Sunday, January 29, 2023 at 21:05:41 UTC+8, [email protected] wrote:
>>>>
>>>>> Thanks.
>>>>> Q: What ensures a person cannot access cabinet A from one environment and then cabinet B from a second environment? Is there physical separation of the cabinets, or are they still physically located near each other where a reasonable individual might incidentally open the wrong cabinet?
>>>>> Ans: The global and domestic systems are installed in separated cabinets located in the same secure room. Each cabinet is equipped with a padlock and numeric combination lock to prevent a single person from accessing the global and domestic cabinets alone.
>>>>> The passwords of the numeric combination locks are kept by the security administrator of the secure room. The brass keys of padlocks are kept by operational staff of the control room outside layers of secure rooms. Cabinets can be opened after authorization from the management according to the physical access requests from system administrators. System administrators do not have privileges to open the cabinets.
>>>>>
>>>>> On Sunday, January 29, 2023 at 07:25:49 UTC+8, ke ju wrote:
>>>>>
>>>>>> On Thursday, January 26, 2023 at 7:18:53 PM UTC-5 [email protected] wrote:
>>>>>> Thanks. Happy New Year. Sorry, the Spring Festival holiday delayed us for some time.
>>>>>>
>>>>>> BJCA separates and operates two independent certification systems in the following aspects:
>>>>>> 1. Certification Practice Statement
>>>>>> i. Global Certification system CPS
>>>>>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E5%85%A8%E7%90%83%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%20Beijing%20Certificate%20Authority%20Co.,%20Ltd.%20Global%20Certification%20Practice%20Statement.pdf>
>>>>>> ii. Domestic Certification system CPS
>>>>>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99.pdf>
>>>>>>
>>>>>> 2. The two independent certification management systems are operated within their own segmented networks, and resources such as cabinets, server hardware, operating system environments and HSMs are independent and not shared.
>>>>>>
>>>>>> What ensures a person cannot access cabinet A from one environment and then cabinet B from a second environment?
>>>>>>
>>>>>> Is there physical separation of the cabinets, or are they still physically located near each other where a reasonable individual might incidentally open the wrong cabinet?
>>>>>>
>>>>>> 3. A Policy Management Authority (PMA) within the company is responsible for monitoring the operations of the two certification management systems. The CEO of the company is the chief of the PMA now. All members of the PMA are employees of the company.
>>>>>>
>>>>>> 4. The operation team members have to be approved by the PMA and trained for qualification before being enlisted in the trusted-role list of the Global Certification Management System to get into regular operation activities. Physical and logical access privileges for the Global Certification Management System are issued following the roles of operations in the trusted-role list. All members of the operation team are full-time employees working for the company.
>>>>>>
>>>>>> 5. An automated monitoring system which detects unauthorized changes to critical files or sends alerts for security events has been implemented.
>>>>>>
>>>>>> 6. Automation has been implemented on the global certification system for checking, such as the linting tools certlint, x509lint and zlint.
>>>>>>
>>>>>> 7. In order to maintain compliance, BJCA has built up an ISO 27001 ISMS as the foundation of its management and got certified. BJCA conducts regular internal audits and risk assessments following its ISMS management system requirements. BJCA also accepts external audits for the two independent certification management systems:
>>>>>> i. The global certification system: WebTrust.
>>>>>> ii. The domestic certification system: regular audit of the authority department of the government to maintain its certification service license.
>>>>>>
>>>>>> On Friday, January 27, 2023 at 01:03:56 UTC+8, [email protected] wrote:
>>>>>> I have added BJCA's email addresses, including "[email protected]", to the list with posting privileges. Hopefully this will enable some responses.
>>>>>> Thanks,
>>>>>> Ben
>>>>>>
>>>>>> On Thu, Jan 26, 2023 at 9:00 AM Ben Wilson <[email protected]> wrote:
>>>>>> From BJCA -
>>>>>> Hi Ben,
>>>>>> When we reply to the forum through our gmail account, we are prompted that we have no permission. This gmail address ([email protected]) represents BJCA, please help to add permissions so that we can participate in the discussion, thank you.
>>>>>>
>>>>>> [email protected]
>>>>>> ------------------------
>>>>>> I'll see what I can do to get this straightened out.
>>>>>> Ben
>>>>>>
>>>>>> On Wed, Jan 25, 2023 at 7:06 PM Kurt Seifried <[email protected]> wrote:
>>>>>> Is BJCA.cn still on this list? If we've only got 3 weeks (21 days) and they take 2+ days to answer we're going to run out of time pretty quickly.
>>>>>>
>>>>>> On Mon, Jan 23, 2023 at 6:11 PM Kurt Seifried <[email protected]> wrote:
>>>>>> This seems to mostly depend upon BJCA.cn disclosing information to us. Information we have asked for in the past but been told is "confidential" and so on.
>>>>>>
>>>>>> So with this in mind: BJCA.cn: can you please explain how your company is structured to prevent subversion of the root certificate authority? E.g. technical measures can be circumvented trivially if the people running them are told to do so (and if they don't they can be replaced with people that will).
>>>>>>
>>>>>> On Mon, Jan 23, 2023 at 4:57 PM Ben Wilson <[email protected]> wrote:
>>>>>> All,
>>>>>>
>>>>>> We recently concluded a six-week public discussion on the CCADB Public list for the root inclusion request of Beijing CA (BJCA), https://groups.google.com/a/ccadb.org/g/public/c/o9lbCbr92Ug/m/lPkqrHF1DQAJ. This email is to announce a continued 3-week discussion of BJCA’s inclusion application to be held on this list. The reason for this continued discussion is that we need to gather more information to better understand BJCA’s operational and management controls and the One Pass software (among any other issues that might be raised during this continued discussion).
>>>>>>
>>>>>> The current state of our understanding is summarized in the post referenced in the link above. That is, BJCA operates two different infrastructures, one that meets the needs of its national government and another that aims to meet the needs of the global public. Also, according to BJCA, the One Pass software was mislabelled as spyware.
>>>>>>
>>>>>> There hasn’t been enough evidence yet to make conclusions about these two questions–how is management and operation of the two infrastructures separated, given that they both are part of the same company, and did the Beijing One Pass software have any components that would be considered spyware? I would expect that BJCA might want to respond initially to these questions, even if they believe that they have answered them adequately in the past.
>>>>>>
>>>>>> We need fact-based discourse that answers these questions.
>>>>>>
>>>>>> In addition to these questions, does anyone have examples of other conduct by BJCA or insights into its practices? Can anyone provide more information about BJCA’s information security practices, compliance with international standards, or performance under other metrics that will help determine its future conduct, were it to become a publicly trusted CA?
>>>>>>
>>>>>> I’d like to continue this discussion through Monday, February 13, 2023. As with the public discussion held on CCADB Public, please reply directly in this discussion thread with thoughtful and constructive comments, and a representative of BJCA must respond here to all questions or issues that are raised.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Ben
>>>>>>
>>>>>> --
>>>>>> You received this message because you are subscribed to the Google Groups "[email protected]" group.
>>>>>> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
>>>>>> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaaRA81B1SF%3DSRF%3DPsJJcNsoq70hDZO703yOtG4FMPajTw%40mail.gmail.com.
>>>>>>
>>>>>> --
>>>>>> Kurt Seifried (He/Him)
>>>>>> [email protected]

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYZMDa8h1xgQtbZpboLoW5n4Xxq554%2B2xSE96UZZZeM3w%40mail.gmail.com.
