The software mentioned in the security incident report is a digital 
certificate application security suite developed by BJCA. The normal 
operation of this software depends on certain technical implementations, 
which led to it being misjudged as abnormal behavior; it is actually not 
spyware.

After BJCA received the above security incident report on August 2, 2021, 
we made a clarification reply in the Mozilla root inclusion case (see 
https://bugzilla.mozilla.org/show_bug.cgi?id=1647181#c15). Since the reply 
involves a large amount of technical detail, I will not repeat it here. 
Please follow the link above for details, and feel free to discuss further 
if you have more questions. At the same time, please note that the mentioned 
software does not include the certificate chains of this root inclusion 
case (BJCA Global Root CA1 and BJCA Global Root CA2).

Regards,
BJCA team

On Thursday, December 1, 2022 at 04:13:08 UTC+8, <[email protected]> wrote:

> The second Google result I got was:
>
> https://borncity.com/win/2021/08/02/spyware-hnliche-funktionen-in-china-app-bejing-one-pass-gefunden/
>
> Which links to the original report:
>
> https://www.recordedfuture.com/beijing-one-pass-benefits-software-spyware
>
> Insikt Group independently verified that the installed application 
> exhibits characteristics consistent with potentially unwanted applications 
> (PUA) and spyware. The software is associated with the Beijing Certificate 
> Authority (北京数字认证股份有限公司), which is a Chinese state-owned enterprise (BJCA, 
> www.bjca[.]cn).
>
> So a good start might be having someone from bjca.cn explain their 
> relationship with PUA/spyware apps in China. 
>
> On Wed, Nov 30, 2022 at 10:03 AM Ben Wilson <[email protected]> wrote:
>
>> All,
>>
>> This is to announce the beginning of a six-week public discussion period 
>> for the inclusion request of Beijing Certificate Authority Co., Ltd. (BJCA) 
>> (Bug # 1647181 <https://bugzilla.mozilla.org/show_bug.cgi?id=1647181>, CCADB 
>> Case # 615 <https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000615>) 
>> for the following two root CA certificates: 
>>
>> *BJCA Global Root CA1* *(4096-bit RSA; websites trust bit with EV 
>> enablement and the email trust bit)*
>>
>> Download – http://repo.bjca.cn/global/cert/BJCA_Global_Root_CA1.crt 
>>
>> crt.sh - https://crt.sh/?sha256=F3896F88FE7C0A882766A7FA6AD2749FB57A7F3E98FB769C1FA7B09C2C44D5AE
>>
>> *BJCA Global Root CA2* *(384-bit EC; websites trust bit with EV 
>> enablement and the email trust bit)*
>>
>> Download – http://repo.bjca.cn/global/cert/BJCA_Global_Root_CA2.crt 
>>
>> crt.sh - https://crt.sh/?sha256=574DF6931E278039667B720AFDC1600FC27EB66DD3092979FB73856487212882
>>
>> Mozilla is considering approving BJCA’s request to add these two roots as 
>> trust anchors with the websites and email trust bits enabled. BJCA is also 
>> seeking enablement for Extended Validation (EV) under the CA/Browser 
>> Forum’s EV Guidelines.
>>
>> *Repository:* The BJCA document repository is located here:  
>> https://www.bjca.cn/cps.
>>
>> *Relevant Policy and Practices Documentation: *
>>
>> Beijing Certificate Authority Co., Ltd. Global Certificate Policy 
>> <https://www.bjca.cn/u4d/%E8%AF%81%E4%B9%A6%E7%AD%96%E7%95%A5%EF%BC%88CP%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E5%85%A8%E7%90%83%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E8%AF%81%E4%B9%A6%E7%AD%96%E7%95%A5%20Beijing%20Certificate%20Authority%20Co.,%20Ltd.%20Global%20Certificate%20Policy.pdf>, 
>> v. 1.0.6, dated July 25, 2022
>>
>> Beijing Certificate Authority Co., Ltd. Global Certification Practice 
>> Statement 
>> <https://www.bjca.cn/u4d/%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%EF%BC%88CPS%EF%BC%89/files/%E5%8C%97%E4%BA%AC%E6%95%B0%E5%AD%97%E8%AE%A4%E8%AF%81%E8%82%A1%E4%BB%BD%E6%9C%89%E9%99%90%E5%85%AC%E5%8F%B8%E5%85%A8%E7%90%83%E8%AE%A4%E8%AF%81%E4%BD%93%E7%B3%BB%E7%94%B5%E5%AD%90%E8%AE%A4%E8%AF%81%E4%B8%9A%E5%8A%A1%E8%A7%84%E5%88%99%20Beijing%20Certificate%20Authority%20Co.,%20Ltd.%20Global%20Certification%20Practice%20Statement.pdf>, 
>> v. 1.0.6, dated July 25, 2022
>>
>> *Self-Assessments and Mozilla CPS Reviews* are located within Bug # 
>> 1647181 <https://bugzilla.mozilla.org/show_bug.cgi?id=1647181>:
>>
>> BJCA's-BR-Self-Assessment.pdf 
>> <https://bugzilla.mozilla.org/attachment.cgi?id=9158091>
>>
>> Mozilla’s CP/CPS Reviews – Comment #7 
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1647181#c7> and Comment #24 
>> <https://bugzilla.mozilla.org/show_bug.cgi?id=1647181#c24>
>>
>> *Value-vs-Risk Justification from BJCA –* see 
>> Quantifying-Value--BJCA-2022.7.7.pdf 
>> <https://bugzilla.mozilla.org/attachment.cgi?id=9284547>
>>
>> *Audits:* Annual audits have been performed by Anthony Kam & 
>> Associates, Ltd. in accordance with the WebTrust Principles and Criteria 
>> for Certification Authorities. The most recent audit reports were published 
>> on May 18, 2022, for the period ending March 9, 2022. See:
>>
>> https://www.cpacanada.ca/GenericHandlers/CPACHandler.ashx?AttachmentID=389f5843-e05f-4e80-aae0-23cee8922866 
>> (Standard WebTrust)
>>
>> https://www.cpacanada.ca/GenericHandlers/CPACHandler.ashx?AttachmentID=2c0c075a-0000-40f1-8a81-1ccb21268e62 
>> (WebTrust Baseline Requirements and Network and Certificate System Security 
>> Requirements)
>>
>> https://www.cpacanada.ca/GenericHandlers/CPACHandler.ashx?AttachmentID=78bb08b0-7523-4011-b27c-b8a1a978433e 
>> (WebTrust for Extended Validation)
>>
>> *Incidents*
>>
>> I am unaware of any incidents involving BJCA.
>>
>> I have no further questions or concerns about BJCA’s inclusion request; 
>> however, I urge anyone with concerns or questions to raise them on this 
>> list by replying directly in this discussion thread. Likewise, a 
>> representative of BJCA must promptly respond directly in the discussion 
>> thread to all questions that are posted.
>>
>> This email begins a 6-week period for public discussion and comment, 
>> which I’m scheduling to close on or about January 11, 2023, after which, if 
>> no concerns are raised, we will close the discussion and the request may 
>> proceed to Mozilla’s one-week “last-call” phase.
>>
>> Sincerely yours,
>>
>> Ben Wilson
>>
>> Mozilla Root Program Manager
>>
>
>
> -- 
> Kurt Seifried (He/Him)
> [email protected]
>

-- 
You received this message because you are subscribed to the Google Groups 
"public" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/ccadb.org/d/msgid/public/b7aa7c99-7db4-43da-be42-3a69ada42d47n%40ccadb.org.
