in contest of the gmail, aren't it blocked in china GFW? not sure how they works as this google groups would be blocked too though.
2022년 12월 11일 일요일 오전 2시 5분 21초 UTC+9에 [email protected]님이 작성: > Uh, I just realized. How can we confirm that [email protected] is indeed > BJCA? Don't you have email setup on your domain? > > [image: Screenshot 2022-12-10 100338.png] > I'm sorry but we're supposed to believe you are capable of running a root > CA when you can't even do a basic email address setup with your own domain? > > On Sat, Dec 10, 2022 at 1:42 AM BJCA <[email protected]> wrote: > >> Thank you all, reply one by one: >> >> 1. Was this report submitted to Mozilla and is it available to read >> generally? >> >> This report is a communication document between our company and the >> competent government department, and it is not suitable for disclosure or >> submission to Mozilla because it involves confidential information. And >> because the security incident does not involve the certificate chain of the >> root inclusion case submitted to Mozilla this time, we made a clarification >> in the Mozilla root inclusion case by disclosing the main points of the >> report. >> >> 2. I suppose my question is thus how do you define spyware in this >> context and in particular, "known spyware", and what was the process for >> evaluating if it was present? In my opinion there is a difference is >> whether or not a piece of software happens to include components that match >> a signature of spyware or a virus in a some database of known spyware, >> versus whether it exhibits behaviours consistent with spyware. >> >> We understand that "Spyware is software with malicious behaviour that >> aims to gather information about a person or organization and send it to >> another entity in a way that harms the user". Whether it is spyware is >> mainly to evaluate whether it behaves consistent with spyware. After >> analysis, we found that the suspected spyware behavior indicated in the >> report was caused by one of the drivers, wmControl.exe. This program is a >> driver provided by the USB Token manufacturer, Its software behavior is >> different from spyware and does not have malicious behavior. It is intended >> to ensure the normal use of this type of devide in the browser. In >> addition, the USB Token for digital certificate corresponding to the driver >> wmControl.exe is an old version device, and its driver has been deleted in >> the new version of the certificate environment software (version >= 3.6.8) >> provided by BJCA. This measure will help our software out from being judged >> as spyware. >> >> 3. I can see how software that installs novel root certificates to the >> trusted root store would be flagged as PUA. I'm surprised that in the >> value/risk analysis a desire to not have to install new root certificates >> on peoples computer's this way is not a more prominent component, instead >> it is more or less "to become a globally trusted CA ... to secure a wide >> range of websites visited by Firefox users". >> >> This is exactly the reason why we apply for root inclusion, so that the >> issued SSL certificate can be automatically trusted by Mozilla, Microsoft, >> Apple, and Google, so the user experience could be improved. It must be >> noted that our software needs to provide services for different types of >> users. In addition to SSL certificates, the certificates issued by our >> company have a wide range of uses, including document signing, identity >> authentication, etc. Registering the root certificate to the operating >> system can bring convenience for users to use certificates. >> >> 4. I'm a bit unclear here. The Insikt report said that there was >> substantial functional overlap, not that a zfkeymonitor.exe program was >> included exactly. >> >> From my understanding, a file with sha256 >> bed0d1139adcec9292841b7315289bb43960f2c7a4ff1bbab536528b1317b075 was >> included and multiple security vendors label it as a kind of PUA named >> zfkeymonitoring, e.g., >> >> >> https://www.virustotal.com/gui/file/bed0d1139adcec9292841b7315289bb43960f2c7a4ff1bbab536528b1317b075/detection >> >> So to clear this up, is it that this file as referenced above was in fact >> included, but Microsoft and others are incorrect to label it as they did? >> Or is this code-signed file not actually included in the first place? The >> Insikt report appears to be primarily static testing, meaning that code to >> record screenshots, read clipboard, etc., was present in the library but >> their testing did not seem to check whether such code actually ran during >> testing. Is it the case that the code was present but never used, or that >> this code didn't exist at all? >> >> Our software contains drivers from multiple certificate device vendors, >> resulting in overlapping functionality. The SHA256 digest mentioned here >> points to the certificate application environment installation package >> developed by our company. In fact, our software does not include the >> zfkeymonitor.exe program. >> >> 5. I'm not sure I understand this. The software did install new root >> certificates, but it is not the same root certificates that you are >> attempting to add to Mozilla's program? >> >> The root certificate installed by this software is not used for the >> application of the SSL server certificate, but for other purposes. >> Therefore, the software does not include the BJCA Global Root CA1 and BJCA >> Global Root CA2 certificate chains in the Mozilla root include case, nor >> does it attempt to add them to browser programs. >> >> 6. When the Windows installer runs, is there an option to forgo or not >> install the "Root Certificate Updates" functionality? As a person who has >> written Windows installers, I would expect an installer option to forgo >> Root Certificate installation and updates. If the user is not informed, or >> the option is not present, or the installation happens surreptitiously, >> then it would raise my suspicions. >> >> And there's always the option to add the certificate and updates to the >> current user's Personal store rather than the machine's Trusted Roots or >> Trusted Third Party stores. >> >> The BJCA certificate environment software will write the BJCA root >> certificate into the certificate store trusted by the system during >> installation. If you choose not to install the root certificate when >> installing the root certificate, some functions of the BJCA certificate >> will be abnormal, which has caused a large number of user complaints. >> >> In order to improve the user experience, the BJCA certificate environment >> software chooses to skip user confirmation during the installation process, >> which may cause doubts for users. At present, we have plans to adopt >> advanced options in the new version of the software, allowing users to >> choose whether to confirm the installation, and support users to choose to >> add certificates and updates to the current user's personal storage instead >> of the computer's trusted root or trusted third party storage. No doubt >> that there is an obvious contradiction between convenience and security, >> which could improve the software security but degrades the user >> experience and increase our operation costs. >> >> >> Regards, >> BJCA team >> >> 在2022年12月6日星期二 UTC+8 02:51:24<[email protected]> 写道: >> >>> On Mon, Dec 5, 2022 at 12:40 PM Prof. Reardon <[email protected]> >>> wrote: >>> > >>> > ... >>> > << >>> > The key points of technical analysis are as follows: >>> > (1) The software is a application security suite for digital >>> certificates, which >>> > aims to provide device driver of USB token and cross-browser >>> cryptographic >>> > middleware for end user. The software mainly consists of four parts: >>> certificate >>> > application component, certificate assistant, device driver and online >>> > upgrading. The software, by setting itself as self-startup program and >>> > periodical checking, discovers the USB token device promptly and >>> ensures >>> > third-party application softwares’ trust to BJCA certificate chain by >>> > registering the Trusted Root Certificate in Windows operating system. >>> And it >>> > also support accesing the USB token based on mass storage protocol in >>> the >>> > browser by acting as an agent with listening to a local network port. >>> The above >>> > behaviors are dedicated technologies for the normal operation of the >>> software, >>> > should not be considered as malicious behaviors and backdoor >>> functions. >>> > >> >>> > >>> > I can see how software that installs novel root certificates to the >>> trusted root >>> > store would be flagged as PUA. I'm surprised that in the value/risk >>> analysis >>> > a desire to not have to install new root certificates on peoples >>> computer's this >>> > way is not a more prominent component, instead it is more or less "to >>> become a >>> > globally trusted CA ... to secure a wide range of websites visited by >>> Firefox >>> > users". >>> >>> One comment based on Dr. Reardon's observations. >>> >>> When the Windows installer runs, is there an option to forgo or not >>> install the "Root Certificate Updates" functionality? As a person who >>> has written Windows installers, I would expect an installer option to >>> forgo Root Certificate installation and updates. If the user is not >>> informed, or the option is not present, or the installation happens >>> surreptitiously, then it would raise my suspicions. >>> >>> And there's always the option to add the certificate and updates to >>> the current user's Personal store rather than the machine's Trusted >>> Roots or Trusted Third Party stores. >>> >>> Jeff >>> >> -- >> > You received this message because you are subscribed to the Google Groups >> "public" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> > To view this discussion on the web visit >> https://groups.google.com/a/ccadb.org/d/msgid/public/95c6ef70-2086-49bc-9713-bb25cd30724dn%40ccadb.org >> >> <https://groups.google.com/a/ccadb.org/d/msgid/public/95c6ef70-2086-49bc-9713-bb25cd30724dn%40ccadb.org?utm_medium=email&utm_source=footer> >> . >> > > > -- > Kurt Seifried (He/Him) > [email protected] > -- You received this message because you are subscribed to the Google Groups "public" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/a/ccadb.org/d/msgid/public/878a4dde-34a4-4f45-aef5-1702af187196n%40ccadb.org.
