On Tuesday, 15 November 2016 at 09:20:09 UTC+8, Kathleen Wilson wrote:
> All,
>
> I will greatly appreciate it if you will review this request from Government
> of Taiwan, Government Root Certification Authority (GRCA) to include their
> Government Root Certification Authority root certificate, and turn on the
> Websites and Email trust bits. This root cert will eventually replace the
> previous GRCA root certificate that was included via Bugzilla Bug #274106.
>
> Thanks,
> Kathleen
At the CA/Browser Forum 34th F2F meeting (minutes: https://cabforum.org/2015/03/11/2015-03-11-minutes-of-cupertino-f2f-meeting-34/), Li-Chun Chen (me) of Chunghwa Telecom presented a discussion on "behaviors of web servers and browsers if a PKI follows RFC 4210 & RFC 5280 6.1 for Root CA key update". The presentation file is at https://cabforum.org/wp-content/uploads/Chunghwatelecom201503cabforumV4.pdf.

I explained the rollover certificate process outlined in RFC 4210: signing the old public key with the new private key, and the new public key with the old private key. I also gave the RFC 5280 definitions of self-issued certificates (self-issued certificates are generated to support changes in policy or operations, so there will be values in the certificate policies extension field of a self-issued certificate) and self-signed certificates (CA certificates in which the issuer and subject are the same entity; for a Root CA self-signed certificate there will be no value in the certificate policies extension). Following RFC 5280 6.1, a certificate is self-issued if the same DN appears in the subject and issuer fields.

The Taiwanese Government Root CA (GRCA) switched over from SHA1 to SHA256 in 2012, but we encountered IIS issues when following the processes found in the RFCs. See slides 8 to 13. IIS 7 falsely treated GRCA's self-issued certificate (new with old) as a self-signed certificate, because it has the same issuer and subject name. On the IIS side we found SSL Cert -> GCA Cert -> new-with-old GRCA Cert -> old GRCA Cert, but IIS only sends SSL Cert -> GCA Cert to the client. Mozilla Firefox uses its own trust list; it only trusts the old GRCA, and the new GRCA is waiting to be built into NSS. So there are lots of complaints from Firefox users connecting to IIS sites. Because Windows clients support AIA chasing, there are fewer chaining problems there. Chunghwa Telecom requested Microsoft, through Premium support, to fix the IIS bug ASAP last spring.
But until now the Microsoft IIS team has not yet solved the bug. Chunghwa Telecom suggested making AIA mandatory, with browsers required to support fetching intermediate certificates through AIA. Supporting AIA would also reduce the cases where web site administrators forget to install intermediate certificates on their servers as the CA's or web server's manuals instruct. (In the SSL protocol, SSL servers should send the intermediate certificate and the SSL certificate to the SSL client.) It seems that Mozilla Firefox does not yet support AIA. So the best solution for the bug is to include the new Taiwan Government Root Certification Authority root certificate in Mozilla NSS, and turn on the Websites and Email trust bits. It will significantly reduce complaints from Mozilla users and from administrators of Taiwan government entities' websites that use IIS.

The CA/Browser Forum 34th F2F meeting minutes also record: "Additionally, Brian Smith commented separately via email, 'It is also possible, and recommended, for the rollover certificate to be added to Firefox's certificate store. Then Firefox will be able to use it even if IIS doesn't send it.'"

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
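The self-issued versus self-signed distinction and the chain truncation it causes, as described in the post above, can be reproduced end to end. The Go program below is an added example; it is not code from the original post, from GRCA or from Chunghwa Telecom. It builds a constructed test PKI (old and new root keys under one DN, the RFC 4210 new-with-old and old-with-new rollover certificates, an intermediate standing in for GCA, and a server certificate for the made-up host www.example.gov.tw), then models a server that decides what to send by DN equality alone (the IIS behaviour described in the post) beside one that checks for a genuine self-signature, and a client that, like the Firefox of the post, has a fixed trust store and does no AIA fetching. Go's crypto/x509 stands in for the real server and browser implementations; every name, key and label is illustrative.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed stand-in for the post's hierarchy: OldRoot and NewRoot carry the
// same DN under different keys, NewWithOld/OldWithNew are the RFC 4210 rollover certs.
type PKI struct{ OldRoot, NewRoot, NewWithOld, OldWithNew, GCA, Leaf *x509.Certificate }

var grcaDN = pkix.Name{Country: []string{"TW"}, CommonName: "Government Root Certification Authority"}

func tmpl(subject pkix.Name, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(365 * 24 * time.Hour),
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !ca { // TLS server certificate
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{"www.example.gov.tw"}
	}
	return t
}

func genKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs t (certifying pub) with signerKey; parent is the signer's own certificate,
// or t itself for a self-signed root. Go derives the SKI/AKI extensions from the keys.
func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signerKey)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER we just produced always parses
	return c
}

func BuildPKI() PKI {
	oldKey, newKey, gcaKey, leafKey := genKey(), genKey(), genKey(), genKey()
	oldT, newT := tmpl(grcaDN, true), tmpl(grcaDN, true)
	p := PKI{OldRoot: issue(oldT, oldT, &oldKey.PublicKey, oldKey), NewRoot: issue(newT, newT, &newKey.PublicKey, newKey)}
	p.NewWithOld = issue(tmpl(grcaDN, true), p.OldRoot, &newKey.PublicKey, oldKey) // new key signed by old key
	p.OldWithNew = issue(tmpl(grcaDN, true), p.NewRoot, &oldKey.PublicKey, newKey) // old key signed by new key
	p.GCA = issue(tmpl(pkix.Name{Country: []string{"TW"}, CommonName: "Government CA"}, true), p.NewRoot, &gcaKey.PublicKey, newKey)
	p.Leaf = issue(tmpl(pkix.Name{CommonName: "www.example.gov.tw"}, false), p.GCA, &leafKey.PublicKey, gcaKey)
	return p
}

// Installed is the chain the IIS host in the post has on disk, leaf first.
func (p PKI) Installed() []*x509.Certificate { return []*x509.Certificate{p.Leaf, p.GCA, p.NewWithOld, p.OldRoot} }

// IsSelfIssued is the RFC 5280 6.1 test the post quotes: issuer DN equals subject DN.
func IsSelfIssued(c *x509.Certificate) bool { return bytes.Equal(c.RawIssuer, c.RawSubject) }

// IsSelfSigned also requires the signature to verify under the cert's own key; only such a
// cert is a trust anchor a server may leave off the wire.
func IsSelfSigned(c *x509.Certificate) bool { return IsSelfIssued(c) && c.CheckSignatureFrom(c) == nil }

// ServerSends returns what a TLS server puts on the wire, stopping at the first cert it takes
// for the trust anchor. dnOnly=true reproduces the IIS rule in the post: same DN, so "root".
func ServerSends(installed []*x509.Certificate, dnOnly bool) []*x509.Certificate {
	var sent []*x509.Certificate
	for _, c := range installed {
		if (dnOnly && IsSelfIssued(c)) || (!dnOnly && IsSelfSigned(c)) {
			break
		}
		sent = append(sent, c)
	}
	return sent
}

// ClientVerify models a Firefox-like client: a fixed anchor list and no AIA fetching.
func ClientVerify(sent []*x509.Certificate, anchors ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	for _, c := range sent[1:] {
		inters.AddCert(c)
	}
	_, err := sent[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.example.gov.tw"})
	return err
}

func main() {
	p := BuildPKI()
	fmt.Printf("new-with-old: self-issued=%v self-signed=%v\n", IsSelfIssued(p.NewWithOld), IsSelfSigned(p.NewWithOld))
	for _, dnOnly := range []bool{true, false} {
		sent := ServerSends(p.Installed(), dnOnly)
		fmt.Printf("dnOnly=%-5v sends %d certs | old root only: %v | old+new root: %v\n",
			dnOnly, len(sent), ClientVerify(sent, p.OldRoot), ClientVerify(sent, p.OldRoot, p.NewRoot))
	}
}
```

Running it shows the DN-only server sending two certificates, which a client trusting only the old root rejects as signed by an unknown authority, while the server that checks for a real self-signature sends three (including new-with-old) and the same client chains through the old root. Once the new root is added to the client's trust store, the truncated two-certificate chain verifies as well, which is the effect the NSS inclusion request has for Firefox users regardless of what IIS sends.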