Re: Something About CFCA (China Financial Certification Authority)

2016-11-01 Thread Han Yuwei
On Monday, October 31, 2016 at 6:19:44 PM UTC+8, jonath...@gmail.com wrote:
> On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote:
> > On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> > > Please see 6.1.7, which describes this content.
> > 
> > In version 3.2 I see that "证书最长期限(年)" (maximum validity period, in years) for 
> > "SSL服务器证书" (SSL Server Certificates) is 5.
> > 
> > And I don't see any other information about SM2 usage.
> 
> We feel that there is no need to discuss those roots that are NOT included in 
> Mozilla and other publicly trusted root stores. SM2 is not valid for the BR right 
> now, so we didn't apply for inclusion of our SM2 root. It is as simple as that. 
> Hence, we do not plan to explain further about our NOT included root.

Ok, thanks for your time.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Eric Mill
On Mon, Oct 31, 2016 at 8:29 PM, Percy wrote:

> On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote:
> > According to their CPS (Chinese version 3.2, Jul. 2016),
> >
> > 1. All CAs can issue SM2 certificates and use the SM3 hash.
> >
> > 2. There is a "signing key" generated by the subscriber and an "encryption key"
> generated by CFCA which is transmitted to the subscriber.
> >
> > 3. For SSL certificates, the longest valid duration is 5 years, which is
> much more than 39 months.
> >
> > Are those conflicting with Mozilla's policy?
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cfca.com.cn
>
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability
> (CVE-2016-2107) and insecure. Grade set to F.
>
> Rather ironic for a CA's official site, isn't it?
>

But off-topic for this thread.





-- 
konklone.com | @konklone 


Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Percy
On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote:
> According to their CPS (Chinese version 3.2, Jul. 2016),
> 
> 1. All CAs can issue SM2 certificates and use the SM3 hash.
> 
> 2. There is a "signing key" generated by the subscriber and an "encryption key" 
> generated by CFCA which is transmitted to the subscriber.
> 
> 3. For SSL certificates, the longest valid duration is 5 years, which is much 
> more than 39 months.
> 
> Are those conflicting with Mozilla's policy?

https://www.ssllabs.com/ssltest/analyze.html?d=www.cfca.com.cn

This server is vulnerable to the OpenSSL Padding Oracle vulnerability 
(CVE-2016-2107) and insecure. Grade set to F.

Rather ironic for a CA's official site, isn't it?


Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread jonathansshn
On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote:
> On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> > Please see 6.1.7, which describes this content.
> 
> In version 3.2 I see that "证书最长期限(年)" (maximum validity period, in years) for 
> "SSL服务器证书" (SSL Server Certificates) is 5.
> 
> And I don't see any other information about SM2 usage.

We feel that there is no need to discuss those roots that are NOT included in 
Mozilla and other publicly trusted root stores. SM2 is not valid for the BR right 
now, so we didn't apply for inclusion of our SM2 root. It is as simple as that. 
Hence, we do not plan to explain further about our NOT included root.


Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> Please see 6.1.7, which describes this content.

In version 3.2 I see that "证书最长期限(年)" (maximum validity period, in years) for "SSL服务器证书" 
(SSL Server Certificates) is 5.

And I don't see any other information about SM2 usage.


Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread jonathansshn
Please see 6.1.7, which describes this content.


Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 10:26:57 PM UTC+8, jonath...@gmail.com wrote:
> 1, It's not true. CFCA's RSA root that is included in Mozilla is not able to 
> issue SM2 certificates with the SM3 hash. CFCA does have an SM2 root that issues SM2 
> certificates, but that root is not included in Mozilla or any other root store 
> such as Apple, Microsoft or Google. And our CPS never indicates that our RSA 
> root is able to issue SM2 certificates. It is impossible.
> 2, The signing key and encrypting key issue is a standard related to 
> Chinese double certificates, which is different from SSL, code signing and 
> email certificates. CFCA's root that is included in Mozilla, Google and Apple is 
> never able to issue this kind of certificate. 
> 3, CFCA OV certificates have a longest valid period of 3 years. EV 
> certificates have a longest valid period of 2 years. There is no root of CFCA that 
> is included in Mozilla, Google and Apple that can issue 5-year-long certificates. 
> Please note that the sub root that used to be able to issue 5-year-long 
> certificates is the GT root, which is a SHA-1 root that we already turned off. 
> This root issued 0 certificates after 2016 Jan 1, and this root is never 
> included in Mozilla, Apple and Google.

So why didn't I see these statements in the CPS or on the website?


Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread jonathansshn
1, It's not true. CFCA's RSA root that is included in Mozilla is not able to 
issue SM2 certificates with the SM3 hash. CFCA does have an SM2 root that issues SM2 
certificates, but that root is not included in Mozilla or any other root store 
such as Apple, Microsoft or Google. And our CPS never indicates that our RSA 
root is able to issue SM2 certificates. It is impossible.
2, The signing key and encrypting key issue is a standard related to 
Chinese double certificates, which is different from SSL, code signing and email 
certificates. CFCA's root that is included in Mozilla, Google and Apple is never 
able to issue this kind of certificate. 
3, CFCA OV certificates have a longest valid period of 3 years. EV 
certificates have a longest valid period of 2 years. There is no root of CFCA that 
is included in Mozilla, Google and Apple that can issue 5-year-long certificates. Please 
note that the sub root that used to be able to issue 5-year-long certificates is 
the GT root, which is a SHA-1 root that we already turned off. This root issued 0 
certificates after 2016 Jan 1, and this root is never included in Mozilla, Apple 
and Google.


Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
According to their CPS (Chinese version 3.2, Jul. 2016),

1. All CAs can issue SM2 certificates and use the SM3 hash.

2. There is a "signing key" generated by the subscriber and an "encryption key" 
generated by CFCA which is transmitted to the subscriber.

3. For SSL certificates, the longest valid duration is 5 years, which is much 
more than 39 months.

Are those conflicting with Mozilla's policy?