1377389 - Add Korea Ministry of the Interior (MOI) root

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[Hyunwook Kim]

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.115 Safari/537.36

Steps to reproduce:

We, Korea Local Information Research & Development Institute (KLID) that operates Root CA and Sub CAs of Government Public Key Infrastructure (GPKI) of the Republic of Korea, has been conducting our Root CA certificate inclusion into Mozilla products since 2015. According to comments #38 and #42 of Bugzilla 1226100, we considered and decided to apply separately the Sub CAs under the Root CA certificate named “GPKIRootCA1”. The Sub CAs issuing SSLs are Ministry of the Interior (MOI) CA and Ministry of Education (MOE) CA. 
Comment #38: https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c38
Comment #42 : https://bugzilla.mozilla.org/show_bug.cgi?id=1226100#c42

This request applies MOI Sub CA certificates for inclusion into Mozilla products. The Other CA, Ministry of Education (MOE) CA will apply its Sub CA certificate inclusion for Mozilla products in December 2017 after WebTrust audit completion.  


Actual results:

N/A. We will follow the Mozilla Root Store Policy.  


Expected results:

N/A. We will follow the Mozilla Root Store Policy

Comment 1

[Hyunwook Kim]

Attachment: MOI Sub-CA_Information Checklist.pdf

We would like to apply MOI CA certificates(cn=CA13110001, cn=CA131100002)which are issued from the MOI Root CA of GPKI Korea. Detail information are included in the attached file.

Comment 2

[Aaron Wu]

Hi Kim,

Thanks to provide the information checklist, we are doing the information verification and updating into CCADB.

Please help to perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background = 

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any question, thank you!


Best regards,
Aaron

Comment 3

[Hyunwook Kim]

Attachment: BR Self Assessment

Dear, Aaron

Regarding 'BR-self-assessment', let me attach the file.

Please review it and feedback me what I prepare for going to next verification. 

Best Regards,
Kim

Comment 4

[Aaron Wu]

HI Kim,

Comment 5

[Aaron Wu]

Hi Kim,

Thanks to provide BR-Self Assessment.

As mentioned in document, 
Valid certificate: https://www.gpki.go.kr
Revoked certificate: TBD (in October 2017)
Expired certificate: TBD (in October 2017)

Please notify once Revoked and Expired sites are ready.

Thanks,
Aaron

Comment 6

[Hyunwook Kim]

Dear, Aaron

As you requested, we updated the test pages for revoked and expired certificates. Please check the URLs below. 

Valid certificate: https://www.gsslwebtrust..or.kr/
Revoked certificate: https://www.gsslwebtrust1.or.kr/
Expired certificate: https://www.gsslwebtrust2.or.kr/

Best Regards,
Kim

Comment 7

[Hyunwook Kim]

Dear, Aaron

As you requested, we updated the test pages for revoked and expired certificates. Please check the URLs below. 

Valid certificate: https://www.gsslwebtrust.or.kr/
Revoked certificate: https://www.gsslwebtrust1.or.kr/
Expired certificate: https://www.gsslwebtrust2.or.kr/

Best Regards,
Kim

Comment 8

[Hyunwook Kim]

Dear, Aaron

I submitted BR-Self Assessment and certificate information(valid, revoked, expired) last October.
Please feedback me what I prepare for going to next verification. 

Thanks and Regards,
Kim

Comment 9

[Aaron Wu]

HI Kim,

Thanks for your BR-Self Assessment and test websites, we are working on verification.

By the way, as the CPS[1] you provided is in Korean, we need to have CPS in English. Please kindly provide the official CPS as English version.

[1]
https://www.gpki.go.kr/upload/download/1.2-GPKI_CA CPS.pdf


Thanks,
Aaron

Comment 10

[Hyunwook Kim]

Dear, Aaron

You can get GPKI CPS (English version) below.
https://www.gpki.go.kr/upload/download/1.2-GPKI_CA_CPS(Eng).pdf

Thanks and Regard,
Kim

Comment 11

[Hyunwook Kim]

Dear, Aaron

I want to know remaining schedule to get final approval from Mozilla.org.
As I know, we need a public discussion progress, right?
I'm wondering how long dose it takes if then.

Please guide us remaining schedule and how to reduce the time.

Thanks and Regards,
Kim

Comment 12

[Aaron Wu]

Hi Kim,

Thanks for your message.

We are verifying your updated CPS now, I will notify you once the case moves to public discussion. Please stay tuned.

Kind Regards,
Aaron

Comment 13

[Hyunwook Kim]

Dear, Aaron

I'm sorry to rush you, but could you inform me expected ending time of each remaing step?
Many people in Korea are interested in this thread.

Thanks and Regards,
Kim

Comment 14

[Ryan Sleevi]

As mentioned at https://wiki.mozilla.org/CA/Application_Process , it typically takes two years for inclusion, if a CA is determined to be acceptable. Note that due to the risks adding CAs poses to the ecosystem, it may take longer, particularly if there are concerns about the CA’s practices or hierarchy, as there are here. Thus it may take longer, in order for the community to discuss the risks posed and how to mitigate them.

Comment 15

[Firefox Bug Husbandry Bot]

Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324

Comment 16

[Hyunwook Kim]

Dear Ryan, 

We understood that it may take longer, particularly if there are concerns about the CA’s practices or hierarchy. According to your guidance at Comment #38 in Bug 1226100: Add MOI GPKI Root CA certificate(s), the Korea Ministry of Interior (MOI) decided to apply its Subordinate CA certificate separately to Mozilla. We have been waiting for Mozilla feedback after we uploaded our BR Self-Assessment document 4 months ago but unfortunately couldn’t get any response on the document until now. Nevertheless we’re ready to reflect the feedback from Mozilla if improvements are required to proceed. Truly we look forward to the feedback.


Dear Kathleen, 

I know that you should handle quite a number of other CAs requests, however, please let me know something required to go forward the next steps.
It also would be very appreciated if Mozilla gives us some feedback on the BR Self-Assessment first.

Thanks and Regards,
Kim

Comment 17

[Kathleen Wilson]

(In reply to Hyunwook Kim from comment #16)
> Dear Kathleen, 
> 
> I know that you should handle quite a number of other CAs requests, however,
> please let me know something required to go forward the next steps.
> It also would be very appreciated if Mozilla gives us some feedback on the
> BR Self-Assessment first.
> 
> Thanks and Regards,
> Kim


Dear Kim,

I am ready to look into your request now.

Please send me email with the names and business email addresses of the Primary Points of Contact (POC) for this CA. 
https://wiki.mozilla.org/CA/Information_Checklist#CA_Primary_Point_of_Contact_.28POC.29
For each POC please clearly indicate the role of that person in representing/operating this CA.

Also, to refresh my memory of this situation, I reviewed Bug #1226100, and noticed that the person appearing to represent this CA has changed frequently. Please explain the situation. I need to be reassured that there will be representatives of this CA regularly following the mozilla.dev.security.policy forum and the CA/Browser Forum Baseline Requirements, and keeping the CA's practices, CP/CPS documents, and audits up to date.

Thanks,
Kathleen

Comment 18

[Hyunwook Kim]

Dear Kathleen Wilson,

I sent you email regarding POC information.
Please check it out and proceed our process.

Thanks and Regards,
Kim

Comment 19

[Kathleen Wilson]

Attachment: CA131100001-MOI-SubCA1.crt

Comment 20

[Kathleen Wilson]

Attachment: CA131100002-MOI-SubCA2.crt

Comment 21

[Kathleen Wilson]

Attachment: WebTrustCA-Jan2017.pdf

Comment 22

[Kathleen Wilson]

Attachment: WebTrustBR-Jan2017.pdf

Comment 23

[Kathleen Wilson]

I see that this request is for two subCAs certs, which I have attached as CA131100001-MOI-SubCA1.crt and CA131100002-MOI-SubCA2.crt. I am going to focus on CA131100001-MOI-SubCA1.crt first, because I suspect the information will be mostly duplicate for the other cert.

I will continue to work through the provided information, but wanted to let you know what I have noticed so far, so you can respond.

1) I will need updated audit statements -- preferably as webtrust seals, but I will also accept documents attached to this bug.

2) I will need historical audit statements (attach to this bug). I see that both of the subCA certs are valid from 2011. When did you begin getting BR audits for these subCAs? I will need those historical BR audit statements attached to this bug.
Please note that other root inclusion requests have been getting denied due to lack of BR compliance and audits throughout the life of the root (and at lest from 2014).
We may continue to process this request, but depending on the history of BR audits for these certs it is possible that the request to include these specific two subCA certs will be denied and that you will be asked to provide a new subCA cert that is BR-compliant and audited from the beginning.

3) When I try to access the test websites, I get a timeout error. Please make sure that test websites can be reached from outside your organization.
https://www.gsslwebtrust.or.kr/
https://www.gsslwebtrust2.or.kr/
https://www.gsslwebtrust1.or.kr/

Thanks,
Kathleen

Comment 24

[Hyunwook Kim]

Dear Kathleen,

1) We have completed the WebTrust audits on the Root and Sub-CA Certificates we requested and the 2 seals (WTCA, WTCA-SSL) will be released in March. I will update the audit information soon.  

2) the Sub-CA certificates, which are CA131100001-MOI-SubCA1 and CA131100002-MOI-SubCA2, has been included in the scope of the WebTrust audits since 2015. You can find the Sub-CA certificates information on the WTCA audit report to be released in March 2018. 

3) You can currently reach the website below. Sorry for inconvenience.

Valid certificate: https://www.gsslwebtrust.or.kr/
Revoked certificate: https://www.gsslwebtrust1.or.kr/
Expired certificate: https://www.gsslwebtrust2.or.kr/

Thanks and Regards,
Kim

Comment 25

[KimMinsu]

CA131100001 and CA131100002 does not meet the CA/B BR.

1. leaf certificate have a poor OCSP server status.
2. CA131100001/CA131100002  does not have a authorityInformationAccess field (OCSP)

Comment 26

[KimMinsu]

CA/B Forum BR
6.1.7 CA MUST NOT issue Subscriber Certificates directly from Root CAs

as CA131100001,CA131100002 are considered to be a root certificate.
they are also violating CA/B Forum BR.

ex)
CA131100001 issue a leaf certificate directly.
https://crt.sh/?id=37573411

Comment 27

[KimMinsu]

https://crt.sh/?icaid=272&identity=%25

Comment 28

[Hyunwook Kim]

Dear, KimMinsu

CA131100001,CA131100002 belong to CA certificate.
Subscriber Certificates are issued from these CAs.

Thanks,
Kim

Comment 29

[KimMinsu]

as CA131100001/CA131100002 expires in 2021-09-22, i think it has too short remaning times for a root certificate.

when this certificate is propatated to the many clients, that certificate would be already expired.

Microsoft requires "New roots must be valid for at least eight (8) years from the date of submission."

i think we should make a similar remaining root cert valid time policy like microsoft.

Comment 30

[mail]

According to Mozilla Root Store Policy §5.2 Forbidden and Required Practices:

> CAs MUST maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (i.e. the included certificate signs intermediate issuing certificates), as described in section 6.1.7 of the Baseline Requirements.

Comment 31

[Wayne Thayer]

(In reply to mail from comment #30)
> According to Mozilla Root Store Policy §5.2 Forbidden and Required Practices:
> 
> > CAs MUST maintain a certificate hierarchy such that the included certificate does not directly issue end-entity certificates to customers (i.e. the included certificate signs intermediate issuing certificates), as described in section 6.1.7 of the Baseline Requirements.

Because Mozilla directed the Government of Korea to submit subordinate CAs, this is an inconsistency between Mozilla's policy and Mozilla's actions that Mozilla will need to resolve.

Comment 32

[Wayne Thayer]

It has been pointed out in bug 1451235 that these two CAs have misissued a large number of certificates:

https://crt.sh/?CAID=272&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
https://crt.sh/?CAID=2149&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01

Also as reported in https://bugs.chromium.org/p/chromium/issues/detail?id=823665, I am receiving an OCSP timeout for a sample certificate (https://crt.sh/?id=287836226&opt=cablint,ocsp)

Given this, it is unlikely that this inclusion request will ever be approved (please refer to other recent denials on the mozilla.dev.security.policy forum).

Comment 33

[Yongmin Hong [:revi]]

To add this already-long disasterous modus operandi of GPKI: Self-assessment is obviously false: "MOI CA doesn't issue SSL certificates containing IP addresses."

https://crt.sh/?id=130687620 makes me h-u-h and https://crt.sh/?q=211.206.120.182 makes H-U-H. They've been doing this since 2013.

While CA134100031 (which is at fault here) is operated by Ministry of Education (MOE), not the MOI who is requesting inclusion (Specifically, CA131100001 and CA131100002), because of GPKI structure, [note1], MOI and "Government Certification Management Authority" [note2] seem to take the final responsibility on operating GPKI infrastructure (especially for the same part of Government). Therefore their failure to detect MOE mis-issuance can be traced back to failure to detect by MOI in due course.

[note1]: c.f. bug 1226100 comment 37 and Electronic Government Act of Korea No. 14914[1] Article 29
[1]: http://www.law.go.kr/lsSc.do?tabMenuId=tab18&query=전자정부법
[note2]: c.f. https://www.gpki.go.kr/eng/center/sub_01_01_01.jsp says "MOGAHA (former name of MOI), which is Root CA"... - and Enforcement Decree of Electronic Government Act, Presidential Decree no. 28211, Article 28 states Government Certification Management Authority, reporting to Minister of Interior, is established to manage authentication of GPKI.

Comment 34

[Wayne Thayer]

The following news article appears to relate to an issue with the MOE CA: http://www.korea.kr/briefing/actuallyView.do?newsId=148849591&call_from=naver_news

I ask the Government of Korea to explain this issue as part of this MOI root inclusion request.

Comment 35

[Kathleen Wilson]

(In reply to Wayne Thayer [:wayne] from comment #32)
> these two CAs have misissued a
> large number of certificates:
> 
> https://crt.sh/?CAID=272&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
> https://crt.sh/?CAID=2149&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
> 


I am going to close this request as WONTFIX.

This CA is welcome to submit a new request for inclusion of a new root that is (from creation) in full compliance with the Mozilla's Root Store Policy and the CA/Browser Forum's Baseline Requirements.