Status: RESOLVED FIXED
Product: NSS
Component: CA Certificate Root Program
Reported: 2 years ago
Modified: 4 months ago

People: Reporter: Kathleen Wilson, Assigned: Kathleen Wilson

Tracking: Blocks: 1 bug
Firefox Tracking Flags: Not tracked

Details: Whiteboard: Incident Action Items

Attachments: 1 attachment

(Assignee)

Description

2 years ago
The CNNIC root certificates are currently in a partially disabled state, in which certificates chaining to these roots are only accepted if they were issued before 1 Apr 2015. 

CNNIC may re-apply for full inclusion following the normal process, after they have completed the following additional steps.

1. Provide a list of changes (in this bug) that CNNIC has implemented to ensure that there are no future violations of Mozilla Policy and the Baseline Requirements.

2. Improve CNNIC’s process for authorizing intermediate CAs, and fully document this improved process in the CP/CPS. Then update this bug with URLs to the improved CP/CPS.

3. Include in this year's WebTrust audit an explicit confirmation by the auditor that these changes have been implemented and enforced. 

4. Provide auditor attestation that a full performance audit has been performed confirming BR compliance according to https://wiki.mozilla.org/CA:BaselineRequirements

5. April 1, 2016 is the earliest date at which CNNIC may apply for full inclusion. If approved, we will remove the restriction currently in place on their SSL certificates issued after Apr 1 2015. If denied, we will remove the CNNIC root certificates from NSS.
(Assignee)

Comment 1

2 years ago
An Yin, please add a comment in this bug to provide CNNIC's progress towards these action items.

Comment 2

2 years ago
During the past few months, CNNIC has been working on remediation of its CA process and on a system upgrade. We would like to update our current working status as follows:

1. CNNIC took the BR and Mozilla policy as references and established a management process for subordinate CAs, including process control for subordinate root authorization and issuance, renewal, rekey and revocation. We added a risk assessment to the subordinate CA authorization process, and also added an advance notice step (notifying all browsers, including Microsoft, Chrome, Apple and Firefox) to the subordinate certificate issuance process.

2. CNNIC revised its CPS twice and added all process improvements to the CPS. We will continue to revise the CPS with reference to RFC 3647.

3. CNNIC upgraded our CA system, which adds the NameConstraints feature, and also added the role of subordinate certificate issuance administrator to improve the security of subordinate root issuance. We completed the deployment on Oct 16th, 2015.

4. CNNIC is working on CT server development; we have almost completed the development and testing work and plan to deploy CNNIC CT online by the end of 2015.

CNNIC will keep updating its working progress in this bug.
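Two mechanisms come up in this bug: the notBefore cutoff that keeps the CNNIC roots partially disabled (description: certificates chaining to them are accepted only if issued before 1 Apr 2015), and the NameConstraints support CNNIC reports adding to its CA system for subordinate roots (comment 2 above). The following is an added, constructed example and not NSS, Firefox or CNNIC code: it evaluates a hand-built chain (leaf first, root last, plain dicts rather than real certificates) against both policies. The two SHA-1 fingerprints are the ones listed later in this bug for the restricted roots; treating "issued before 1 Apr 2015" as a strict comparison on the leaf's notBefore, the order of the checks, and the sub-CA's name constraints are all assumptions of the example.

```python
"""Constructed chain-policy evaluator (added example, not NSS code).

Checks a leaf-first chain against (1) a notBefore cutoff for partially
distrusted roots and (2) dNSName name constraints carried by intermediates."""
from datetime import date

# Restricted roots (SHA-1 fingerprints as listed in this bug), each mapped to
# the cutoff from the bug description. Strict "before" is an assumption here.
DISTRUST_AFTER = {
    # China Internet Network Information Center EV Certificates Root
    "4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E": date(2015, 4, 1),
    # CNNIC ROOT
    "8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F": date(2015, 4, 1),
}


def dns_name_in_subtree(name, subtree):
    """RFC 5280 4.2.1.10 dNSName rule: the subtree 'example.cn' covers
    example.cn itself and every label beneath it; a leading dot is tolerated."""
    name = name.lower().rstrip(".")
    subtree = subtree.lower().strip(".")
    return name == subtree or name.endswith("." + subtree)


def check_distrust_cutoff(chain):
    """Reject if the root is restricted and the leaf's notBefore is on or
    after that root's cutoff date. Returns (ok, reason)."""
    root, leaf = chain[-1], chain[0]
    cutoff = DISTRUST_AFTER.get(root["sha1"])
    if cutoff is None:
        return True, "root not restricted"
    if leaf["not_before"] < cutoff:
        return True, "leaf issued before %s" % cutoff
    return False, "leaf issued on/after %s under restricted root %s" % (cutoff, root["subject"])


def check_name_constraints(chain):
    """Apply permitted/excluded dNSName subtrees from every CA in the chain to
    the leaf's SAN dNSNames. An excluded match wins over a permitted one."""
    leaf = chain[0]
    for ca in chain[1:]:
        nc = ca.get("name_constraints")
        if not nc:
            continue
        permitted, excluded = nc.get("permitted", []), nc.get("excluded", [])
        for san in leaf["dns_names"]:
            if any(dns_name_in_subtree(san, ex) for ex in excluded):
                return False, "%s excluded by %s" % (san, ca["subject"])
            if permitted and not any(dns_name_in_subtree(san, p) for p in permitted):
                return False, "%s outside permitted subtrees of %s" % (san, ca["subject"])
    return True, "name constraints satisfied"


def evaluate_chain(chain):
    """Run both policy checks; the first failure decides the verdict."""
    for check in (check_distrust_cutoff, check_name_constraints):
        ok, reason = check(chain)
        if not ok:
            return False, reason
    return True, "accepted"


# Constructed test data: the sub-CA, its constraints and the hostnames are invented.
CNNIC_ROOT = {"subject": "CNNIC ROOT",
              "sha1": "8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F"}
OTHER_ROOT = {"subject": "Unrestricted Example Root", "sha1": "00:11:22:33"}
SUB_CA = {"subject": "Hypothetical Constrained Sub CA",
          "name_constraints": {"permitted": ["example.cn"],
                               "excluded": ["internal.example.cn"]}}


def leaf(dns_names, not_before):
    return {"subject": dns_names[0], "dns_names": dns_names, "not_before": not_before}


OLD_LEAF_CHAIN = [leaf(["www.example.cn"], date(2014, 12, 1)), SUB_CA, CNNIC_ROOT]
CUTOFF_DAY_CHAIN = [leaf(["www.example.cn"], date(2015, 4, 1)), SUB_CA, CNNIC_ROOT]
NEW_LEAF_CHAIN = [leaf(["www.example.cn"], date(2015, 6, 1)), SUB_CA, CNNIC_ROOT]
UNRESTRICTED_CHAIN = [leaf(["www.example.cn"], date(2016, 1, 1)), SUB_CA, OTHER_ROOT]
WRONG_DOMAIN_CHAIN = [leaf(["www.example.cn", "login.example.com"], date(2014, 1, 1)),
                      SUB_CA, CNNIC_ROOT]
EXCLUDED_CHAIN = [leaf(["host.internal.example.cn"], date(2014, 1, 1)), SUB_CA, CNNIC_ROOT]

if __name__ == "__main__":
    for label, chain in [("old leaf", OLD_LEAF_CHAIN), ("cutoff day", CUTOFF_DAY_CHAIN),
                         ("new leaf", NEW_LEAF_CHAIN), ("unrestricted", UNRESTRICTED_CHAIN),
                         ("wrong domain", WRONG_DOMAIN_CHAIN), ("excluded", EXCLUDED_CHAIN)]:
        print(label, evaluate_chain(chain))
```

The cutoff check looks only at the root and the leaf, which is why a leaf dated exactly on the cutoff day is rejected; the name-constraints check walks every CA above the leaf so that a constraint placed on any intermediate, not only the direct issuer, is honoured.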
(Assignee)

Comment 3

2 years ago
An Yin, please update this bug to provide status on these action items, and also to provide current audit statements.

Comment 4

2 years ago
Status update from CNNIC as follows:
1. CNNIC completed the WebTrust audit work as of Jan 15th, 2016. CNNIC provided all documentation and records of the system upgrade and process improvements to the auditor (Ernst & Young). The audit team confirmed that the audit report is still being reviewed by the E&Y American WebTrust team. We expect E&Y to provide the official report by the end of March.

2. This week, we started the audit based on the "WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2" and expect to complete it by Mar 31st.

3. Regarding the CT service, we completed the deployment and submitted an inclusion request in Chromium. Google is now doing the monitoring test work.

I will keep you updated once we get any update on the audit report.

Regards,
An Yin
(Assignee)

Comment 5

a year ago
An Yin, please update this bug again to let us know the current status.

Comment 6

a year ago
Sorry for the late update; we have the WebTrust report officially signed by E&Y and CNNIC management today.

I uploaded the report to the CNNIC website as follows:

http://cnnic.cn/jczyfw/fwqzs/fwqzsrzjzz/

The WebTrust seal is still in the application process. We expect the seal may go online in June, according to the auditors' update.

Regarding the improvement changes for intermediate CA authorization, the auditors will provide the audit report by the end of May.

We plan to re-apply for root inclusion after all the audit reports are complete.

Thanks.

Regards,
An Yin
(Assignee)

Comment 7

a year ago
An Yin, thank you for the update. I have a few questions about the audit statements.

The Previous Audit Statements that I have are:
https://cert.webtrust.org/SealFile?seal=1731&file=pdf
https://cert.webtrust.org/SealFile?seal=1730&file=pdf
Audit period from June 1, 2013 through May 31, 2014

New Audit Statements, posted here: http://www.cnnic.cn/jczyfw/fwqzs/fwqzsrzjzz/
Audit period from November 2, 2015 to February 29, 2016

The Baseline Requirements say:
"The period during which the CA issues Certificates SHALL be divided into an unbroken sequence of audit periods.
An audit period MUST NOT exceed one year in duration."

Perhaps I missed the audit statements covering the audit period from June 1, 2014 to November 1, 2015. 
Would you please send those to me?

Also, currently CNNIC has two root certificates included:
1) China Internet Network Information Center EV Certificates Root
SHA-1 Fingerprint: 4F:99:AA:93:FB:2B:D1:37:26:A1:99:4A:CE:7F:F0:05:F2:93:5D:1E
2) CNNIC ROOT
SHA-1 Fingerprint: 8B:AF:4C:9B:1D:F0:2A:92:F7:DA:12:8E:B9:1B:AC:F4:98:60:4B:6F

The new WebTrust CA audit statement lists "CNNIC Root" and its subordinates, so it is not clear to me if the "China Internet Network Information Center EV Certificates Root" certificate and its subordinate certificates were audited.

The new WebTrust BR audit statement says it is "for the Root CA: CNNIC CA", so it is not clear to me which of these root certificates and subordinate certificates were audited.

The new WebTrust EV audit statement does not indicate which root or intermediate certificates were included in the audit.

Regards,
Kathleen

Comment 8

a year ago
Dear Kathleen,

Regarding the question you raised, I communicated with the auditors and they explained as follows:

The auditors issued an audit report and expressed a QUALIFIED opinion on WebTrust for CNNIC CA for the audit period from June 1, 2014 to June 30, 2015, due to ineffective control of an external sub-CA.
All certificates issued by internally operated sub-CAs conform to the CPS. (We can send this report if necessary.)

CNNIC CA spent three months completing the remediation work, from July 1, 2015 to Nov 1, 2015.
Then the auditors performed a follow-up audit of CNNIC CA's remediation on the sub-CA in November 2015. The continuity of the audit period will be clarified in an additional audit report for the remediation phase.
(CNNIC is still waiting for this audit report; the auditors expect to issue it before May 31st.)

After that, the auditors initiated a second round of WebTrust audit in Feb 2016; the period was from Nov 2, 2015 to Feb 29, 2016. They issued the WebTrust report that I provided in my previous update.

The auditors have performed all audit procedures in accordance with the CA, EV and BR requirements on CNNIC CA's assets, including CNNIC ROOT and its SUB ROOTs (CNNIC SSL, CNNIC SHA256SSL, DQ SSL), and the EV ROOT (China Internet Network Information Center EV Certificates Root) and its EV SUB ROOT (EV SSL).

Regards,
An Yin
(Assignee)

Comment 9

a year ago
(In reply to anyin from comment #8)
> Dear Kathleen,
> 
> Regarding the question you raised, I communicated with the auditors and they
> explained as follows, 
> 
> The auditors  issued an audit report and expressed a QUALIFIED opinion on
> Webtrust for CNNIC CA during the audit period from June 1, 2014 to June 30,
> 2015, due to the ineffective control on external sub-CA.
> All certificate issued by sub-CA internal operated are conforming to the
> CPS. (We can send this report if it is necessary).
> 
> CNNIC CA spent three months completing the remediation work from July 1,
> 2015 to Nov 1, 2015.
> Then, the auditors performed the follow-up audit to CNNIC CA's remediation
> on sub-CA in November, 2015. The continuity of audit period will be
> clarified in additional audit report of the remediation phase.
> (CNNIC are still waiting for this audit report, the auditors expected to
> issue report before May 31th.)

Please provide an update on this.

Comment 10

a year ago
Created attachment 8772252
1: CNNIC Remediation Phase 2015 Audit Letter.pdf

Comment 11

a year ago
Dear Kathleen, 

We received the audit letter for CNNIC's sub-CA remediation work from the auditors last week. I have attached it to this bug.

The WebTrust seal is still in the application process; it may go online in 2 weeks according to the auditors' update.

Regards,
An Yin
(Assignee)

Comment 12

a year ago
(In reply to anyin from comment #11)
> Dear Kathleen, 
> 
> We received the audit letter for CNNIC Sub-CA remediation work from the
> auditors last week. I attached it into this bug. 
> 
> The Webtrust seal are still on applying process, it may online in 2 weeks
> according to the auditors update.
> 
> 
> Regards,
> An Yin

Thank you for the update. Please add a comment to this bug to provide URLs to the WebTrust seals when they are available.

Comment 13

a year ago
Dear Kathleen,

We just received an update from the auditors that the CNNIC WebTrust seal went live today. Please see the links below:

https://cert.webtrust.org/ViewSeal?id=2092     WebTrust CA
https://cert.webtrust.org/ViewSeal?id=2091     WebTrust EV

Please check them and let me know if you have any problems.

Regards,
An Yin
(Assignee)

Comment 14

11 months ago
(In reply to anyin from comment #6)
> We plan to re-apply root inclusion after all the audit report complete.

An Yin, Does CNNIC still plan to re-apply for root inclusion?

If yes, please follow the instructions and create a new Bugzilla Bug as described here:
https://wiki.mozilla.org/CA:How_to_apply#Creation_and_submission_of_the_root_CA_certificate_inclusion_request

Thanks,
Kathleen

Comment 15

11 months ago
Yes, we are preparing materials to re-apply for root inclusion.
We may submit the request within the next 2 weeks. Thanks for the reminder.

Regards,
An Yin

Comment 16

10 months ago
One question though: the CNNIC audit reports linked via WebTrust above are from Ernst & Young Hong Kong, which is involved in the WoSign debacle:
https://wiki.mozilla.org/CA:WoSign_Issues#Issue_J:_Various_BR_Violations_.28Apr_2015.29

and you wrote in the thread "Remediation Plan for WoSign and StartCom"
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/BV5XyFJLnQM

3) No longer accept audits carried out by Ernst & Young Hong Kong.

to which Gervase Markham followed up with:
To be clear, this is a permanent ban, applicable worldwide, but only to
the Hong Kong branch of E&Y. (If further issues are found with E&Y
audits elsewhere, then we might consider something with wider scope.)

I think that since Mozilla won't accept audit reports from E&Y HK, given the WoSign issues that they failed to flag, the E&Y audit reports for CNNIC should also be rejected and a different auditor should be selected, using the same auditor selection criteria as for the WoSign remediation plan.

Adrian R.
Flags: needinfo?(kwilson)
(Assignee)

Comment 17

10 months ago
I think that what Gerv said in the discussion thread makes sense...
https://groups.google.com/d/msg/mozilla.dev.security.policy/BV5XyFJLnQM/zPrA24uUAAAJ
""
The audit report CNNIC has submitted covers the period from November 2,
2015 to February 29, 2016. Therefore, we would expect them to be
starting the process of getting another yearly audit in about 2 weeks
anyway, although it won't be done until next year.

I think the fairest thing is to allow them to proceed with the inclusion
application, get them in the queue, and follow through all the steps,
expecting that by the time they get to the end, their new audit (by
another auditor) will be completed.
""
Flags: needinfo?(kwilson)

Updated

10 months ago
Blocks: 1312957
(Assignee)

Comment 18

10 months ago
After further discussion in the thread listed in Comment #17, it was determined that another branch of EY should check the current audit that was performed by EY Hong Kong. Therefore, EY China or another EY APAC office (or any other branch of EY) will need to provide a revised opinion. EY Hong Kong has been informed of this, and they should be reaching out to CNNIC soon to work to get this resolved.
(Assignee)

Updated

9 months ago
Whiteboard: Incident Action Items
(Assignee)

Comment 19

7 months ago
I believe that CNNIC has completed the action items listed in this bug, and that we are just waiting for an updated audit statement from an auditor other than EY Hong Kong. Therefore, I believe it is OK for us to proceed with Bug #1312957, with the note that the additional audit statement will be needed.
(Assignee)

Comment 20

5 months ago
Closing this bug as resolved. All further follow up should be in Bug #1312957.
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → FIXED

Updated

4 months ago
Product: mozilla.org → NSS