Closed
Bug 1312957
Opened 8 years ago
Closed 5 years ago
Add [China Internet Network Information Center (CNNIC) CA] root certificate(s)
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: anyin, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: [ca-verifying] - Need BR Self Assessment)
Attachments
(1 file)
192.29 KB,
application/pdf
CA Details
----------
CA Name: China Internet Network Information Center (CNNIC)
Website: http://www.cnnic.cn
One Paragraph Summary of CA, including the following:
China Internet Network Information Center (abbreviated as CNNIC) is an administration and service organization set up on June 3, 1997 upon the approval of the competent authority, and it undertakes the responsibilities of the national Internet network information center.
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: E&Y
Auditor Website: http://www.ey.com/
Audit Document URL(s):
https://cert.webtrust.org/ViewSeal?id=2092
https://cert.webtrust.org/ViewSeal?id=2091

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root certificates in the store, not intermediates.)
Certificate Name: CNNIC ROOT
Summary Paragraph, including the following:
CNNIC ROOT is used for OV and DV SSL certificate issuance. CNNIC ROOT has the DQ SSL, CNNIC SSL and CNNIC SHA256 SSL intermediates, operated by CNNIC internally; DQ SSL and CNNIC SSL have stopped issuing certificates. Now only CNNIC SHA256 SSL is used to issue SHA256 OV SSL certificates for entity customers.
Certificate download URL (on CA website): http://www.cnnic.cn/download/cert/CNNICROOT.cer
Version: The X.509 certificate version V3
SHA1 Fingerprint: 8b af 4c 9b 1d f0 2a 92 f7 da 12 8e b9 1b ac f4 98 60 4b 6f
Public key length (for RSA, modulus length) in bits: 2048 RSA
Valid From (YYYY-MM-DD): 2007-4-16 15:09:14
Valid To (YYYY-MM-DD): 2027-4-16 15:09:14
CRL HTTP URL: http://crl.cnnic.cn/download/rootsha2crl/CRL1.crl
CRL issuing frequency for subordinate end-entity certificates: 12 hours
CRL issuing frequency for subordinate CA certificates: 6 months
OCSP URL:
http://ocspcnnicroot.cnnic.cn
http://ocspsha2ssl.cnnic.cn/
Class (domain-validated, identity/organizationally-validated or EV):
• OV ---- CNNIC SHA256 SSL chains to CNNIC ROOT and issues SHA-256 OV SSL certificates. CNNIC SSL chains to CNNIC ROOT and stopped issuing SHA-1 OV certificates on Jan 28th, 2015.
• DV ---- CNNIC DQ SSL chains to CNNIC ROOT and issued SHA-1 DV certificates; it has already stopped issuing SHA-1 certificates. We plan to deploy a new SHA256 intermediate certificate to issue SHA256 DQ certificates.
Certificate Policy URL: http://cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/t20120615_29271.htm
CPS URL: http://www.cnnic.cn/cps/
Requested Trust Indicators (email and/or SSL and/or code signing): SSL
URL of example website using certificate subordinate to this root (if applying for SSL): https://ctserver.cnnic.cn
Comment 1•8 years ago
Aaron and Francis, Please do the Information Verification. https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Updated•8 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Updated•8 years ago
Whiteboard: Information incomplete - Begin Information Verification
Updated•8 years ago
Assignee: kwilson → frlee
Comment 2•7 years ago
hi Anyin,

I have started your certificate information verification process, but I need your help to make sure that you have acknowledged our policy, and also to identify which CP/CPS section describes each of the following items:

please read through our wiki link provided below.

Recommended Practices:

1. NEED CA's response to each of the items listed in https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
 1) Publicly Available CP and CPS: (please provide direct links)
 2) CA Hierarchy: (please provide which sections in CP/CPS, same for all following items)
 3) Audit Criteria:
 4) Document Handling of IDNs in CP/CPS:
 5) Revocation of Compromised Certificates:
 6) Verifying Domain Name Ownership:
 7) Verifying Email Address Control:
 8) Verifying Identity of Code Signing Certificate Subscriber:
 9) DNS names go in SAN:
 10) Domain owned by a Natural Person:
 11) OCSP:
 12) Network Security Controls:

Problematic Practices:

2. NEED CA's response to each of the items listed in https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices
 1) Long-lived DV certificates:
 2) Wildcard DV SSL certificates:
 3) Email Address Prefixes for DV Certs:
 4) Delegation of Domain / Email validation to third parties:
 5) Issuing end entity certificates directly from roots:
 6) Allowing external entities to operate subordinate CAs:
 7) Distributing generated private keys in PKCS#12 files:
 8) Certificates referencing hostnames or private IP addresses:
 9) Issuing SSL Certificates for Internal Domains:
 10) OCSP Responses signed by a certificate under a different root:
 11) SHA-1 Certificates:
 12) Generic names for CAs:
 13) Lack of Communication With End Users:
 14) Backdating the notBefore date:

thank you very much
Comment 3•7 years ago
I suggest that processing this bug report not be rushed until the issues in bug #1177209 are addressed. The data collection process outlined in comment #2 should thus include CNNIC's response to #1177209.
(In reply to Francis Lee [:frlee] from comment #2)
> hi Anyin,
>
> i have started your certificate information verification process, but i need
> your help to make sure that you have acknowledgement our policy and also
> identify in which CP/CPS section describes each of following items:
>
> please read through our wiki link provided below.
>
> Recommended Practices:
>
> 1. NEED CA's response to each of the items listed in
> https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
> 1) Publicly Available CP and CPS: (please provide direct links)

CPS http://www.cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020161026393737627803.pdf
CP http://cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020160421527397195222.pdf
We only have an English version for the CP.

> 2) CA Hierarchy: (please provide which sections in CP/CPS, same for all
> following items)

Chapter 1.3.1

> 3) Audit Criteria:

Chapter 8

> 4) Document Handling of IDNs in CP/CPS:

We don't have a specific process for IDNs in the CP/CPS. So far, the only IDN for which CNNIC issues certificates is .中国 (.China), and the cert is for a domain CNNIC owns.

> 5) Revocation of Compromised Certificates:

Chapter 4.8.1

> 6) Verifying Domain Name Ownership:

Chapter 3.2.2

> 7) Verifying Email Address Control:

N/A

> 8) Verifying Identity of Code Signing Certificate Subscriber:

N/A

> 9) DNS names go in SAN:

Chapter 3.1.1

> 10) Domain owned by a Natural Person:

Chapter 3.2.3, 4.2.1

> 11) OCSP:

Chapter 7.3

> 12) Network Security Controls:

Chapter 6.7. We also perform network security controls according to the internal document <CNNIC CA security management policy and regulations>, which is checked in the annual WebTrust audit. Since it has a Chinese version only, we can provide an English version which includes the major network security controls.

>
> Problematic Practices:
>
> 2. NEED CA's response to each of the items listed in
> https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices
>
> 1) Long-lived DV certificates:

None

> 2) Wildcard DV SSL certificates:

None

> 3) Email Address Prefixes for DV Certs:

None

> 4) Delegation of Domain / Email validation to third parties:

None

> 5) Issuing end entity certificates directly from roots:

None

> 6) Allowing external entities to operate subordinate CAs:

None

> 7) Distributing generated private keys in PKCS#12 files:

None

> 8) Certificates referencing hostnames or private IP addresses:

None

> 9) Issuing SSL Certificates for Internal Domains:

None

> 10) OCSP Responses signed by a certificate under a different root:

None

> 11) SHA-1 Certificates:

Stopped issuing SHA-1 certificates from September 28th, 2016.

> 12) Generic names for CAs:

None

> 13) Lack of Communication With End Users:

None

> 14) Backdating the notBefore date:

None

>
> thank you very much

Dear Francis,

I listed some information and chapters as you required in our CPS. Please have a check. Please let me know if you need any further information.

Regards,
An Yin
Dear Francis,

Please kindly review the information I replied with.

Regards,
An Yin
Updated•7 years ago
Assignee: frlee → awu
Whiteboard: Information incomplete - Begin Information Verification → [ca-verification]
Hi An-Yin,

It is Aaron Wu who will take over the work of information verification on this case. I've done the 1st round of Information Verification; please see the attachment in Comment #6. We need more information from you for the items marked as "Need Response from CA".

For Test Website please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: "The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates .."

For CA/Browser Forum Lint Test, there are two errors which we need you to fix before moving to the next phase.

- ERROR 1: CA certificates must set keyUsage extension as critical
 - Meaning: The Baseline Requirements say that the keyUsage extension MUST be present and MUST be marked critical.
 - Recommended Resolution: This requirement applies to all CA certs that are created after the first BR Effective Date of 01-Jul-2012. In general, CAs should not be requesting inclusion of CA certs created before that date.

- ERROR 2: Unallowed key usage for RSA public key
 - Meaning: A certificate with an RSA key should not assert keyAgreement.
 - Recommended Resolution: A certificate that has an RSA key and asserts the keyAgreement usage is technically a non-conforming certificate. We are not aware of any implementation that would actually have a problem verifying that certificate, but we think that CAs should not be issuing certificates with this problem.

Please help to update sufficient information in the attachment and fix the errors shown above, thanks for your cooperation!

Kind regards,
Aaron
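The two lint errors in the comment above, reimplemented as an added example (this is not Mozilla's lint tool, nor CNNIC's or any project's code): a pure-stdlib Python DER walker that checks a CA certificate for a critical keyUsage extension and for an RSA key that asserts keyAgreement. The certificate it lints is a constructed, unsigned skeleton built by the block's own mini-encoder (empty names, placeholder key, dates and signature), not the CNNIC ROOT certificate, and all function names are my own.

```python
# Constructed example: the two CA/Browser Forum lint checks quoted above as a
# pure-stdlib DER walk. Only the fields the checks need are decoded; nothing is
# signature-verified, and the sample certificate below is a placeholder skeleton.
OID_KEY_USAGE = "2.5.29.15"
OID_BASIC_CONSTRAINTS = "2.5.29.19"
OID_RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
# keyUsage BIT STRING, first byte, MSB first: bit 4 keyAgreement, 5 keyCertSign, 6 cRLSign
KU_KEY_AGREEMENT, KU_KEY_CERT_SIGN, KU_CRL_SIGN = 0x08, 0x04, 0x02

def der_read(buf, pos=0):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    # Split a constructed value's contents into (tag, value) items.
    items, pos = [], 0
    while pos < len(value):
        tag, v, pos = der_read(value, pos)
        items.append((tag, v))
    return items

def decode_oid(value):
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def lint_certificate(cert_der):
    """Return the list of violated checks (empty when the certificate passes)."""
    fields = der_children(der_children(der_read(cert_der)[1])[0][1])   # TBSCertificate
    if fields[0][0] == 0xA0:                            # explicit [0] version is optional
        fields = fields[1:]
    spki = fields[5][1]                                 # serial, sigAlg, issuer, validity, subject, SPKI
    spki_alg = decode_oid(der_children(der_children(spki)[0][1])[0][1])
    key_usage, is_ca = None, False                      # key_usage -> (critical, first bits byte)
    for tag, value in fields[6:]:
        if tag != 0xA3:                                 # extensions live in explicit [3]
            continue
        for _, ext in der_children(der_children(value)[0][1]):
            parts = der_children(ext)                   # OID, optional BOOLEAN critical, OCTET STRING
            oid = decode_oid(parts[0][1])
            critical = len(parts) == 3 and parts[1][1] == b"\xff"
            inner = der_read(parts[-1][1])[1]
            if oid == OID_KEY_USAGE:                    # BIT STRING: unused-bit count, then bits
                key_usage = (critical, inner[1] if len(inner) > 1 else 0)
            elif oid == OID_BASIC_CONSTRAINTS:          # SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
                bc = der_children(inner)
                is_ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] == b"\xff"
    errors = []
    if is_ca and not (key_usage and key_usage[0]):
        errors.append("CA certificates must set keyUsage extension as critical")
    if spki_alg == OID_RSA_ENCRYPTION and key_usage and key_usage[1] & KU_KEY_AGREEMENT:
        errors.append("Unallowed key usage for RSA public key")
    return errors

def der_tlv(tag, payload):
    # Minimal DER encoder, used only to construct the sample certificates.
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        body += bytes(chunk)
    return der_tlv(0x06, bytes(body))

def sample_ca_certificate(key_usage_bits, key_usage_critical):
    """Unsigned RSA-keyed CA certificate skeleton (constructed sample, not a real
    CNNIC certificate): empty names, placeholder key, dates and signature."""
    seq = lambda *items: der_tlv(0x30, b"".join(items))
    ext = lambda oid, critical, inner: seq(
        encode_oid(oid), b"\x01\x01\xff" if critical else b"", der_tlv(0x04, inner))
    rsa_alg = seq(encode_oid(OID_RSA_ENCRYPTION), b"\x05\x00")
    spki = seq(rsa_alg, der_tlv(0x03, b"\x00\x30\x03\x02\x01\x03"))
    validity = seq(der_tlv(0x17, b"230101000000Z"), der_tlv(0x17, b"330101000000Z"))
    extensions = seq(
        ext(OID_KEY_USAGE, key_usage_critical, der_tlv(0x03, bytes([1, key_usage_bits]))),
        ext(OID_BASIC_CONSTRAINTS, True, seq(b"\x01\x01\xff")))
    tbs = seq(der_tlv(0xA0, b"\x02\x01\x02"), b"\x02\x01\x01", rsa_alg,   # v3, serial 1
              seq(), validity, seq(), spki, der_tlv(0xA3, extensions))
    return seq(tbs, rsa_alg, der_tlv(0x03, b"\x00"))

if __name__ == "__main__":
    bad = sample_ca_certificate(0x80 | KU_KEY_AGREEMENT | KU_KEY_CERT_SIGN | KU_CRL_SIGN, False)
    good = sample_ca_certificate(KU_KEY_CERT_SIGN | KU_CRL_SIGN, True)
    print("non-conforming:", lint_certificate(bad))
    print("conforming:", lint_certificate(good) or "OK")
```

Run stand-alone, the script lints one skeleton with a non-critical keyUsage that asserts keyAgreement (both errors fire) and one with a critical keyCertSign|cRLSign keyUsage (passes). Pointing `lint_certificate` at a real DER file only needs `open(path, "rb").read()`; the walker only decodes the fields these two checks need, so it is a teaching aid, not a replacement for a full linter.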
Dear Aaron,

Thanks for your verification and response. Regarding the 3 errors you raised:
For error 1, we will build 3 test websites and provide (i) valid, (ii) revoked, (iii) expired certificates for testing.
For errors 2 & 3, we plan to renew our root certificate to fix these 2 errors.
For the further information you need a response on, I will update this week.

Regards,
An Yin
Hi An Yin,

Thanks for your response! Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note: Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background =
We are adding a BR-self-assessment step to Mozilla's root inclusion/change process. Description of this new step is here: https://wiki.mozilla.org/CA:BRs-Self-Assessment
It includes a link to a template for CA's BR Self Assessment, which is a Google Doc: https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing
Phase-in plan is here: https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any question, thank you!

Kind regards,
Aaron
Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment
Updated•7 years ago
Product: mozilla.org → NSS
Comment 10•7 years ago
Will also need CNNIC's response to Mozilla's April 2017 CA Communication, before proceeding with this request. https://wiki.mozilla.org/CA/Communications#April_2017
Comment 11•6 years ago
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson
Comment 12•5 years ago
Closing due to lack of response by CA.
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Updated•2 years ago
Product: NSS → CA Program