Closed Bug 1312957 Opened 8 years ago Closed 5 years ago

Add [China Internet Network Information Center (CNNIC) CA] root certificate(s)

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: anyin, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: [ca-verifying] - Need BR Self Assessment)

Attachments

(1 file)

CA Details
----------

CA Name: China Internet Network Information Center (CNNIC)
Website: http://www.cnnic.cn
One Paragraph Summary of CA, including the following:
China Internet Network Information Center (abbreviated as CNNIC) is an administration and service organization set up on June 3, 1997 upon the approval of the competent authority and undertakes the responsibilities as the national Internet network information center.

Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: E&Y
Auditor Website: http://www.ey.com/
Audit Document URL(s):
https://cert.webtrust.org/ViewSeal?id=2092
https://cert.webtrust.org/ViewSeal?id=2091

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name: CNNIC ROOT
Summary Paragraph, including the following:

CNNIC ROOT is used for OV and DV SSL certificate issuance.
CNNIC ROOT has the DQ SSL, CNNIC SSL and CNNIC SHA256 SSL intermediate roots, operated by CNNIC internally; DQ SSL and CNNIC SSL have stopped issuing certificates. Now only CNNIC SHA256 SSL is used to issue SHA256 OV SSL certificates for entity customers.

Certificate download URL (on CA website): http://www.cnnic.cn/download/cert/CNNICROOT.cer
Version: X.509 certificate version V3
SHA1 Fingerprint: 8b af 4c 9b 1d f0 2a 92 f7 da 12 8e b9 1b ac f4 98 60 4b 6f
Public key length (for RSA, modulus length) in bits: 2048 RSA
Valid From (YYYY-MM-DD): 2007-04-16 15:09:14
Valid To (YYYY-MM-DD): 2027-04-16 15:09:14

CRL HTTP URL: http://crl.cnnic.cn/download/rootsha2crl/CRL1.crl
CRL issuing frequency for subordinate end-entity certificates: 12 hours
CRL issuing frequency for subordinate CA certificates: 6 months
OCSP URL: 
http://ocspcnnicroot.cnnic.cn
http://ocspsha2ssl.cnnic.cn/

Class (domain-validated, identity/organizationally-validated or EV): 
• OV: CNNIC SHA256 SSL chains to CNNIC ROOT and issues SHA-256 OV SSL certificates. CNNIC SSL chains to CNNIC ROOT and stopped issuing SHA-1 OV certificates on Jan 28th, 2015.
• DV: CNNIC DQ SSL chains to CNNIC ROOT and issued SHA-1 DV certificates; it has already stopped issuing SHA-1 certificates. We plan to deploy a new SHA-256 intermediate certificate to issue SHA-256 DQ certificates.

Certificate Policy URL: http://cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/t20120615_29271.htm
CPS URL: http://www.cnnic.cn/cps/
Requested Trust Indicators (email and/or SSL and/or code signing): SSL
URL of example website using certificate subordinate to this root
(if applying for SSL): https://ctserver.cnnic.cn
Aaron and Francis, Please do the Information Verification.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Depends on: 1177209
Whiteboard: Information incomplete - Begin Information Verification
Assignee: kwilson → frlee
Hi Anyin,

I have started your certificate information verification process, but I need your help to make sure that you have acknowledged our policy, and also to identify which CP/CPS section describes each of the following items:

Please read through our wiki link provided below.

Recommended Practices:

1. NEED CA's response to each of the items listed in https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
1) Publicly Available CP and CPS: (please provide direct links)
2) CA Hierarchy: (please provide which sections in CP/CPS, same for all following items)
3) Audit Criteria: 
4) Document Handling of IDNs in CP/CPS: 
5) Revocation of Compromised Certificates: 
6) Verifying Domain Name Ownership: 
7) Verifying Email Address Control: 
8) Verifying Identity of Code Signing Certificate Subscriber:  
9) DNS names go in SAN: 
10) Domain owned by a Natural Person: 
11) OCSP: 
12) Network Security Controls:

Problematic Practices:

2. NEED CA's response to each of the items listed in https://wiki.mozilla.org/CA:Problematic_Practices#Potentially_problematic_CA_practices

1) Long-lived DV certificates:
2) Wildcard DV SSL certificates:
3) Email Address Prefixes for DV Certs: 
4) Delegation of Domain / Email validation to third parties: 
5) Issuing end entity certificates directly from roots: 
6) Allowing external entities to operate subordinate CAs: 
7) Distributing generated private keys in PKCS#12 files: 
8) Certificates referencing hostnames or private IP addresses: 
9) Issuing SSL Certificates for Internal Domains: 
10) OCSP Responses signed by a certificate under a different root: 
11) SHA-1 Certificates:
12) Generic names for CAs: 
13) Lack of Communication With End Users: 
14) Backdating the notBefore date:

thank you very much
I suggest that processing this bug report not be rushed until the issues in bug #1177209 are addressed.  The data collection process outlined in comment #2 should thus include CNNIC's response to #1177209.
(In reply to Francis Lee [:frlee] from comment #2)
> hi Anyin,
> 
> i have started your certificate information verification process, but i need
> your help to make sure that you have acknowledgement our policy and also
> identify in which CP/CPS section describes each of following items:
> 
> please read through our wiki link provided below.
> 
> Recommended Practices:
> 
> 1. NEED CA's response to each of the items listed in
> https://wiki.mozilla.org/CA:Recommended_Practices#CA_Recommended_Practices
> 1) Publicly Available CP and CPS: (please provide direct links)
CPS http://www.cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020161026393737627803.pdf
CP http://cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020160421527397195222.pdf
We only have English version for CP.
> 2) CA Hierarchy: (please provide which sections in CP/CPS, same for all
> following items)
Chapter 1.3.1
> 3) Audit Criteria: 
Chapter 8
> 4) Document Handling of IDNs in CP/CPS: 
We don't have a specific process for IDNs in the CP/CPS. So far, the only IDN for which CNNIC has issued a certificate is .中国 (.China), and the cert is for a domain CNNIC owns.
> 5) Revocation of Compromised Certificates: 
Chapter 4.8.1
> 6) Verifying Domain Name Ownership: 
Chapter 3.2.2
> 7) Verifying Email Address Control:  N/A
> 8) Verifying Identity of Code Signing Certificate Subscriber:  N/A
> 9) DNS names go in SAN: 
Chapter 3.1.1
> 10) Domain owned by a Natural Person: 
Chapter 3.2.3, 4.2.1
> 11) OCSP: 
Chapter 7.3
> 12) Network Security Controls:
Chapter 6.7. We also perform network security according to the internal document <CNNIC CA security management policy and regulations>, which is checked in the WebTrust annual audit. Since it has a Chinese version only, we can provide an English version which includes the major network security controls.
> 
> Problematic Practices:
> 
> 2. NEED CA's response to each of the items listed in
> https://wiki.mozilla.org/CA:
> Problematic_Practices#Potentially_problematic_CA_practices
> 
> 1) Long-lived DV certificates: None
> 2) Wildcard DV SSL certificates: None
> 3) Email Address Prefixes for DV Certs: None
> 4) Delegation of Domain / Email validation to third parties: None
> 5) Issuing end entity certificates directly from roots: None
> 6) Allowing external entities to operate subordinate CAs: None
> 7) Distributing generated private keys in PKCS#12 files: None
> 8) Certificates referencing hostnames or private IP addresses: None
> 9) Issuing SSL Certificates for Internal Domains: None
> 10) OCSP Responses signed by a certificate under a different root: None
> 11) SHA-1 Certificates: Stopped issue SHA-1 certificates from September 28th, 2016.
> 12) Generic names for CAs: None
> 13) Lack of Communication With End Users: None
> 14) Backdating the notBefore date: None
> 
> thank you very much

Dear Francis,

I listed the information and chapters you required from our CPS. Please have a check.
Please let me know if you need any further information.

Regards,
An Yin
Dear Francis,

Please kindly review the information I replied.

Regards,
An Yin
Assignee: frlee → awu
Whiteboard: Information incomplete - Begin Information Verification → [ca-verification]
Hi An-Yin,

It is Aaron Wu who will take over the work of information verification on this case.

I've done the 1st round of Information Verification; please see the attachment in Comment#6. We need more information from you on the items marked as "Need Response from CA".

For Test Website please provide (i) valid, (ii) revoked, (iii) expired.
CA Browser Forum section 2.2: “The CA SHALL host test Web pages that allow Application Software Suppliers to test their software with Subscriber Certificates that chain up to each publicly trusted Root Certificate. At a minimum, the CA SHALL host separate Web pages using Subscriber Certificates ..”

For the CA/Browser Forum Lint Test, there are two errors which we need you to fix before moving to the next phase.
- ERROR 1: CA certificates must set keyUsage extension as critical
  - Meaning: The Baseline Requirements say that the keyUsage extension MUST be present and MUST be marked critical.
  - Recommended Resolution: This requirement applies to all CA certs that are created after the first BR Effective Date of 01-Jul-2012. In general, CAs should not be requesting inclusion of CA certs created before that date.

- ERROR 2: Unallowed key usage for RSA public key
  - Meaning: A certificate with an RSA key should not assert keyAgreement.
  - Recommended Resolution: A certificate that has an RSA key and asserts the keyAgreement usage is technically a non-conforming certificate. We are not aware of any implementation that would actually have a problem verifying that certificate, but we think that CAs should not be issuing certificates with this problem.

Please help to update the information in the attachment and fix the errors shown above; thanks for your cooperation!

Kind regards,
Aaron
Whiteboard: [ca-verification] → [ca-verifying]
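As an added example (not code from this bug, from CNNIC, or from Mozilla's lint tooling), the following stdlib-only Python decodes a DER-encoded X.509 keyUsage extension and flags the two lint findings quoted above: a keyUsage extension that is not marked critical on a CA certificate, and keyAgreement asserted together with an RSA key. The two extension encodings at the bottom are constructed sample inputs, not bytes taken from the CNNIC ROOT certificate.

```python
# Lint checks for the X.509 keyUsage extension (id-ce-keyUsage, OID 2.5.29.15).
# Added example; assumes the caller has already extracted the Extension
# SEQUENCE from the certificate's extensions list and knows the key type.
KEY_USAGE_OID = bytes.fromhex("551d0f")  # DER-encoded 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly"]


def _tlv(buf, pos):
    """Read one DER tag/length/value starting at pos -> (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos += n
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_key_usage_extension(der):
    """Return (critical, set_of_usage_names) for a DER Extension SEQUENCE."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "Extension must be a SEQUENCE"
    tag, oid, pos = _tlv(body, 0)
    assert tag == 0x06 and oid == KEY_USAGE_OID, "not a keyUsage extension"
    critical = False                    # DER: absent BOOLEAN means DEFAULT FALSE
    tag, val, pos = _tlv(body, pos)
    if tag == 0x01:                     # optional 'critical' BOOLEAN present
        critical = val == b"\xff"
        tag, val, pos = _tlv(body, pos)
    assert tag == 0x04, "extnValue must be an OCTET STRING"
    tag, bits, _ = _tlv(val, 0)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, data = bits[0], bits[1:]    # first byte = number of unused trailing bits
    nbits = len(data) * 8 - unused
    usages = {name for i, name in enumerate(KEY_USAGE_BITS)
              if i < nbits and data[i // 8] & (0x80 >> (i % 8))}
    return critical, usages


def lint_ca_key_usage(der, key_is_rsa=True):
    """Return the list of findings matching the two lint errors in the bug."""
    critical, usages = parse_key_usage_extension(der)
    findings = []
    if not critical:
        findings.append("keyUsage extension is not marked critical")
    if key_is_rsa and "keyAgreement" in usages:
        findings.append("RSA key asserts keyAgreement")
    return findings


# Constructed sample inputs: critical keyCertSign+cRLSign (conforming), and a
# non-critical extension that also asserts keyAgreement (both lint errors).
GOOD_CA_KEY_USAGE = bytes.fromhex("300e0603551d0f0101ff040403020106")
NONCONFORMING_KEY_USAGE = bytes.fromhex("300b0603551d0f04040302010e")
```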
Dear Aaron,

Thanks for your verification and response.

Regarding the 3 errors you raised:
For error 1, we will build 3 test websites and provide (i) valid, (ii) revoked, (iii) expired certificates for testing.
For errors 2 & 3, we plan to renew our root certificate to fix these 2 errors.

For the other items needing a response, I will update this week.

Regards,
An Yin
Hi An Yin,

Thanks for your response!

Please also perform the BR Self Assessment, and attach the resulting BR-self-assessment document to this bug.

Note:
Current version of the BRs: https://cabforum.org/baseline-requirements-documents/
Until a version of the BRs is published that describes all of the allowed methods of domain validation, use version 1.4.1 for section 3.2.2.4 (Domain validation): https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.1.pdf

= Background =

We are adding a BR-self-assessment step to Mozilla's root inclusion/change process.

Description of this new step is here:
https://wiki.mozilla.org/CA:BRs-Self-Assessment

It includes a link to a template for CA's BR Self Assessment, which is a Google Doc:
https://docs.google.com/spreadsheets/d/1ni41Czial_mggcax8GuCBlInCt1mNOsqbEPzftuAuNQ/edit?usp=sharing

Phase-in plan is here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Y-PxWRCIcck/Fi9y6vOACQAJ

Please let me know if you have any questions, thank you!


Kind regards,
Aaron
Whiteboard: [ca-verifying] → [ca-verifying] - Need BR Self Assessment
Product: mozilla.org → NSS
Will also need CNNIC's response to Mozilla's April 2017 CA Communication, before proceeding with this request.
https://wiki.mozilla.org/CA/Communications#April_2017
Bulk reassign, see https://bugzilla.mozilla.org/show_bug.cgi?id=1430324
Assignee: awu → kwilson

Closing due to lack of response by CA.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
QA Contact: kwilson
Resolution: --- → WONTFIX
Product: NSS → CA Program