Open Bug 1748579 Opened 2 years ago Updated 8 months ago

Add Aspire root certificates

Categories

(CA Program :: CA Certificate Root Program, task, P5)

Tracking

(Not tracked)

ASSIGNED

People

(Reporter: tongjing, Assigned: bwilson)

References

Details

(Whiteboard: [ca-initial])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.62

Steps to reproduce:

Access via Firefox https://www.cmca.net/

Actual results:

Because it is not in the list of certification authorities, the page displays a warning: facing potential security risks. You need to confirm that you accept the risk and continue to the site.

Expected results:

We hope the Aspire root certificate will be added to Firefox's list of certification authorities, so that https://www.cmca.net/ can be accessed normally.

Please see
https://wiki.mozilla.org/CA/Application_Process
https://wiki.mozilla.org/CA/Application_Instructions#Create_Root_Inclusion.2FUpdate_Request
https://wiki.mozilla.org/CA/Information_Checklist

The requested information needs to be in the CCADB and referenced here; we no longer put the information in documents and attach them to bugs.

In several places it was stated that the information had to be public and not to check any boxes to hide the visibility of the bugs. And because the information needs to be public, not to include sensitive or proprietary information. Before we make this bug public, is there anything in the attached document that shouldn't be there?

Flags: needinfo?(tongjing)

Basic information of CA organization/company

CA organization/company: Aspire Digital Technology (Shenzhen) Co., Ltd.
Organization/company website: https://www.cmca.net/
Business type: WFOE

Key market/customer base
  What kind of customer will the CA serve?
    1. Internal and external business platforms/systems of China Mobile
    2. Financial, medical and government affairs customers
  Does the CA serve only one country or region?
    No specific country or region.
  What sites have been issued SM2 domain name certificates (SSL certificates), and how are they being used?
    Not available.

Impact on Firefox users
  Why does the CA need its own root certificate built into the Firefox root trust store, rather than obtaining trusted intermediates from a root certificate already in the Firefox trust store?
    CMCA is one of the organizations approved by the Ministry of Industry and Information Technology and has its own root certificate.
  Specify which users need to rely on the root certificate to browse websites (https access)
    China Mobile insiders and their customers visit its official website.

Inclusion in other browsers
  Is the root certificate submitted for inclusion already embedded in another browser? If yes, please list them.
    No.

Preferred contact method of CA (POC)
  Contact email address: tongjing@aspirecn.com
  Email alias: /
  CA organization contact number: 13926420102
  The representative of the CA organization must personally submit and/or participate in the inclusion application.

Technical parameters of the root certificate
  Root certificate name (a display name suitable for showing certificate information): CMCA SM2 ROOT CA
  Certificate serial number: 010009
  Issuer field (the organization name and common name fields in the issuer must carry sufficient CA organization information):
    CN = CMCA SM2 ROOT CA
    O = CMCA
    C = CN
  Fingerprint: e939b533b1383273e9b93a9104b485952e532e51
  Validity period begins: May 6, 2021 17:05:10
  Validity period ends: April 30, 2046 17:05:10
  Version: V3
  Certificate signature algorithm: AS:SM2+SM3 (SM3/SM2)
  Signature key parameter: AS:SM2-256 bits, 1.2.156.10197.1.301 (public key parameters)

Summary of end-user certificates
  Subject field:
    CN = sm2_20210522_01
    E = 15348403611@139.com
    C = CN
  Issuer field:
    CN = CMCA SM2 Root CA
    C = CN
  Duration (for example, a year): a month
  Version: V3
  Certificate signature algorithm: AS:SM2+SM3 (SM3/SM2)
  Signature key parameter: AS:SM2-256 bits, 1.2.156.10197.1.301 (public key parameters)
  CRL URL: https://www.cmca.net/download/crl/CRL169.crl
  OCSP URL: http://211.138.237.38:8089/ocspserver/ocsp
  Policy OID(s): 2.23.140.1.2.2

Hierarchy information for each CA root certificate
  CA hierarchy (list, describe, and/or chart all intermediate CAs issued by the root certificate; specify which are internally and which externally operated sub-CAs):
    The intermediate CA under the root certificate is: CMCA SM2 SSL CA

Externally operated sub-CAs
  If a sub-CA under the root certificate is operated by a third-party organization, the following information must be provided:
    Sub-CA company name;
    Sub-CA URL;
    Download address of the sub-CA certificate;
    Link to a test website using a certificate issued by the sub-CA (if the sub-CA is allowed to issue SSL certificates);
    Certificate hierarchy under the sub-CA;
    CP/CPS link of the sub-CA;
    The section number of the chapter in its CP or CPS that specifies an acceptable method of verifying domain name ownership.

Cross-signing
  List all cross-certificates that this root certificate issues for other root certificates: not available
  List all cross-certificates issued by other root certificates for this root certificate: not available
  If a cross-signature exists, specify whether that CA is already included in the Firefox root certificate store.

Verification policies and practices
  Policy documents (links to the following files):
    CP (optional):
    CPS: https://www.cmca.net/images/download/CMCArule.zip
    Relying Party Agreement:
  License qualification
    Required: Electronic Authentication Service Password License (no., expiry date)
      Number: 0032
      Validity: 10 July 2020 to 9 July 2025
    Required: Electronic Authentication Service License (no., expiry date)
      Number: ECP44030516032
      Validity: October 10, 2016 to October 9, 2021
    Optional: E-Government Electronic Authentication Service Permit (no., expiry date)
  Test certificate website
    IP address: https://211.138.237.41:8443
    Public IP address: https://demo.gmssl.cn
  Evidence of secure generation
    WebTrust audit report,
    or video record of the intermediate certificate generation (root generated before July 1, 2020),
    or video record of the root and intermediate certificate generation (root generated after July 1, 2020)

Flags: needinfo?(tongjing)
Status: UNCONFIRMED → ASSIGNED
Type: defect → task
Ever confirmed: true
Whiteboard: [ca-initial]
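The "Technical parameters of the root certificate" block above (serial number, signature algorithm, public key parameter OID, issuer, fingerprint) consists of fields a reviewer reads directly from the root's DER encoding rather than from the form. The following is an added example, not code from this bug, from Mozilla, or from CMCA/Aspire: a small pure-Python DER reader that extracts those fields from a certificate, checks that the outer signature algorithm matches the one inside the TBSCertificate, and computes the SHA-1 fingerprint. Assumptions: the SM2-with-SM3 signature algorithm OID 1.2.156.10197.1.501 (the form itself names only the SM2 curve OID 1.2.156.10197.1.301), and a sample certificate constructed inline with a dummy key and dummy signature, so its fingerprint will not match the one in the form and no signature is cryptographically verified.

```python
"""Added example: read the fields a root-inclusion reviewer compares against the
CA's submitted parameters out of a DER-encoded X.509 certificate. The sample
certificate is constructed inline (dummy key, dummy signature); nothing is verified."""
import hashlib

# Assumption: SM2 curve and SM2-with-SM3 OIDs under the GM/T arc 1.2.156.10197;
# ecPublicKey per RFC 5480.
OID_SM2_CURVE = "1.2.156.10197.1.301"
OID_SM2_WITH_SM3 = "1.2.156.10197.1.501"
OID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
NAME_ATTRS = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

# --- minimal DER encoder, used only to build the constructed sample ---
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def name(cn, o, c):
    def atv(attr, value):  # SET { SEQUENCE { OID, UTF8String } }
        return tlv(0x31, seq(oid(attr), tlv(0x0C, value.encode())))
    return seq(atv("2.5.4.6", c), atv("2.5.4.10", o), atv("2.5.4.3", cn))

def build_sample_root():
    """Constructed sample shaped like the root in the form: self-issued, serial
    010009, SM2-with-SM3 over the SM2 curve. Key and signature are zero bytes."""
    dn = name("CMCA SM2 ROOT CA", "CMCA", "CN")
    sig_alg = seq(oid(OID_SM2_WITH_SM3))
    validity = seq(tlv(0x17, b"210506090510Z"), tlv(0x18, b"20460430090510Z"))
    spki = seq(seq(oid(OID_EC_PUBLIC_KEY), oid(OID_SM2_CURVE)),
               tlv(0x03, b"\x00\x04" + bytes(64)))  # dummy uncompressed point
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")),  # [0] EXPLICIT version v3
              tlv(0x02, b"\x01\x00\x09"), sig_alg, dn, validity, dn, spki)
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" + bytes(64)))  # dummy signature

# --- minimal DER parser ---
def der_read(buf, pos=0):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for x in b[1:]:
        v = (v << 7) | (x & 0x7F)
        if not x & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))

def decode_name(body):
    out = []
    for _, rdn in der_children(body):
        for _, atv in der_children(rdn):
            (_, attr), (_, value) = der_children(atv)
            o = decode_oid(attr)
            out.append(f"{NAME_ATTRS.get(o, o)}={value.decode()}")
    return ", ".join(out)

def inspect_certificate(der):
    _, cert, _ = der_read(der)
    (_, tbs), (_, sig_alg), _ = der_children(cert)
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0  # skip the optional [0] version
    serial, inner_alg, issuer, subject, spki = f[i][1], f[i + 1][1], f[i + 2][1], f[i + 4][1], f[i + 5][1]
    pk_alg, curve = (decode_oid(v) for _, v in der_children(der_children(spki)[0][1]))
    outer = decode_oid(der_children(sig_alg)[0][1])
    inner = decode_oid(der_children(inner_alg)[0][1])
    return {
        "serial": serial.hex(),
        "signature_algorithm": outer,
        "signature_algorithm_consistent": outer == inner,  # RFC 5280 4.1.1.2
        "public_key_algorithm": pk_alg,
        "curve": curve,
        "issuer": decode_name(issuer),
        "subject": decode_name(subject),
        "self_issued": issuer == subject,
        "sha1_fingerprint": hashlib.sha1(der).hexdigest(),
    }

if __name__ == "__main__":
    for k, v in inspect_certificate(build_sample_root()).items():
        print(f"{k}: {v}")
```

Replace `build_sample_root()` with the bytes of a real DER file to run this against a submitted root; the name attributes are printed in DER order (C, O, CN), which is why they appear reversed relative to the form.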

(In reply to Daniel Veditz [:dveditz] from comment #1)

> In several places it was stated that the information had to be public and not to check any boxes to hide the visibility of the bugs. And because the information needs to be public, not to include sensitive or proprietary information. Before we make this bug public, is there anything in the attached document that shouldn't be there?

I don't believe there is anything confidential in the attachments, but we can wait to hear from the applicant before flipping the security flag on this bug.

Jing Tong,
Please confirm that this bug and its content should be public.
Thanks,
Ben

Flags: needinfo?(tongjing)

Moving to employee confidential in the meantime -- it's clearly not a security vulnerability

Group: crypto-core-security → mozilla-employee-confidential
Group: mozilla-employee-confidential
Priority: -- → P5
Summary: Requesting inclusion of Aspire root certificates → Add Aspire root certificates

I closed Bug 1768811. CA Applicant says that there is another root. That information for the newer root can be added here to this bug.

The two subordinate certificates uploaded to the CCADB as roots have been deleted.

Flags: needinfo?(tongjing)

I have tried to locate a website where I can test the certificate chain, but none of them seem to be live.

See https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000888

Flags: needinfo?(tongjing)
Product: NSS → CA Program
Flags: needinfo?(tongjing)
