Closed Bug 274106 Opened 20 years ago Closed 18 years ago

Add GRCA root CA certificate


(CA Program :: CA Certificate Root Program, task)

Not set


(Not tracked)



(Reporter: hecker, Assigned: hecker)





(1 file)

Per a letter sent to me, "Chunghwa Telecom, as the operation authority of the
Government Root Certification Authority (GRCA) of Taiwan, would like to submit
the self-signed certificate of the GRCA for acceptance by Mozilla Program." GRCA
is the root CA for For CPS and CP see

CRL for GRCA is at

I can't find a URL from which to download the GRCA root certificate, but I will
attach a copy to this bug report.

According to the letter sent to me, GRCA has not yet undergone a WebTrust for CA
audit, but is planning to do so. The letter was from August of this year (shame
on me for the delay in responding to this!), so the status of the WebTrust audit
may have changed by now. GRCA has undergone an audit for conformance to BS
7799-2:2002, but I don't know how close this is to WebTrust. (And unfortunately
BS 7799-2:2002 is one of those non-free standards, so it would cost me several
hundred dollars to get a copy of it.)

A final note: I found some useful background information on GRCA and PKI in
Taiwan at
Attaching the GRCA root certificate.
Oops -- forgot to officially accept the bug as assigned to me. Doing so now.
GRCA has successfully completed a WebTrust audit:

I need to review their other information, and if I have all questions answered
to my satisfaction then I will do a "last call" for comments prior to making the
final decision on approval of their request.
My apologies for the long delay in getting back to this bug. As I mentioned previously, GRCA has completed their WebTrust audit some time ago. At this point we should review the available information and evaluate this CA for inclusion, per the official CA policy at

Unless otherwise noted, all information below is from public documents available on the web; see

for links to relevant documents discussed below.

As a brief reminder, GRCA stands for Government Root Certificate Authority. GRCA is basically a root CA for the PKI operated by the government of Taiwan, and has multiple subordinate CAs operating under its scope of authority. One of these subordinate CAs (MOICA or Ministry of the Interior CA), issues personal certificates to Taiwanese citizens for the purposes of accessing Taiwanese government services, and another (GCA or Government CA) issues SSL certificates to Taiwan government agencies. See

for a brief overview. Here's a more detailed description as provided by a GRCA representive to me via email:

"GCA issues certificates to government agencies and also issues server application certificates (such as SSL server certificates) to servers owned by government agencies. MOICA issues certificates to citizens (or, in legal terms, natural persons). MOEACA issues certificates to businesses which include companies, subsidiary companies, and stores (which, in legal terms, include sole proprietorships and partnerships). XCA issues certificates to organizations (e.g., nonprofit corporations, schools, etc.) other than government agencies and businesses. In addition, GTESTCA issues short-lived certificates used by developers for testing PKI functionalities of their application systems."

Here are my quick thoughts on GRCA vis-a-vis the policy's requirements:

Section 4. I'm not aware of any technical issues with certificates issued by GRCA or its subordinate CAs. If anyone sees any technical problems with the GRCA root cert or any other certs issued by GRCA or its subordinate CAS, please note it in this bug report.

Section 6. GRCA appears to provide a service relevant to Mozilla users: As noted above, certificates issued by GRCA are used in the context of Taiwan government services offered to the general public, who might be users of the localized versions of Firefox or other Mozilla-based products. GRCA policies are documented in the CPS and CP documents listed on the ca-certificate-list page referenced above. (Note that the CP covers not only GRCA but all of its subordinate CAs as well.)

Section 7. GRCA appears to meet the minimum requirements for subscriber
verification: For individual certificates used for email the minimum procedure for CAs referenced in the CP involves email verification; however the standard MOICA individual certificates require in-person validation:

For SSL server certificates the verification procedures require some sort of form organizational identification to be presented. Identity certificates usable for code signing also require in-person validation. All this was confirmed by a representative of GRCA:

"Except for short-lived testing certificates, which are in accordance with Test assurance level, issued by GTESTCA, all certificates, no mater they are SSL certificates or identity certificates that could be used for secure emailing or code signing, issued by all other subordinate CAs are in accordance with assurance level 3."

(Asurance level 3 requires in-person validation; see sections 3.1.8 through 3.1.10 of the CP.)

Section 8-10. GRCA has successfully completed an independent audit using
the WebTrust for CAs criteria. The auditors were KPMG.

Section 13. As noted above, GRCA has multiple subordinate CAs under the single GRCA root, and (with the exception of the test CA) all of the subordinate CAs issue certificates at a single validation level, namely assurance level 3 as defined in the CP.

Other: GRCA issues its own CRLs on a daily schedule; to my knowledge it does not itself maintain an OCSP responder. The subordinate CAs issue CRLs as well.

The bottom line: Based on the information available to me thus far I'm inclined to approve inclusion of this CA certificate into the default Mozilla list. I'll allow a few days of comment and then make my final decision.

I've verified with a representative of the organization operating GRCA that the certificate attached to this bug report, with SHA-1 fingerprint of

F4 8B 11 BF DE AB BE 94 54 20 71 E6 41 DE 6B BE 88 2B 40 B9

is indeed the correct GRCA root CA certificate.
Depends on: 341022
Per my previous comments in this bug and in the m.d.t.crypto newsgroup, I'm approving this root CA certificate for inclusion in Mozilla, and have filed bug 341022 to get the actual cert added to NSS.
According to bug 341022, this cert was included in NSS 3.11.4 
So I'm marking this bug resolved/fixed.
Closed: 18 years ago
Resolution: --- → FIXED
Product: → NSS
Product: NSS → CA Program
You need to log in before you can comment on or make changes to this bug.