373537 - Hongkong Post root cert inclusion

Status: RESOLVED DUPLICATE of bug 408949

(CA Program :: CA Certificate Root Program, task)

Description

[Stephen Chu]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: 

Hongkong Post is the recognised CA under the law of Hong Kong Special Administrative Region (HKSAR).  It is a public CA and has already been accepted by Microsoft (http://support.microsoft.com/kb/931125)

The CPS is http://www.hongkongpost.gov.hk/product/cps/ecert/index.html

The root CA certificate is located in
http://www.hongkongpost.gov.hk/product/download/root/img/smartid_rt.cacert


Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Jeremy Baron]

Stephen: You didn't mention the Mozilla CA cert policy and it will likely be an important resource during the certificate approval process, so I'm pointing you that way in case you haven't seen it yet: http://www.mozilla.org/projects/security/certs/policy/

Another good resource is other bugs in this component.

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Stephen, Are you a representative of the HongKong Post?

Mozilla requests a common set of information from all CA applicants.
You can see the request in bug 307915 comment 3, and bug 324126 comment 10. 
Please supply the information requested there, thanks.

Comment 3

[Stephen Chu]

I am not a representative of the Hongkong Post.  I am an end user, who owns a certificate issued by Hongkong Post CA.  As it is a recognised CA under the law of Hong Kong SAR, it is nice that mozilla product contains root CA certificate, so that an end user can have a easier life without manually installing the root ca certificate.

CA Details
----------

CA Name: Hongkong Post CA
Website: http://www.hongkongpost.gov.hk

Hongkong Post CA is the recognised CA under the law of Hong Kong Special
Administrative Region (HKSAR) [https://secure1.info.gov.hk/ogcio/eng/caro/esub41.htm].

HKSAR is the primary geographical area served by Hongkong Post CA.
The Root certificate is called "Hongkong Post Root CA 1", which has only one direct subordinate,
"Hongkong Post e-Cert CA 1". "Hongkong Post e-Cert CA 1" is the signer key.

The recognized certificates, which are subordinate of "Hongkong Post e-Cert CA 1":
(i)  	Hongkong Post e-Cert (Personal) certificate
(ii) 	Hongkong Post e-Cert (Organisational) certificate
(iii) 	Hongkong Post e-Cert (Server) certificate
(iv) 	Hongkong Post e-Cert (Encipherment) certificate
[Note : e-Cert (Encipherment) is for the encryption and decryption of electronic information only.]
(v) 	Hongkong Post Bank-Cert (Bank of East Asia-Corporate) certificate
(vi) 	Hongkong Post Mobile e-Cert (Personal) certificate
(vii) 	Hongkong Post Mobile e-Cert (Organisational) certificate
(viii) 	Hongkong Post Mobile e-Cert (Server) certificate
(ix) 	Hongkong Post Bank-Cert (Shanghai Commercial Bank-Personal) certificate
(x) 	Hongkong Post Bank-Cert (Shanghai Commercial Bank-Corporate) certificate

[(iii) are server certificate for SSL]

Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor:  PricewaterhouseCoopers
Auditor Website: http://www.pwc.com/
Audit Document URL(s): https://cert.webtrust.org/SealFile?seal=125&file=pdf

Certificate Details
-------------------

Certificate Name: Hongkong Post Root CA 1
    This certificate currently does not issue any certificate except "Hongkong Post e-Cert CA 1".
Certificate HTTP URL (on CA website): http://www.hongkongpost.gov.hk/product/download/root/img/smartid_rt.cacert
Version: 3
SHA1 Fingerprint: D6:DA:A8:20:8D:09:D2:15:4D:24:B5:2F:CB:34:6E:B2:58:B2:8A:58
MD5 Fingerprint: A8:0D:6F:39:78:B9:43:6D:77:42:6D:98:5A:CC:23:CA
Modulus Length (a.k.a. "key length"): 2048
Valid From (YYYY-MM-DD): 2003-05-15
Valid To (YYYY-MM-DD): 2023-05-15
CRL HTTP URL: N/A
OCSP URL: N/A
Class (domain-validated, identity-validated or EV): identity-validated and domain-validated
Certificate Policy URL: http://www.hongkongpost.gov.hk/product/cps/index.html
CPS URL: http://www.hongkongpost.gov.hk/product/cps/index.html
Requested Trust Indicators (email and/or SSL and/or code): email, SSL, code


Certificate Name: Hongkong Post e-Cert CA 1
  The signer key for 
Certificate HTTP URL (on CA website): http://www.hongkongpost.gov.hk/product/download/root/img/smartid_ca.cacert
Version: 3
SHA1 Fingerprint: 0A:51:EE:71:01:B5:35:AB:C9:F3:94:14:A9:3C:76:E7:DC:76:8C:7B
MD5 Fingerprint: B1:F0:A3:09:31:09:59:51:37:98:9E:3C:C3:5C:4F:F5
Modulus Length (a.k.a. "key length"): 2048
Valid From (YYYY-MM-DD): 2003-05-15
Valid To (YYYY-MM-DD): 2013-05-15
CRL HTTP URL: http://crl1.hongkongpost.gov.hk/crl/eCertCA1CRL1.crl
OCSP URL: N/A
Class (domain-validated, identity-validated or EV): should be identity-validated and domain-validated
Certificate Policy URL: http://www.hongkongpost.gov.hk/product/cps/index.html
CPS URL: http://www.hongkongpost.gov.hk/product/cps/index.html
Requested Trust Indicators (email and/or SSL and/or code): email, SSL, code
LDAP repository: ldap://ldap1.hongkongpost.gov.hk

Comment 4

[Gervase Markham [:gerv]]

We don't accept certificate applications from anyone other than an official representative of the CA. This prevents a whole load of problems - including the CA objecting, and our setting the wrong trust bits. For example, Stephen, you asked for the cert to be trusted for code signing - how do you know that they want that?

If you want this certificate in the Mozilla store, you need to convince the Hong Kong Post to apply, in the same manner as you have.

Gerv

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

I would add that Stephen did a rather good job of applying on their behalf. :)
So, if they choose to apply, they could just re-use this bug report, and 
wouldn't need to file a new bug and re-enter all that information, IMO.

Comment 6

[Stephen Chu]

Official representative will submit it updated information.

Comment 7

[Nelson Bolyard (seldom reads bugmail)]

The official request has now been filed as bug 408949