Closed Bug 607208 Opened 11 years ago Closed 8 years ago

Add CNNIC EV root certificate

Categories

(NSS :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: liu_yan, Assigned: kwilson)

Details

(Whiteboard: In NSS 3.15, Firefox 23, EV in Firefox 26)

Attachments

(5 files, 1 obsolete file)

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; Maxthon; Avant Browser; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: 

As the operation and management organization for Chinese domain names, we would like to support the security and effectiveness of the Internet. We believe that having our EV root certificate included in your browser would be beneficial to both of us, and especially to Internet users.

Reproducible: Always
Attached file EV Certificate
Accepting this bug.  I will start the Information Gathering and Verification
phase as per https://wiki.mozilla.org/CA:How_to_apply.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: EV root certificate inclusion into IE browser → Add CNNIC EV root certificate
Whiteboard: Information incomplete
Attached file CNNIC EV Root Cert
The attached document summarizes the information that has been gathered and
verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
What steps will be taken by Mozilla to ensure that the public discussion of this request on mozilla.dev.security.policy is truly public?  

Of course, I am referring to the controversy over bug #476766, which spilled over into bug #542689.  In both of those, it was asserted that the likely end-users of the CNNIC root certificate were blocked from accessing mozilla.dev.security.policy.
Hi Kathleen,
Here is the information about the items highlighted in yellow. 

CA Hierarchy: 2) Whether or not subordinate CAs can create their own subordinates.
We may create other subCAs from this root in the future. Such a subCA may issue code signing certificates.

Externally operated subCAs: We do not have plans to have any externally-operated subCAs under this root.

Cross-Signing: Currently none. In the future we may cross-sign with other CAs.

SSL Validation Type: We only issue EV certs under this root.
AUDIT: Yes. The next WebTrust CA audit will include this root and its sub-CAs.

Potentially Problematic Practices:
1.3 Email Address Prefixes for DV Certs
o Not applicable. We don’t verify through email addresses.
1.6 Allowing external entities to operate subordinate CAs
o No. Only one sub-CA exists, and it is internally operated.
1.9 Issuing SSL Certificates for Internal Domains
o No. We don’t issue certificates for internal domains.
(In reply to comment #6)
> What steps will be taken by Mozilla to ensure that the public discussion of
> this request on mozilla.dev.security.policy is truly public?  
> 
> Of course, I am referring to the controversy over bug #476766, which spilled
> over into bug #542689.  In both of those, it was asserted that the likely
> end-users of the CNNIC root certificate were blocked from accessing
> mozilla.dev.security.policy.

What would you like to recommend, David?
This request has been added to the queue for public discussion:
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

Now that you have a request in the Queue for Public Discussion, you are
directly impacted by the time it takes to work through the queue. The goal is
to have each discussion take about one to two weeks. However, that time varies
dramatically depending on the number of reviewers contributing to the
discussion, and the types of concerns that are raised. If no one reviews and
contributes to a discussion, then a request may be in the discussion for
several weeks. When there are not enough people contributing to the discussions
ahead of yours, then your request will sit in the queue longer.

How can you help reduce the time that your request sits in the queue?

You can help by reviewing and providing your feedback in the public discussions
of root inclusion requests, or by asking a knowledgeable colleague to do so.

Participating in other discussions is a great way to learn the expectations and
be prepared for the discussion of your request.

Please see: https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Whiteboard: Information incomplete → Information confirmed complete
Re: comment #6 and comment #8

I suppose the best way to do this would be to have trusted individuals inside China attempt to read and post to mozilla.dev.security.policy.  By "trusted", I mean trusted by the Mozilla organization, not necessarily by the government.
(In reply to comment #11)
> Re: comment #6 and comment #8
> 
> I suppose the best way to do this would be to have trusted individuals inside
> China attempt to read and post to mozilla.dev.security.policy.  By "trusted", I
> mean trusted by the Mozilla organization, not necessarily by the government.

Yeah, that's the right way to go, but, unfortunately, in China we CANNOT access mozilla.dev.security.policy. Google Groups is completely blocked in China by the infamous G*F*W; whenever we try to access Google Groups, we get the error "The connection was reset".

Most Chinese people got to know about CNNIC's request 'for trust' through some Chinese website, not from Bugzilla or Google Groups. I myself read about it in this post (http://www.cnbeta.com/articles/103170.htm), but due to the rigid Internet control in China, the site owner had to completely disable comment submission for that post. Pretty ironic, right? Do we have the freedom to speak freely in China? Do you really think so?

Then how can we Chinese participate in the discussion? We have the LUXURY that bugzilla.mozilla.org is not blocked, so we can express ourselves freely here. Therefore, most Chinese people who know English came a long way here to communicate with the Mozilla people. Actually, this is the most efficient way, I believe, to directly talk to the people who make the decision and commit the change.

If you check the other related bug #476766 (https://bugzilla.mozilla.org/show_bug.cgi?id=476766), you can see that all the Chinese users there (except the bug submitter, who apparently works for CNNIC) are raging and protesting against the inclusion of CNNIC as a trusted root certificate, even though some people keep saying that Bugzilla is not the right place to discuss this, simply because we have no other place to speak out and deliver our voice.

And there is request #542689 to revert what CNNIC has requested. Read the comments there and you can get a feeling for how angry Chinese Firefox users are about this. I feel somewhat sorry for the indecent words in those comments, but compared to the malware CNNIC used to plague unsolicited users and their computers, I can really understand those rants.

So, Mozilla people, please take the comments from Chinese users into account; we really don't have another good option to let you know how bad we feel about CNNIC being trusted.

Best Regards
Re:  Comment #12.  

I believe this request should not be queued for public discussion until the public within China are able to participate.
I have a small question to the representative of CNNIC.The entry at http://www.mozilla.org/projects/security/certs/pending/#CNNIC states that "CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business" and with it I assume that CNNIC is licensed by the MIIT, but I can't find an entry for CNNIC at this link: http://www.miit.gov.cn/n11293472/n11505629/n11506629/n11967886/n11967946/12432542.html

Would it be possible to point me to the current valid license?
Reply to comments 12, 14 & 15,
To #12 & #14: I tested opening the following link in China: http://groups.google.com/group/mozilla.dev.security.policy/, and it works. I am sure the public within China can participate in this discussion.

I know CNNIC got many complaints about "Zhongwenshangwang". "Zhongwenshangwang" is an ActiveX browser product to help Chinese people access the Internet with Chinese characters. It was flagged as malware by some anti-virus software. But CNNIC stopped distributing and updating this product in 2006.

In recent years, CNNIC has participated in many public benefit activities. CNNIC initiated and built the Anti-Phishing Alliance of China. This organization is an NGO. We have handled more than 75,000 phishing websites, and protected Chinese netizens from personal information loss.

CNNIC CA already has the WebTrust Seal, and has also passed the annual audit by a third party (Ernst & Young). I have already provided the updated audit report to Kathleen. Technically, a root CA cannot trace and monitor end-users’ Internet activities. At the same time, CNNIC has a strict process to verify each applicant and make sure they are a legal enterprise. We absolutely won’t deliver any cert to any illegal organization.

To #15: As I mentioned, CNNIC CA already has the WebTrust Seal. CNNIC CA fully meets the requirements for providing SSL certificate services. It is not necessary to be licensed by MIIT.

Please include CNNIC EV ROOT Cert in Mozilla products.
Attachment #487996 - Attachment is obsolete: true
Whiteboard: Information confirmed complete → EV - Information confirmed complete
I am now opening the first public discussion period for this request from CNNIC to add the “China Internet Network Information Center EV Certificates Root” certificate, turn on the websites trust bit, and enable EV.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “CNNIC Inclusion Request for Additional Root”

Please actively review, respond, and contribute to the discussion.

A representative of CNNIC must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
NO CNNIC in the trusted root CA list. I believe that most Chinese Internet users share my view. CNNIC is absolutely not trustworthy, at least to us Chinese. Please listen to our voices.

The Chinese government has enforced strict public access restrictions on web sites abroad, especially Google. It is called the "Great Fire Wall", and it filters connections or resets them whenever it wants. So if someone claims that you are free to access Google services from within China without problems, he is either a liar or a government agent. He is just part of the GFW, which prevents Chinese people from accessing most web services outside China. Just think about what they can and will do if they are trusted without notice.

I strongly oppose the inclusion of any CNNIC CA at all. I don't care about the so-called 'WebTrust Seal' or whatever else CNNIC may claim to carry. I just don't trust CNNIC at all. Please don't proceed with this request until it is fully discussed, particularly by Chinese participants.

Here is a well-known discussion on the CNNIC root CA: https://autoproxy.org/zh-CN/node/66?page=1 (in Chinese). If you have it translated, you may find out how notorious CNNIC is for us Chinese and how eager we are to remove it from the trust list.

Thanks
Reply to Comment 19:

I need to state that CNNIC is not the government. CNNIC was founded as a non-profit organization and has absolutely nothing to do with the Internet restrictions of the Chinese government. I know of many objections from people who dislike the Chinese government, but this should not be a basis for acceptance or rejection of CAs under Mozilla policy, right?

Please try to understand WebTrust at http://www.webtrust.org/item64428.aspx. WebTrust for Certification Authorities includes the principles and related criteria with which a CA should comply.

Again, IMO, we should not discuss politics; it is not relevant to a CA's acceptability.

Thanks.
Reply to Comment 19:

Please check the following link as well. I believe you can view the discussion inside China without using any VPN.
http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/404c32c7a4d0e533

And also, within China you can post to the discussion forum by sending a regular email to mozilla-dev-security-policy@lists.mozilla.org.

Thanks.
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/projects/security/certs/policy/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to add the “China Internet Network Information Center EV Certificates Root” certificate, turn on the websites trust bit, and enable EV.

Section 4 [Technical]. I am not aware of instances where China Internet Network Information Center (CNNIC) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug report.

Section 6 [Relevancy and Policy]. CNNIC appears to provide a service relevant to Mozilla users: It is a non-profit organization, and is the state network information center of China. The CNNIC Steering Committee, a working group composed of well-known experts and commercial representatives in domestic Internet community, supervises and evaluates the structure, operation and administration of CNNIC.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list; the main documents of interest are the CPS documents, which have been translated into English.

Document Repository: http://www.cnnic.cn/cps/
CPS (English): http://www.cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020120502361027520300.pdf
EV CPS (English): http://www.cnnic.cn/jczyfw/fwqzs/CNNICfwqzsywgz/201206/W020120514557879926993.pdf

Section 7 [Validation]. CNNIC appears to meet the minimum requirements for subscriber verification, as follows:

* Email: Not applicable, not requesting the email trust bit.

* SSL:  As per sections 3.2 and 4.2 of the (non-EV) CPS, the Local Registration Authority performs a domain name registration information inquiry (whois), gets the information of the domain name registrar of the domain name certificate application, checks whether the domain name registrar is consistent with the domain name certificate applicant, and determines whether the domain name certificate applicant indeed owns this domain name. Then the RA auditor checks whether the legal domain name subscriber is consistent with the certificate applicant (also using the whois function), and whether the information is true, and compares it with the application information in the RA system.

* Code:  Not applicable, not requesting the code signing trust bit.

* EV Policy OID: 1.3.6.1.4.1.29836.1.10

* As per section 1.10 and 4.1.1 of the EV CPS, CNNIC issues and manages EV Certificates according to the CAB Forum EV Guidelines. CNNIC checks the identity and authority of the certificate subscriber and the organization, and uses a domain name registration inquiry (whois) function to check whether the domain name register is identical with the applicant of EV Certificate and determine whether the EV Certificate register actually owns such domain name through primary verification.

Section 15 [Certificate Hierarchy]. 
Currently there is one internally-operated subordinate CA named CNNIC EV SSL, which only signs EV SSL Certificates. In the future CNNIC may also add another internally-operated subCA for issuing code signing certificates.

* CRL 
http://www.cnnic.cn/download/evrootcrl/crl1.crl
http://www.cnnic.cn/download/evcrl/crl1.crl
CPS Section 4.3.6.10: CRL issued every 7 days, or immediately upon a revocation.

* OCSP
http://ocsproot.cnnic.cn
http://ocspev.cnnic.cn
EV CPS Section 2.13.1: maximum expiration time of OCSP responses is 12 hours.

Sections 9-11 [Audit]. Annual audits are performed by Ernst & Young according to the WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1332  
https://cert.webtrust.org/ViewSeal?id=1347  

Based on this assessment I intend to approve this request to add the “China Internet Network Information Center EV Certificates Root” certificate, turn on the websites trust bit, and enable EV.

There is one action item that resulted from the discussion, which will be tracked in this bug.

ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new end-entity certificates.
Whiteboard: EV - In public discussion → EV - Pending Approval
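The EV policy OID recorded in the assessment above is what EV treatment keys on: browsers pair a root's fingerprint with its EV policy OID, and a leaf is shown as EV only when its certificatePolicies extension asserts that OID on a chain to that root. As an added example (this is not code from the bug, from CNNIC or from Mozilla), the following Python encodes and parses a DER certificatePolicies extension value and tests it for the EV OID from comment 22. The only value taken from the page is the OID itself; the extension blobs are constructed inline, and the CA/Browser Forum domain-validated policy OID 2.23.140.1.2.1 appears only as a non-EV comparison.

```python
"""Added example: encode and parse a DER certificatePolicies extension and test
it for the EV policy OID recorded in the assessment above. EV_POLICY_OID is the
one value taken from the bug; every extension blob below is constructed here."""

EV_POLICY_OID = "1.3.6.1.4.1.29836.1.10"  # CNNIC EV policy OID, from comment 22
CABF_DV_OID = "2.23.140.1.2.1"            # CA/Browser Forum DV policy OID, comparison only


def encode_oid(dotted: str) -> bytes:
    """Contents octets of an OBJECT IDENTIFIER: first two arcs packed as 40*a+b,
    every arc in base 128 with the high bit set on all but its last septet."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID")
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        septets = [arc & 0x7F]
        arc >>= 7
        while arc:
            septets.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(septets))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid; a trailing continuation byte means a truncated OID."""
    arcs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if val or not arcs:
        raise ValueError("truncated OID")
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def der_tlv(tag: int, value: bytes) -> bytes:
    """Definite-length DER TLV (short form below 128 bytes, long form above)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def read_tlv(buf: bytes, pos: int):
    """Parse one TLV at pos -> (tag, value, next_pos). Rejects indefinite and
    oversized lengths and anything running past the buffer."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first == 0x80:
        raise ValueError("indefinite length is not DER")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def policy_oids(ext_value: bytes) -> list:
    """policyIdentifier OIDs from an extnValue:
    certificatePolicies ::= SEQUENCE OF SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }"""
    tag, seq, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one outer SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_body, _ = read_tlv(info, 0)   # qualifiers after the OID are ignored
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_body))
    return oids


def is_ev(ext_value: bytes, ev_oid: str = EV_POLICY_OID) -> bool:
    """True when the extension asserts the given EV policy OID."""
    return ev_oid in policy_oids(ext_value)


def build_certificate_policies(*oids: str) -> bytes:
    """Constructed extnValue with the given policy OIDs and no qualifiers."""
    return der_tlv(0x30, b"".join(der_tlv(0x30, der_tlv(0x06, encode_oid(o))) for o in oids))


if __name__ == "__main__":
    ev_ext = build_certificate_policies(EV_POLICY_OID)
    print(ev_ext.hex(), is_ev(ev_ext), is_ev(build_certificate_policies(CABF_DV_OID)))
```

The parser is deliberately strict: it refuses BER indefinite lengths and values that overrun the buffer, because a policy-OID match is a trust decision and sloppy DER handling is a classic source of mismatches between what a browser verifies and what a human reads off the certificate. The arc 29836 in the EV OID is the example's reason for handling multi-byte base-128 arcs.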
To the representatives of CNNIC: Thank you for your cooperation and your patience.

To all others who have commented on this bug or participated in the public discussion: Thank you for volunteering your time to assist in reviewing this CA request.

As per the summary in Comment #22, and on behalf of Mozilla I approve this request from CNNIC to include the following root certificate:

** China Internet Network Information Center EV Certificates Root (websites), enable EV.

I will file the NSS and PSM bugs to effect the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM
Depends on: 799692
Depends on: 799697
I have filed bug #799692 against NSS and bug #799697 against PSM for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM → In NSS 3.15, Firefox 23, EV in Firefox 26
(In reply to Kathleen Wilson from comment #22)
> 
> There is one action item that resulted from the discussion, which will be
> tracked in this bug.
> 
> ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new
> end-entity certificates.

Email received on Jan 16, 2014, from CNNIC stating that 20 bits of random data are now included in the serial number of end-entity certs.
Product: mozilla.org → NSS
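The action item from comment 22 and this confirmation concern the random component of the serial number. The 20-bit figure dates from the 2008 chosen-prefix collision against MD5-signed certificates, where sequential serials let the attacker predict the to-be-signed data in advance; the CA/Browser Forum Baseline Requirements have since raised the floor to at least 64 bits of CSPRNG output. Randomness is a property of the generator, not of any single serial, so a per-certificate check can only enforce the structural rules of RFC 5280 (a positive INTEGER of at most 20 encoded octets) and the generator has to be tested separately. The following Python is an added example (not code from CNNIC, Mozilla or NSS) that builds serials from a CSPRNG with an optional fixed prefix, DER-encodes them, and smoke-tests a generator; the rng and prefix parameters and the sample sizes are choices made here, not anything the bug specifies.

```python
"""Added example: certificate serial numbers with CSPRNG-supplied random bits,
encoded as RFC 5280 s4.1.2.2 requires (positive INTEGER, at most 20 octets),
plus a smoke test for the generator. Sample sizes and the rng/prefix parameters
are choices made here, not anything specified in the bug."""

import secrets

MAX_SERIAL_OCTETS = 20                        # RFC 5280 cap on the encoded serial
MAX_SERIAL_BITS = MAX_SERIAL_OCTETS * 8 - 1   # 159: top bit must stay clear to be positive


def make_serial(random_bits: int = 64, prefix: int = 0, rng=secrets.randbits) -> int:
    """prefix (optional issuer tag or counter) in the high bits, random_bits of
    CSPRNG output in the low bits. Never returns zero: RFC 5280 wants a positive value."""
    if random_bits < 1:
        raise ValueError("at least one random bit is required")
    if prefix < 0 or prefix.bit_length() + random_bits > MAX_SERIAL_BITS:
        raise ValueError("prefix plus random bits would not fit in 20 octets")
    while True:
        serial = (prefix << random_bits) | rng(random_bits)
        if serial > 0:
            return serial


def der_integer(n: int) -> bytes:
    """DER INTEGER TLV for a serial. Rejects zero, negatives and anything whose
    two's-complement content exceeds 20 octets."""
    if n <= 0:
        raise ValueError("serial must be positive")
    content = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if content[0] & 0x80:          # leading 0x00 keeps the value positive
        content = b"\x00" + content
    if len(content) > MAX_SERIAL_OCTETS:
        raise ValueError("serial longer than 20 octets")
    return b"\x02" + bytes([len(content)]) + content   # < 128 octets: short-form length


def decode_der_integer(blob: bytes) -> int:
    """Inverse of der_integer, enforcing minimal encoding and a positive value."""
    if len(blob) < 3 or blob[0] != 0x02 or blob[1] != len(blob) - 2:
        raise ValueError("not a short-form DER INTEGER")
    content = blob[2:]
    if len(content) > 1 and content[0] == 0 and not content[1] & 0x80:
        raise ValueError("non-minimal encoding")
    if content[0] & 0x80:
        raise ValueError("negative serial")
    return int.from_bytes(content, "big")


def validate_serial(n: int) -> list:
    """Per-certificate structural checks. No check on a single value can tell
    whether its bits came from a CSPRNG; that is what generator_smoke_test is for."""
    problems = []
    if n <= 0:
        problems.append("not positive")
    elif n.bit_length() > MAX_SERIAL_BITS:
        problems.append("encoding exceeds 20 octets")
    return problems


def generator_smoke_test(gen, random_bits: int = 64, samples: int = 2000) -> list:
    """Draw serials from gen and require that no value repeats and that every one
    of the low random_bits positions takes both 0 and 1 across the batch. A counter
    or a stuck PRNG fails; passing is necessary for randomness, not proof of it."""
    mask = (1 << random_bits) - 1
    seen, ones, zeros = set(), 0, 0
    for _ in range(samples):
        s = gen()
        if s in seen:
            return [f"duplicate serial {s:x}"]
        seen.add(s)
        ones |= s & mask
        zeros |= ~s & mask
    stuck = mask & ~(ones & zeros)
    return [f"{bin(stuck).count('1')} random bit position(s) never varied"] if stuck else []


if __name__ == "__main__":
    s = make_serial(64, prefix=0x2013)
    print(hex(s), der_integer(s).hex(), validate_serial(s))
    print("csprng:", generator_smoke_test(lambda: make_serial(64)))
    counter = iter(range(1, 10**6))
    print("counter:", generator_smoke_test(lambda: next(counter)))
```

The prefix is where a CA keeps whatever it needs for bookkeeping (an issuing-CA tag, a year); the random bits must come from a CSPRNG and must not be derived from anything the applicant can predict, such as a timestamp or a request counter. The smoke test is what an auditor or a CA's own release check can run against the generator; with a sequential counter it reports dozens of bit positions that never vary, which is exactly the condition the 2008 attack exploited.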