CFCA (China Financial Certification Authority) root CA

RESOLVED FIXED

(Reporter: gxzhao, Assigned: kwilson)

(Whiteboard: In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40)

Attachments

(16 attachments, 7 obsolete attachments)

Add CFCA's Root CA to Mozilla's trusted root list
CFCA would like to add the following root to the NSS store.
The root is primarily suitable for Server and Client Authentication, Secure e-mail, Code Signing and Timestamping.


Key extensions 
•	basicConstraints: 
•	keyUsage: 
Certificate File Information


Signature Algorithm
sha256RSA

Subject DN
CN = CFCA GT CA
O = China Financial Certification Authority
C = CN

Serial Number
1e ab 9f a3

Subject KeyID

Validity time
Valid from: 21st August 2012 15:28:33
Valid to: 21st August 2042 15:28:33


Fingerprints
SHA1:
MD5:
URL to online CRL repository 

URL to online location of the root
Posted file CFCA CPS.pdf (obsolete) —
Summary: root CA → CFCA (China Financial Certification Authority) root CA
Posted file CFCAGTROOT.cer
CFCA (China Financial Certification Authority) GT (Global Trust) root CA
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: Information incomplete
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Posted file CFCA_EV_root.cer
(In reply to Kathleen Wilson from comment #4)
> Created attachment 818131
> Initial CA Information Document
> 
> The attached document summarizes the information that has been verified.
> 
> The items highlighted in yellow indicate where further information or
> clarification is needed. Please review the full document for accuracy and
> completeness.

I uploaded a new attachment, 8356496, which contains the information that attachment 818131 needs.
I hope this document meets your requirements.
Posted file 火狐20140108.pdf (obsolete) —
fix EV's CA Hierarchy
Attachment #8356496 - Attachment is obsolete: true
Whiteboard: Information incomplete → EV - Information incomplete
Please respond to the items highlighted in yellow in the attached document.
Passed the EV Treatment test using Firefox Nightly.
Posted file test_ev_roots.txt
test_ev_roots.txt file used in the EV & OCSP test
Before testing, please do the following:
1) Restore the default Root Certificate Settings
https://wiki.mozilla.org/CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings
2) Import the root certs: https://wiki.mozilla.org/CA:UserCertDB#Importing_a_Root_Certificate
3) Set OCSP to hard fail: https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
4) Clear Browser History

Here's what I'm getting when I try to browse to the test websites...

Test website for the "CFCA GT CA" root cert: https://www.56zhifu.com 
The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Intermediate CA certificates are expected to be distributed to the certificate subjects (the holders of the private keys) together with the subjects' own certificates. Those subject parties (e.g. SSL servers) are then expected to send out the intermediate CA certificates together with their own certificates whenever they are asked to send out their certificates. That is required by SSL/TLS.
Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.


Test Website for "CFCA EV ROOT" cert: https://pub.cebnet.com.cn 
An error occurred during a connection to pub.cebnet.com.cn. The OCSP server experienced an internal error. (Error code: sec_error_ocsp_server_error)
Posted image OCSP response.jpg
We made several tests of the EV OCSP test site; it seems our OCSP works well. The attachment is a screenshot of successful OCSP responses (using Wireshark).

Please delete the cache, then test again.

For 56zhifu.com: we did give them our intermediate CA certificates, and we will contact them to make sure they update the cert chain.

We will take measures to prevent this from happening again.

The Baseline Requirements audit and the modification of our CPS are under way; we will update the CPS and audit reports after they are done.

Thank you Kathleen.
(In reply to zhaogaixia from comment #13)
> The audit of Baseline Requirement and Modification of our CPS is on the way,
> we will update CPS and audit reports after it's done.

OK. I'll retest when I review the CPS updates and audit statement.
Posted file CFCA-FireFox20140331.pdf (obsolete) —
Update on the information form

Updates:

OV test website fixed
EV test website fixed
Baseline Requirements in CPS
20 bits of unpredictable random data
OCSP test info and result
Code signing verification procedure
Attachment #8356960 - Attachment is obsolete: true
Posted file CFCA-CPS-2.0.1-en-20140331.pdf (obsolete) —
Latest CPS
Amended / added related content in order to comply with the latest Baseline Requirements

download webpage:
http://www.cfca.com.cn/us/us-09.htm
download url:
http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar
Attachment #816212 - Attachment is obsolete: true
Posted file PwC&CFCA Assertion(BR).pdf (obsolete) —
Baseline Requirements audit report

webpage:
http://www.cfca.com.cn/us/us-12.htm

Download url:
http://www.cfca.com.cn/file/PwC_CFCA(en).rar
(In reply to zhaogaixia from comment #13)
> for 56zhifu.com We did gave them our Intermediate CA certificates and we
> will contact them to make sure they update the cert chain.

I just tried again, and I'm still getting the sec_error_unknown_issuer error.
One more question...

In section 1.4.1 of the CPS (http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar) the table indicates that only OCA2 can issue Code-Signing certificates. So then the Code-Signing trust bit is not needed for the "CFCA EV ROOT" cert. Correct?
For EV code signing certificates:

Yes, only OCA2 issues code signing certificates now; the EV system cannot issue code signing certificates.
We may upgrade our EV system in the future and add a code signing issuing module to it.
After that, we will include this update in our next audit report and apply for the code signing trust bit.


For the test website 56zhifu:

We contacted the network manager of 56zhifu. They claim that they have trouble deploying the certificate trust chain; we will get in touch with them and solve this issue as soon as possible. In the meantime, please test https://cs.cfca.com.cn/cgi-bin/ for CFCA GT CA's OCSP.
Attachment #8399310 - Attachment is obsolete: true
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

In the meantime, please update this bug with your responses to the recent CA Communication,
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
Response to CA:Communications (May 13, 2014)

1) Ensure that Mozilla’s spreadsheet of included root certificates has the correct link to your most recent audit statement, and that the date of the audit statement is correct.

A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent audit statement, and the audit statement date is correct.
(Highlighted green, pending)

2) Send Mozilla the link to your most recent Baseline Requirements audit statement. 

A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent Baseline Requirements audit statement.

3) Test Mozilla's new Certificate Verification library with your CA hierarchies and inform your customers of the upcoming changes as needed. 

A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.

4) Check your certificate issuance to confirm that no new certificates will be issued with the problems listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

We checked the problems on the wiki page. We have not and will not issue certificates with any of the problems listed on the mozpkix-testing#Things_for_CAs_to_Fix wiki page.

1. All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.

CFCA's intermediate certificates have no EKU.

2. Default values in a SEQUENCE must not be explicitly encoded.
We have not and will not issue certificates with this problem.

3. Basic constraints: pathLenConstraint must not be included if cA is false.
We noticed that CAs that have this problem have the value "0" in the pathLenConstraint field. We do not have this problem.

4. OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE.
I just tested our GT OCSP and EV OCSP responses and found no empty SEQUENCE in the responses.

5. Key identifiers match.
I tested our customers' websites and trust chains; the key identifiers match.

5) Send Mozilla information about your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, as per Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.

Certificate chain download page:
https://www.cfca.com.cn/zhengshu/zhengshu.htm

Certificate chain for GT system (download URL):
https://www.cfca.com.cn/file/qqfwq-zhengshulian.zip

Certificate chain for EV system (download URL):
https://www.cfca.com.cn/file/EVSSL.zip

Our CPS and audit report cover all certificates above.

A) All subordinate CA certificates chaining up to our certificates in Mozilla's CA program are disclosed as requested.
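Items 2 and 3 of the CA Communication response above (default values explicitly encoded in a SEQUENCE; pathLenConstraint present when cA is false) are both encoding properties of the BasicConstraints extension. The following is an added example, not code from this bug or from CFCA or Mozilla: a minimal stdlib-only DER decoder for that extension value that flags both problems, run over constructed sample encodings that are not taken from any real certificate.

```python
# Added example (not part of the bug thread or of any CA's tooling): decode the
# X.509 BasicConstraints extension value and flag the two mozpkix-related
# encoding problems discussed above:
#   - a DEFAULT value (cA FALSE) encoded explicitly, which DER forbids, and
#   - pathLenConstraint present while cA is FALSE.
# All sample encodings below are constructed for the demonstration.

def _read_tlv(buf, pos):
    """Decode one DER TLV (single-byte tag, short or long length form).
    Returns (tag, value_bytes, position after the TLV)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def check_basic_constraints(der):
    """Parse BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
    pathLenConstraint INTEGER (0..MAX) OPTIONAL } and return
    (ca, path_len, problems), where problems is a list of findings."""
    problems = []
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        return None, None, ["extension value is not a single SEQUENCE"]
    ca, path_len, pos = False, None, 0
    if pos < len(body) and body[pos] == 0x01:          # BOOLEAN present
        _, val, pos = _read_tlv(body, pos)
        if val == b"\x00":
            # DER rule: a component equal to its DEFAULT must be omitted
            problems.append("cA FALSE is explicitly encoded (DER default-value violation)")
        elif val == b"\xff":
            ca = True
        else:
            problems.append("BOOLEAN value is not DER (must be 0x00 or 0xFF)")
    if pos < len(body) and body[pos] == 0x02:          # INTEGER present
        _, val, pos = _read_tlv(body, pos)
        path_len = int.from_bytes(val, "big", signed=True)
        if not ca:
            problems.append("pathLenConstraint present although cA is FALSE")
        if path_len < 0:
            problems.append("pathLenConstraint is negative")
    if pos != len(body):
        problems.append("trailing bytes inside BasicConstraints SEQUENCE")
    return ca, path_len, problems


# Constructed samples (not taken from any CFCA certificate):
GOOD_CA_PATHLEN0 = bytes.fromhex("30060101ff020100")   # cA TRUE, pathLen 0
GOOD_EE = bytes.fromhex("3000")                        # end-entity: empty SEQUENCE
BAD_EXPLICIT_FALSE = bytes.fromhex("3003010100")       # cA FALSE encoded explicitly
BAD_EE_PATHLEN = bytes.fromhex("3003020100")           # cA absent (FALSE) but pathLen 0

if __name__ == "__main__":
    for name in ("GOOD_CA_PATHLEN0", "GOOD_EE", "BAD_EXPLICIT_FALSE", "BAD_EE_PATHLEN"):
        print(name, check_basic_constraints(globals()[name]))
```

The bytes passed in are the extension's extnValue contents (the inner OCTET STRING payload), which is what a certificate linter would hand to such a check.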
I am now opening the first public discussion period for this request from China Financial Certification Authority (CFCA) to include the “CFCA GT CA” and “CFCA EV ROOT” root certificates, turn on all three trust bits for the “CFCA GT CA” root certificate, turn on the websites trust bit for the “CFCA EV ROOT” root certificate, and enable EV treatment for the “CFCA EV ROOT” certificate.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “CFCA Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of CFCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
The first public discussion period for this request is now over.

Of Note:
1) This request has been changed to be only for the “CFCA EV ROOT” root certificate.
2) A second public discussion period will be needed after the following action items are completed.

ACTION CFCA: State (in this bug) CFCA's plan for remediation of all of the issues noted in the discussion.

ACTION CFCA: Decide if CFCA will be re-audited by the same auditor, or by a different auditor. And get re-audited.

ACTION PwC: Provide a plan to improve PwC audits so that the oversights that were found during this discussion will not be missed in future PwC audits.
Whiteboard: EV - In Public Discussion → EV - CA Action Items from First Discussion
①Quote
"ACTION CFCA: State (in the bug) CFCA's plan for remediation of all of
the issues noted in this discussion."

Issues noted in public discussion:
1. No SAN in certificate
2. MIME type of AIA URI and CRLDP is text/plain
3. OCSP signer certificate's public key, validity period and extensions
4. Root key generation ceremony
5. CRL number field in the CRL downloaded from the CRLDP
6. Issue related to OCA2-SHA1 and OCA2-SHA256 with the same serial number

CFCA's explanation / plan for all the issues (EV system):

1. No SAN (Subject Alt Name)

The EV test website and other EV certificates (and the issuing model): EV subject certificates have a SAN and have no problem.

2. MIME type

The MIME type problem is not within the CA issuing system (this means there is no problem with the certificates' fields) but in the download server for the AIA URL and CRLDP.

The download server is updated and this problem is fixed.

3. OCSP signer certificate

The OCSP signing certificate issuing model is fixed; new OCSP signing certificates will have at least 2048-bit public keys, and the validity period is set to less than 2 years.
The OCSP system for EV is updated and fixed.

4. Root key generation ceremony

This is not a problem; as explained in the public discussion, our root key generation ceremony is valid and is included in the report by default.

5. CRL number field in the CRL downloaded from the CRLDP

CFCA's plan on this issue is to update the model and make sure it complies with X.509/RFC 5280: the CRL number will be a positive number and will increase every time its content changes.

The problem is updated and fixed.

6. Issue related to OCA2-SHA1 and OCA2-SHA256

The EV system has no problem related to this issue: the EV system only has SHA-256 end-entity certificates, and only one intermediate certificate (EV OCA, SHA256) that is capable of issuing end-entity certificates.

②Quote
"Decide if CFCA will be re-audited by the same auditor, or
by a different auditor. And get re-audited."

CFCA will be re-audited by the same auditor: PwC.

③Quote
“ACTION PwC: Provide a plan to improve PwC audits so that the oversights
that were found during this discussion will not be missed in future PwC
audits.”

The audit plan is updated as an attachment.

Should there be any problem or inadequacy, please inform us; we will resolve the issue as soon as possible.
(In reply to zhaogaixia from comment #26)
> “ACTION PwC: Provide a plan to improve PwC audits so that the oversights 
> that were found during this discussion will not be missed in future PwC 
> audits. ”
> 
> The audit plan is updated as an attachment.
> 
> Should there be any problem/Inadequate, please inform us, we will resolve
> the issue as soon as possible.

I think it looks reasonable.

Please attach the new audit statement to this bug when it is available.
Attachment #8408889 - Attachment is obsolete: true
WebTrust Audit Report
EV Audit Report
BR Audit Report
Updated.

We are ready to move on. Should we join the queue for public discussion (for the second discussion)?

Our WebTrust Seal will be ready in a few days; after that we can update the CA Information Document with the Seal URL.
Attached the CA information document as output from SalesForce.

I will start the second round of discussion soon.
I am now opening the second public discussion period for this request from China Financial Certification Authority (CFCA) to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “Second Discussion of CFCA Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of CFCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - CA Action Items from First Discussion → EV - In public discussion
Posted file CFCA-CPS-2.1-en-2014.11.pdf (obsolete) —
Attachment #8399313 - Attachment is obsolete: true
Attachment #8545598 - Attachment is obsolete: true
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where China Financial Certification Authority (CFCA) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
CFCA appears to provide a service relevant to Mozilla users. CFCA accounts for more than 50% of the total amount of certificates issued in China. There are more than 200 Chinese banks that are using CFCA’s certificates to ensure the security of online banking trade.

CA Document Repository: http://www.cfca.com.cn/us/us-12.htm
CP: http://www.cfca.com.cn/us/us-12.htm
CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8545612

Inclusion Policy Section 7 [Validation]. 
* SSL Verification Procedures: CFCA verifies that the certificate applicant owns/controls the domain name to be included in the certificate as described in section 3.2.2.3 of the CPS: CFCA performs a WHOIS inquiry on the internet for the domain name supplied by the applicant, to verify that the applicant is the entity to whom the domain name is registered. Where the WHOIS record indicates otherwise, CFCA will ask for a letter of authorization, or email to the register to inquiry whether the applicant has been authorized to use the domain name. To verify the public IP, the subscriber can supply a sealed paper document or email from the ISP showing the IP is allocated by the ISP to the applicant.
EV SSL Verification Procedures are described in section 3.2.2.4 of the CPS.
* Email Verification Procedures: Not requesting Email trust bit for this root.
* Code Signing Subscriber Verification Procedure: Not requesting Code Signing trust bit for this root.

Inclusion Policy Sections 11-14 [Audit].
Annual audits are performed by PricewaterhouseCoopers, according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1788&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1787&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1786&file=pdf

Root Certificate 1 of 1
Root Certificate Name: CFCA EV ROOT
O From Issuer Field: China Financial Certification Authority
Trust Bits: Websites
EV Policy OID(s): 2.16.156.112554.3

Root Certificate Download URL: https://bugzilla.mozilla.org/attachment.cgi?id=8356494

CRL URLs: 
http://crl.cfca.com.cn/evrca/RSA/crl1.crl
http://crl.cfca.com.cn/evoca/RSA/crl1.crl

OCSP URL: http://ocsp.cfca.com.cn/ocsp/

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: CFCA EV ROOT has one internally-operated subordinate CA; CFCA EV OCA
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.

Based on this assessment, I intend to approve this request from CFCA to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment.
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #38, and on behalf of Mozilla I approve this request from China Financial Certification Authority (CFCA) to include the following root certificate:

** "CFCA EV ROOT" (websites), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1131698
Depends on: 1131699
I have filed bug #1131698 against NSS and bug #1131699 against PSM for the actual changes.
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.18, Firefox 38 -- Pending PSM changes for EV
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.18, Firefox 38 -- Pending PSM changes for EV → In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40
Product: mozilla.org → NSS