CFCA (China Financial Certification Authority) root CA

RESOLVED FIXED

Status

NSS
CA Certificate Root Program
RESOLVED FIXED
4 years ago
3 months ago

People

(Reporter: zhaogaixia, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40)

Attachments

(16 attachments, 7 obsolete attachments)

(Reporter)

Description

4 years ago
Add CFCA's Root CA to Mozilla's trusted root list
(Reporter)

Comment 1

4 years ago
CFCA would like to add the following root to the NSS store.
The root is primarily suitable for Server and Client Authentication, Secure e-mail, Code Signing and Timestamping.


Key extensions 
•	basicConstraints: 
•	keyUsage: 
Certificate File Information


Signature Algorithm
sha256RSA

Subject DN
CN = CFCA GT CA
O = China Financial Certification Authority
C = CN

Serial Number
1e ab 9f a3

Subject KeyID

Validity time
Valid from: 21st August 2012 15:28:33
Valid to: 21st August 2042 15:28:33


Fingerprints
SHA1
MD5
URL to online CRL repository 

URL to online location of the root
(Reporter)

Comment 2

4 years ago
Created attachment 816212 [details]
CFCA CPS.pdf

Updated

4 years ago
Summary: root CA → CFCA (China Financial Certification Authority) root CA
(Reporter)

Comment 3

4 years ago
Created attachment 816416 [details]
CFCAGTROOT.cer

CFCA (China Financial Certification Authority) GT (Global Trust) root CA
(Assignee)

Updated

4 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: Information incomplete
(Assignee)

Comment 4

4 years ago
Created attachment 818131 [details]
Initial CA Information Document

The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
(Reporter)

Comment 5

4 years ago
Created attachment 8356494 [details]
CFCA_EV_root.cer
(Reporter)

Comment 6

4 years ago
Created attachment 8356496 [details]
CFCA document for FIREFOX 20140106.pdf
(Reporter)

Comment 7

4 years ago
(In reply to Kathleen Wilson from comment #4)
> Created attachment 818131 [details]
> Initial CA Information Document
> 
> The attached document summarizes the information that has been verified.
> 
> The items highlighted in yellow indicate where further information or
> clarification is needed. Please review the full document for accuracy and
> completeness.

I uploaded a new attachment, 8356496 [details], which contains the information that attachment 818131 [details] needs.
Hope this document meets your requirements.
(Reporter)

Comment 8

4 years ago
Created attachment 8356960 [details]
火狐20140108.pdf

fix EV's CA Hierarchy
Attachment #8356496 - Attachment is obsolete: true
(Assignee)

Updated

4 years ago
Whiteboard: Information incomplete → EV - Information incomplete
(Assignee)

Comment 9

4 years ago
Created attachment 8367585 [details]
Updated CA Information Document

Please respond to the items highlighted in yellow in the attached document.
(Reporter)

Comment 10

3 years ago
Created attachment 8385883 [details]
Firefox EV Treatment CFCA.jpg

Passed the EV Treatment test using Firefox Nightly.
(Reporter)

Comment 11

3 years ago
Created attachment 8385884 [details]
test_ev_roots.txt

test_ev_roots.txt file used in the EV & OCSP test
(Assignee)

Comment 12

3 years ago
Before testing, please do the following:
1) Restore the default Root Certificate Settings
https://wiki.mozilla.org/CA:UserCertDB#How_To_Restore_Default_Root_Certificate_Settings
2) Import the root certs: https://wiki.mozilla.org/CA:UserCertDB#Importing_a_Root_Certificate
3) Set OCSP to hard fail: https://wiki.mozilla.org/CA:Recommended_Practices#OCSP
4) Clear Browser History

Here's what I'm getting when I try to browse to the test websites...

Test website for the "CFCA GT CA" root cert: https://www.56zhifu.com 
The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

Intermediate CA certificates are expected to be distributed to the certificate subjects (the holders of the private keys) together with the subjects' own certificates. Those subject parties (e.g. SSL servers) are then expected to send out the intermediate CA certificates together with their own certificates whenever they are asked to send out their certificates. That is required by SSL/TLS.
Certificate authorities MUST advise their subscribers that all intermediate certificates should be installed in the servers containing the dependent subscriber certificates.


Test Website for "CFCA EV ROOT" cert: https://pub.cebnet.com.cn 
An error occurred during a connection to pub.cebnet.com.cn. The OCSP server experienced an internal error. (Error code: sec_error_ocsp_server_error)
(Reporter)

Comment 13

3 years ago
Created attachment 8389072 [details]
OCSP response.jpg

We ran several tests against the EV OCSP test site, and it seems our OCSP works well; the attachment is a screenshot of successful OCSP responses (captured using Wireshark).

Please delete the cache and then test again.

For 56zhifu.com: we did give them our Intermediate CA certificates, and we will contact them to make sure they update the cert chain.

We will take measures to prevent this from happening again.

The Baseline Requirements audit and the modification of our CPS are under way; we will update the CPS and audit reports after they are done.

Thank you Kathleen.
(Assignee)

Comment 14

3 years ago
(In reply to zhaogaixia from comment #13)
> The audit of Baseline Requirement and Modification of our CPS is on the way,
> we will update CPS and audit reports after it's done.

OK. I'll retest when I review the CPS updates and audit statement.
(Reporter)

Comment 15

3 years ago
Created attachment 8399310 [details]
CFCA-FireFox20140331.pdf

update on the information form

updates:

OV test website fixed
EV test website fixed
Baseline requirement in CPS
20 bits of unpredictable random data
OCSP test info and result
code signing verification procedure
Attachment #8356960 - Attachment is obsolete: true
(Reporter)

Comment 16

3 years ago
Created attachment 8399313 [details]
CFCA-CPS-2.0.1-en-20140331.pdf

latest CPS
Amended / added related content in order to comply with the latest Baseline Requirements

download webpage:
http://www.cfca.com.cn/us/us-09.htm
download url:
http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar
Attachment #816212 - Attachment is obsolete: true
(Reporter)

Comment 17

3 years ago
Created attachment 8408889 [details]
PwC&CFCA Assertion(BR).pdf

Baseline Requirement audit report

webpage:
http://www.cfca.com.cn/us/us-12.htm

Download url:
http://www.cfca.com.cn/file/PwC_CFCA(en).rar
(Assignee)

Comment 18

3 years ago
(In reply to zhaogaixia from comment #13)
> for 56zhifu.com We did gave them our Intermediate CA certificates and we
> will contact them to make sure they update the cert chain.

I just tried again, and I'm still getting the sec_error_unknown_issuer error.
(Assignee)

Comment 19

3 years ago
One more question...

In section 1.4.1 of the CPS (http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar) the table indicates that only OCA2 can issue Code-Signing certificates. So then the Code-Signing trust bit is not needed for the "CFCA EV ROOT" cert. Correct?
(Reporter)

Comment 20

3 years ago
Created attachment 8412460 [details]
Firefox-CFCA-20140425.pdf


For EV code signing certificate:

Yes, only OCA2 issues code signing certificates now; the EV system cannot issue code signing certificates.
We may upgrade our EV system in the future and add a code signing issuance module to it.
After that, we will include this update in our next audit report and apply for the code signing trust bit.


For the test website 56zhifu:

We contacted the network manager of 56zhifu. They claim that they have trouble deploying the certificate trust chain; we will get in touch with them and solve this issue as soon as possible. In the meantime, please test https://cs.cfca.com.cn/cgi-bin/ for CFCA GT CA's OCSP.
Attachment #8399310 - Attachment is obsolete: true
(Assignee)

Comment 21

3 years ago
Created attachment 8423345 [details]
Completed CA Information Document
(Assignee)

Comment 22

3 years ago
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion

In the meantime, please update this bug with your responses to the recent CA Communication,
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Whiteboard: EV - Information incomplete → EV - Information confirmed complete
(Reporter)

Comment 23

3 years ago
Response to CA:Communications(May 13, 2014)

1) Ensure that Mozilla’s spreadsheet of included root certificates has the correct link to your most recent audit statement, and that the date of the audit statement is correct.

A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent audit statement, and the audit statement date is correct.
(Highlighted Green, Pending)

2) Send Mozilla the link to your most recent Baseline Requirements audit statement. 

A) Mozilla’s spreadsheet of included root certificates has the correct link to our most recent Baseline Requirements audit statement.

3) Test Mozilla's new Certificate Verification library with your CA hierarchies and inform your customers of the upcoming changes as needed. 

A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.

4) Check your certificate issuance to confirm that no new certificates will be issued with the problems listed here: https://wiki.mozilla.org/SecurityEngineering/mozpkix-testing#Things_for_CAs_to_Fix

We checked the problems on the wiki page. We have not and will not issue certificates with any of the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page.

1. All new intermediate certificates that include the EKU extension and will be used for SSL certificate issuance must include the id-kp-serverAuth (1.3.6.1.5.5.7.3.1) EKU. Mozilla will stop recognizing the "Netscape Server Gated Crypto (2.16.840.1.113730.4.1)" EKU.

CFCA's intermediate certificates have no EKU.

2. Default values in a SEQUENCE must not be explicitly encoded.
We have not and will not issue certificates with this problem.

3. Basic constraints: pathLenConstraint must not be included if cA is false.
We noticed that the CAs that have this problem have the value "0" in the pathLenConstraint field; we do not have this problem.

4. OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE.
I just tested our GT OCSP and EV OCSP responses and found no empty SEQUENCE in the responses.

5. Key identifiers match.
I tested our customers' websites and trust chains; the key identifiers match.

5) Send Mozilla information about your publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program, as per Items #8, 9, and 10 of Mozilla's CA Certificate Inclusion Policy.

Certificate chain download page:
https://www.cfca.com.cn/zhengshu/zhengshu.htm

Certificate chain for the GT system (download URL):
https://www.cfca.com.cn/file/qqfwq-zhengshulian.zip

Certificate chain for the EV system (download URL):
https://www.cfca.com.cn/file/EVSSL.zip

Our CPS and audit report cover all certificates above.

A) All subordinate CA certificates chaining up to our certificates in Mozilla's CA program are disclosed as requested.
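As an added example, not code from the bug, from CFCA or from Mozilla, the following Go program uses only the standard library to build a constructed root -> OCA -> site-certificate hierarchy (Ed25519 keys, made-up names and serials), runs the mozilla::pkix "Things for CAs to Fix" checks listed in comment 23 over the leaves, and then replays the situation from comment 12 in which the browser trusts only the root and the server sends just its own certificate (the sec_error_unknown_issuer case).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue adds a random serial and a short validity to t, then signs it under parent (self-signed when nil).
func issue(t, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t.SerialNumber, _ = rand.Int(rand.Reader, big.NewInt(1<<62))
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, pk = t, key // self-signed root: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// LintLeaf runs the "Things for CAs to Fix" items from comment 23 against one end-entity certificate and its supposed issuer.
func LintLeaf(leaf, issuer *x509.Certificate) (findings []string) {
	add := func(bad bool, msg string) {
		if bad {
			findings = append(findings, msg)
		}
	}
	serverAuth := false
	for _, e := range leaf.ExtKeyUsage {
		serverAuth = serverAuth || e == x509.ExtKeyUsageServerAuth
	}
	add(len(leaf.DNSNames)+len(leaf.IPAddresses) == 0, "no subjectAltName")
	add(len(leaf.ExtKeyUsage) > 0 && !serverAuth, "EKU present but lacks id-kp-serverAuth (Netscape SGC alone no longer counts)")
	add(!leaf.IsCA && (leaf.MaxPathLen > 0 || leaf.MaxPathLenZero), "pathLenConstraint although cA is false")
	add(string(leaf.AuthorityKeyId) != string(issuer.SubjectKeyId), "authorityKeyIdentifier does not match the issuer's subjectKeyIdentifier")
	return findings
}

// VerifyServed mimics a browser that trusts only root: served[0] is the site certificate, served[1:] what the server sent with it.
func VerifyServed(served []*x509.Certificate, root *x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range served[1:] { inters.AddCert(c) }
	_, err := served[0].Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err
}

// BuildChain constructs root -> OCA -> leaf plus a defective leaf; every name here is made up for the example.
func BuildChain() (root, oca, good, bad *x509.Certificate) {
	root, rootKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed Root"}, IsCA: true, BasicConstraintsValid: true}, nil, nil)
	oca, ocaKey := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Constructed OCA"}, IsCA: true, BasicConstraintsValid: true}, root, rootKey)
	good, _ = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, oca, ocaKey)
	bad, _ = issue(&x509.Certificate{Subject: pkix.Name{CommonName: "www.example.test"}, // CN only, no SAN
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageNetscapeServerGatedCrypto}}, oca, ocaKey)
	return
}

func main() {
	root, oca, good, bad := BuildChain()
	fmt.Println(LintLeaf(good, oca), LintLeaf(bad, oca), "|", VerifyServed([]*x509.Certificate{good, oca}, root), "|", VerifyServed([]*x509.Certificate{good}, root))
}
```

The complete chain verifies and the clean leaf produces no findings; the leaf served without its OCA fails exactly the way the test site did in comment 12, and the CN-only, SGC-only leaf trips two of the checks.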
(Assignee)

Comment 24

3 years ago
I am now opening the first public discussion period for this request from China Financial Certification Authority (CFCA) to include the “CFCA GT CA” and “CFCA EV ROOT” root certificates, turn on all three trust bits for the “CFCA GT CA” root certificate, turn on the websites trust bit for the “CFCA EV ROOT” root certificate, and enable EV treatment for the “CFCA EV ROOT” certificate.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “CFCA Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of CFCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In Public Discussion
(Assignee)

Comment 25

3 years ago
The first public discussion period for this request is now over.

Of Note:
1) This request has been changed to be only for the “CFCA EV ROOT” root certificate.
2) A second public discussion period will be needed after the following action items are completed.

ACTION CFCA: State (in this bug) CFCA's plan for remediation of all of the issues noted in the discussion.

ACTION CFCA: Decide if CFCA will be re-audited by the same auditor, or by a different auditor. And get re-audited.

ACTION PwC: Provide a plan to improve PwC audits so that the oversights that were found during this discussion will not be missed in future PwC audits.
Whiteboard: EV - In Public Discussion → EV - CA Action Items from First Discussion
(Reporter)

Comment 26

3 years ago
Created attachment 8514862 [details]
CFCA-PwC Audit Plan for BR 2014.pdf

①Quote
"ACTION CFCA: State (in the bug) CFCA's plan for remediation of all of 
the issues noted in this discussion. "

Issues noted in the public discussion:
1. No SAN in certificate
2. MIME type of AIA URI and CRLDP is text/plain
3. OCSP signer certificate's public key, validity period and extensions
4. Root key generation ceremony
5. CRL number field in the CRL downloaded from the CRLDP
6. Issue related to oca2-SHA1 and oca2-SHA256 with the same serial number

CFCA's explanation / plan for all the issues (EV system):

1. No SAN (Subject Alt Name)

For the EV test website and other EV certificates (and the issuing model): EV subject certificates have a SAN and have no problem.

2. MIME type

The MIME type problem is not within the CA issuing system (that is, there is no problem with the certificates' fields) but in the download server for the AIA URL and CRLDP.

The download server has been updated and this problem is fixed.

3. OCSP signer certificate

The OCSP signing certificate issuing model is fixed; new OCSP signing certificates will have a public key of at least 2048 bits, and the validity period is set to less than 2 years.
The OCSP system for EV is updated and fixed.

4. Root key generation ceremony

This is not a problem; as explained in the public discussion, our root key generation ceremony is valid and is included in the report by default.

5. CRL number field in the CRL downloaded from the CRLDP

CFCA's plan on this issue is to update the model and make sure it complies with X.509/RFC 5280: the CRL number will be a positive number and will increase every time the CRL content changes.

The model has been updated and the problem is fixed.

6. Issue related to oca2-SHA1 and oca2-SHA256

The EV system has no problem related to this issue; the EV system only has SHA-256 end-entity certificates, and only one intermediate certificate (EV OCA, SHA256) capable of issuing end-entity certificates.

②Quote
"Decide if CFCA will be re-audited by the same auditor, or 
by a different auditor. And get re-audited.  "

CFCA will be re-audited by the same auditor: PwC.

③Quote
“ACTION PwC: Provide a plan to improve PwC audits so that the oversights 
that were found during this discussion will not be missed in future PwC 
audits. ”

The updated audit plan is attached.

Should there be any problem or inadequacy, please inform us; we will resolve the issue as soon as possible.
(Assignee)

Comment 27

3 years ago
(In reply to zhaogaixia from comment #26)
> “ACTION PwC: Provide a plan to improve PwC audits so that the oversights 
> that were found during this discussion will not be missed in future PwC 
> audits. ”
> 
> The audit plan is updated as an attachment.
> 
> Should there be any problem/Inadequate, please inform us, we will resolve
> the issue as soon as possible.

I think it looks reasonable.

Please attach the new audit statement to this bug when it is available.
(Reporter)

Comment 28

3 years ago
Created attachment 8532984 [details]
CFCA BR Auditor Report(EN) 2014.9.pdf
Attachment #8408889 - Attachment is obsolete: true
(Reporter)

Comment 29

3 years ago
Created attachment 8532986 [details]
CFCA EV Auditor Report(EN) 2014.9.pdf
(Reporter)

Comment 30

3 years ago
Created attachment 8532987 [details]
CFCA WT Auditor Report(EN) 2014.9.pdf
(Reporter)

Comment 31

3 years ago
The WebTrust audit report, EV audit report and BR audit report have been updated.

We are ready to move on. Should we join the queue for public discussion (for the second discussion)?

Our WebTrust Seal will be ready in a few days; after that we can update the CA Information Document with the seal URL.
(Reporter)

Comment 32

3 years ago
Baseline: 
https://cert.webtrust.org/ViewSeal?id=1787 

EV: 
https://cert.webtrust.org/ViewSeal?id=1786 

WebTrust:
https://cert.webtrust.org/ViewSeal?id=1788
(Reporter)

Comment 33

3 years ago
Created attachment 8545158 [details]
926029-CAInformation 2015.1.7.pdf
(Assignee)

Comment 34

3 years ago
Created attachment 8545426 [details]
Final 926029-CAInformation.pdf

Attached the CA information document as output from SalesForce.

I will start the second round of discussion soon.
(Assignee)

Comment 35

3 years ago
I am now opening the second public discussion period for this request from China Financial Certification Authority (CFCA) to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “Second Discussion of CFCA Root Inclusion Request”

Please actively review, respond, and contribute to the discussion.

A representative of CFCA must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - CA Action Items from First Discussion → EV - In public discussion
(Reporter)

Comment 36

3 years ago
Created attachment 8545598 [details]
CFCA-CPS-2.1-en-2014.11.pdf
Attachment #8399313 - Attachment is obsolete: true
(Reporter)

Comment 37

3 years ago
Created attachment 8545612 [details]
CFCA-CPS-2.1-en-2014.11.pdf
Attachment #8545598 - Attachment is obsolete: true
(Assignee)

Comment 38

3 years ago
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where China Financial Certification Authority (CFCA) has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
CFCA appears to provide a service relevant to Mozilla users. CFCA accounts for more than 50% of the total amount of certificates issued in China. There are more than 200 Chinese banks that are using CFCA’s certificates to ensure the security of online banking trade.

CA Document Repository: http://www.cfca.com.cn/us/us-12.htm
CP: http://www.cfca.com.cn/us/us-12.htm
CPS: https://bugzilla.mozilla.org/attachment.cgi?id=8545612

Inclusion Policy Section 7 [Validation]. 
* SSL Verification Procedures: CFCA verifies that the certificate applicant owns/controls the domain name to be included in the certificate as described in section 3.2.2.3 of the CPS: CFCA performs a WHOIS inquiry on the internet for the domain name supplied by the applicant, to verify that the applicant is the entity to whom the domain name is registered. Where the WHOIS record indicates otherwise, CFCA will ask for a letter of authorization, or email the registrar to inquire whether the applicant has been authorized to use the domain name. To verify the public IP, the subscriber can supply a sealed paper document or email from the ISP showing the IP is allocated by the ISP to the applicant.
EV SSL Verification Procedures are described in section 3.2.2.4 of the CPS.
* Email Verification Procedures: Not requesting Email trust bit for this root.
* Code Signing Subscriber Verification Procedure: Not requesting Code Signing trust bit for this root.

Inclusion Policy Sections 11-14 [Audit].
Annual audits are performed by PricewaterhouseCoopers, according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1788&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1787&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1786&file=pdf

Root Certificate 1 of 1

Root Certificate Name: CFCA EV ROOT
O From Issuer Field: China Financial Certification Authority
Trust Bits: Websites
EV Policy OID(s): 2.16.156.112554.3

Root Certificate Download URL: https://bugzilla.mozilla.org/attachment.cgi?id=8356494

CRL URLs: 
http://crl.cfca.com.cn/evrca/RSA/crl1.crl
http://crl.cfca.com.cn/evoca/RSA/crl1.crl

OCSP URL: http://ocsp.cfca.com.cn/ocsp/

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: CFCA EV ROOT has one internally-operated subordinate CA; CFCA EV OCA
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.

Based on this assessment, I intend to approve this request from CFCA to include the “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable EV treatment.
Whiteboard: EV - In public discussion → EV - Pending Approval
(Assignee)

Comment 39

3 years ago
As per the summary in Comment #38, and on behalf of Mozilla I approve this request from China Financial Certification Authority (CFCA) to include the following root certificate:

** "CFCA EV ROOT" (websites), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
(Assignee)

Updated

3 years ago
Depends on: 1131698
(Assignee)

Updated

3 years ago
Depends on: 1131699
(Assignee)

Comment 40

3 years ago
I have filed bug #1131698 against NSS and bug #1131699 against PSM for the actual changes.
(Assignee)

Updated

2 years ago
Whiteboard: EV - Approved - awaiting NSS and PSM changes → In NSS 3.18, Firefox 38 -- Pending PSM changes for EV
(Assignee)

Updated

2 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.18, Firefox 38 -- Pending PSM changes for EV → In NSS 3.18, Firefox 38 -- EV treatment enabled in Firefox 40

Updated

3 months ago
Product: mozilla.org → NSS