As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule the China Internet Network Information Center (CNNIC) is the next request in the queue for public discussion.
CNNIC, a non-profit organization, is the state network information center of China. CNNIC takes orders from the Ministry of Information Industry (MII) to conduct daily business, while it is administratively operated by the Chinese Academy of Sciences (CAS). The CNNIC Steering Committee, a working group composed of well-known experts and commercial representatives in the domestic Internet community, supervises and evaluates the structure, operation and administration of CNNIC.
CNNIC has applied to add the “CNNIC ROOT” root certificate and enable the Websites trust bit.
* There is currently one internally-operated subordinate CA named CNNIC SSL, which offers only SSL certificates. SSL certificates may be issued to the general public, including enterprises, government, organizations, leagues, individuals, etc.
* The request is to enable the Websites trust bit.
** CPS Section 3.2: Requires proof of identification of the certificate applicant or organization representative. Enterprises, government organizations, institutions, etc. must provide the organization code certificate or legal person business license (each page affixed with an official seal).
** CPS Section 3.2: The inputer at the Local Registration Authority carries out a preliminary examination. Through the domain name registration information inquiry (whois), the inputer gets the information of the domain name registrar of the domain name certificate application, checks whether the domain name registrar is consistent with the domain name certificate applicant, and determines whether the domain name certificate applicant indeed has this domain name through preliminary examination.
** CPS Section 3.2: The RA auditor checks whether the legal domain name subscriber is consistent with the certificate applicant (also using the whois function), and whether the information is true, and compares it with the application information in the RA system. The RA auditor confirms the information with the director and the handler respectively through telephone.
** CPS Section 4.1.1.1: “The handlers for applying for domain name certificates must go to a Local Registration Authority of CNNIC Trusted Network Service Center designated by the CNNIC to submit applications.”
** CPS Section 4.1.1.2: “Documents used to prove the certificate subscriber organizations, handlers (subscribers) and identity of handlers are explained in Section 3.2 of this CPS, and applicants shall carry out application operations according to Section 3.2 of this CPS. After the Registration Authority of CNNIC Trusted Network Service Center completed the procedure of verifying identity, it emails the first thirteen numbers of the reference number and authorization code to handler and sends the last three number of these two code through cellphone. And make a paper ‘certificate on approval for CNNIC SSL Certificates’ via a safe mailing method to the certificate application handler.”
** CPS Section 4.1.2.1: “The steps for issuing and accepting single domain and wildcard domain certificates are as follows: The certificate application handler generates a certificate request CSR in the Web server. The certificate application handler accesses the CNNIC certificate download page, submits the CSR and puts in the reference number and the authorization code. CNNIC Trusted Network Service Center system automatically checks the completeness of the CSR. CNNIC Trusted Network Service Center issues a certificate and the certificate application handler downloads it and then installs it.”
* Other
** Wildcard SSL certs are provided, but they are always OV.
This begins the one-week discussion period. After that week, I will provide a summary of issues noted and action items. If there are no outstanding issues, then this request can be approved. If there are outstanding issues or action items, then an additional discussion may be needed as follow-up.
> As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule the
> China Internet Network Information Center (CNNIC) is the next request
> in the queue for public discussion.
No particular immediate issues seen, fine CA. Note to the representative of CNNIC that the cross signing of other CA certificates has not been disclosed properly in the CA policy. This should be corrected, a mere disclaimer is not sufficient.
> Note to the representative
> of CNNIC that the cross signing of other CA certificates has not been
> disclosed properly in the CA policy. This should be corrected, a mere
> disclaimer is not sufficient.
Eddy, CNNIC is happy to update their CPS as per your suggestion. However, it is unclear as to what would be considered sufficient disclosure. Do you happen to have an example that you could point them to? Or perhaps a suggestion about what they could include in their CPS to satisfy this request?
>> Note to the representative
>> of CNNIC that the cross signing of other CA certificates has not been
>> disclosed properly in the CA policy. This should be corrected, a mere
>> disclaimer is not sufficient.
> Eddy, CNNIC is happy to update their CPS as per your suggestion.
> However, it is unclear as to what would be considered sufficient
> disclosure. Do you happen to have an example that you could point them
> to? Or perhaps a suggestion about what they could include in their
> CPS to satisfy this request?
Basically it should include the circumstances for issuing (cross-signing) and the relevant requirements, suspension, and revocation of the cross-signed certificate. For example, whether the cross-signed root is handled by the CA or whether a WebTrust audit must be completed for the cross-signed roots. I think the WebTrust audit has relevant criteria for sub- and cross-signing as part of the CA's disclosure of its key and certificate life cycle.
Thank you, Eddy and Iang, for reviewing this request and providing your comments and feedback. Your contributions are greatly appreciated.
This discussion was regarding the request from the China Internet Network Information Center (CNNIC) to add the “CNNIC ROOT” root certificate and enable the Websites trust bit.
CNNIC intends to update their CPS regarding Eddy’s suggestion about further disclosing their policies about cross-signing. I do not plan to track this action item.
I will post a summary of the request and my recommendation for approval in the bug.