
CNNIC Root Inclusion Request


Kathleen Wilson

Oct 13, 2009, 1:59:27 PM
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule the
China Internet Network Information Center (CNNIC) is the next request
in the queue for public discussion.

CNNIC, a non-profit organization, is the state network information
center of China. CNNIC takes orders from the Ministry of Information
Industry (MII) to conduct daily business, while it is administratively
operated by the Chinese Academy of Sciences (CAS). The CNNIC Steering
Committee, a working group composed of well-known experts and
commercial representatives in the domestic Internet community, supervises
and evaluates the structure, operation and administration of CNNIC.

CNNIC has applied to add the “CNNIC ROOT” root certificate and enable
the Websites trust bit.

The request is documented in the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=476766

And in the pending certificates list here:

http://www.mozilla.org/projects/security/certs/pending/#CNNIC

Summary of Information Gathered and Verified:

https://bugzilla.mozilla.org/attachment.cgi?id=405902

Noteworthy points:

* The CPS has been translated into English:
http://www.cnnic.cn/uploadfiles/pdf/2009/7/3/163452.pdf

* There is currently one internally-operated subordinate CA named
CNNIC SSL, which offers only SSL certificates. SSL certificates may be
issued to the general public, including enterprises, government,
organizations, leagues, individuals, etc.

* The request is to enable the Websites trust bit.

** CPS Section 3.2 Requires proof of identification of the certificate
applicant or organization representative. Enterprises, government
organizations, institutions, etc. must provide the organization code
certificate or legal person business license (each page affixed with
an official seal).
** CPS Section 3.2: The inputer at the Local Registration Authority
carries out preliminary examination. Through the domain name
registration information inquiry (whois), the inputer gets the
information of the domain name registrar of the domain name
certificate application, checks whether the domain name registrar is
consistent with the domain name certificate applicant, and determines
whether the domain name certificate applicant indeed has this domain
name through preliminary examination.
** CPS Section 3.2: The RA auditor checks whether the legal domain
name subscriber is consistent with the certificate applicant (also
using the whois function), and whether the information is true, and
compares it with the application information in the RA system. The RA
auditor confirms the information with the director and the handler
respectively through telephone.
** CPS Section 4.1.1.1: “The handlers for applying for domain name
certificates must go to a Local Registration Authority of CNNIC
Trusted Network Service Center designated by the CNNIC to submit
applications.”
** CPS Section 4.1.1.2: “Documents used to prove the certificate
subscriber organizations, handlers (subscribers) and identity of
handlers are explained in Section 3.2 of this CPS, and applicants
shall carry out application operations according to Section 3.2 of
this CPS. After the Registration Authority of CNNIC Trusted Network
Service Center has completed the procedure of verifying identity, it
emails the first thirteen numbers of the reference number and
authorization code to the handler and sends the last three numbers of
these two codes through cellphone, and sends a paper ‘certificate on
approval for CNNIC SSL Certificates’ via a safe mailing method to the
certificate application handler.”
** CPS Section 4.1.2.1: “The steps for issuing and accepting single
domain and wildcard domain certificates are as follows: The
certificate application handler generates a certificate request CSR in
the Web server. The certificate application handler accesses the CNNIC
certificate download page, submits the CSR and puts in the reference
number and the authorization code. CNNIC Trusted Network Service
Center system automatically checks the completeness of the CSR. CNNIC
Trusted Network Service Center issues a certificate and the
certificate application handler downloads it and then installs it.”

* Test website: https://www.enum.cn/

* CNNIC provides a CRL; NextUpdate is 12 hours
* CNNIC does not currently provide OCSP

* Audit: CNNIC is audited every 12 months, according to their CPS.
CNNIC was recently audited by Ernst & Young. https://cert.webtrust.org/ViewSeal?id=935

* Other
** Wildcard SSL certs are provided, but they are always OV.

This begins the one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved. If there are
outstanding issues or action items, then an additional discussion may
be needed as follow-up.

Kathleen
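The CPS steps quoted above (Sections 3.2 and 4.1.2.1) end with the RA system "automatically checking the completeness of the CSR" before the certificate is issued. The Go program below is an added example, not CNNIC's code and not taken from the CPS, of what such a check can cover on the RA side: proof of possession via the CSR's self-signature, key strength, the subject organization matching the verified application (these certificates are OV), and, most importantly, that every name in the CSR (CN and SANs) is the domain the RA already tied to the applicant through the whois and identity checks. The Application struct, the domain example.cn, the organization name and the acceptance thresholds (RSA >= 2048 bits, exact-domain or "*.domain" coverage) are this example's own assumptions.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// Application records what the RA verified out-of-band (whois lookup, organization
// documents, telephone confirmation) before the CSR step. Constructed for this example.
type Application struct {
	ApprovedDomain string // domain the whois check tied to the applicant
	Wildcard       bool   // whether a wildcard certificate was approved
	Organization   string // organization name from the business licence
}

// newKey returns an ECDSA P-256 key for rsaBits == 0, else an RSA key of that size.
func newKey(rsaBits int) (crypto.Signer, error) {
	if rsaBits == 0 {
		return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	}
	return rsa.GenerateKey(rand.Reader, rsaBits)
}

// makeCSR plays the applicant's web server: a PEM-encoded CSR for the given subject and SAN list.
func makeCSR(cn, org string, sans []string, key crypto.Signer) ([]byte, error) {
	tmpl := &x509.CertificateRequest{
		Subject:  pkix.Name{CommonName: cn, Organization: []string{org}},
		DNSNames: sans,
	}
	der, err := x509.CreateCertificateRequest(rand.Reader, tmpl, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE REQUEST", Bytes: der}), nil
}

// nameApproved ties one requested name back to the verified domain. Assumption: a single-domain
// approval covers exactly that domain; a wildcard approval additionally covers "*.<domain>".
func nameApproved(name string, app Application) bool {
	d := strings.ToLower(app.ApprovedDomain)
	return name == d || (app.Wildcard && name == "*."+d)
}

// checkCSR is the RA-side completeness check as this example reads CPS 4.1.2.1: the CSR must
// parse, its self-signature must verify (proof that the applicant holds the private key), the key
// must be strong enough, the organization must match the verified application, and every requested
// name (CN and SANs) must be one the whois/identity checks already covered. Returns the names to issue.
func checkCSR(csrPEM []byte, app Application) (map[string]bool, error) {
	block, _ := pem.Decode(csrPEM)
	if block == nil || block.Type != "CERTIFICATE REQUEST" {
		return nil, errors.New("not a PEM-encoded certificate request")
	}
	csr, err := x509.ParseCertificateRequest(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("proof of possession failed: %w", err)
	}
	switch k := csr.PublicKey.(type) {
	case *rsa.PublicKey:
		if k.N.BitLen() < 2048 {
			return nil, fmt.Errorf("RSA key too short: %d bits", k.N.BitLen())
		}
	case *ecdsa.PublicKey: // accepted as is; a real RA would also whitelist the curve
	default:
		return nil, errors.New("unsupported public key type")
	}
	if len(csr.Subject.Organization) != 1 || csr.Subject.Organization[0] != app.Organization {
		return nil, errors.New("subject organization does not match the verified application")
	}
	approved := map[string]bool{}
	for _, n := range append([]string{csr.Subject.CommonName}, csr.DNSNames...) {
		if n = strings.ToLower(n); n == "" {
			continue // empty CN: the names come from the SANs alone
		}
		if !nameApproved(n, app) {
			return nil, fmt.Errorf("name %q is not covered by verified domain %q", n, app.ApprovedDomain)
		}
		approved[n] = true
	}
	if len(approved) == 0 {
		return nil, errors.New("CSR names no domain")
	}
	return approved, nil
}

func main() {
	app := Application{ApprovedDomain: "example.cn", Organization: "Example Ltd"} // constructed
	key, _ := newKey(0)
	csrPEM, _ := makeCSR("example.cn", "Example Ltd", []string{"example.cn", "other.cn"}, key)
	_, err := checkCSR(csrPEM, app)
	fmt.Println("rejected:", err)
}
```

The reference-number and authorization-code step from Section 4.1.1.2 (thirteen digits by email, three by cellphone) would sit in front of this check and is not modelled here; the point of the example is that the CSR stage must re-anchor every requested name to the domain that was actually verified, otherwise a CSR naming an unrelated domain would sail through a check that only looks at CSR well-formedness.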
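The post notes that CNNIC publishes a CRL with a 12-hour NextUpdate and offers no OCSP, so a relying party depends entirely on fetching a fresh, correctly signed CRL. This added Go example (not CNNIC's code) builds a constructed issuing CA and CRL and shows the relying-party check: the CRL must verify against the issuer, be current at the time of the check, and must not promise a validity window longer than the 12 hours stated. The issuer name, serial numbers and times are constructed; only the 12-hour figure comes from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MaxCRLWindow is the longest ThisUpdate-to-NextUpdate interval accepted here,
// matching the 12 hours the post reports for CNNIC's CRL.
const MaxCRLWindow = 12 * time.Hour

// newIssuer builds a self-signed CA certificate entitled to sign CRLs. It is a
// constructed stand-in for an issuing CA such as the "CNNIC SSL" subordinate.
func newIssuer() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Issuing CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der) // parsed copy carries the generated SubjectKeyId
	return cert, key, err
}

// issueCRL signs a DER CRL listing the given serial numbers, valid from
// thisUpdate until thisUpdate+window.
func issueCRL(issuer *x509.Certificate, key *ecdsa.PrivateKey, revoked []int64, thisUpdate time.Time, window time.Duration) ([]byte, error) {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: thisUpdate})
	}
	tmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          thisUpdate,
		NextUpdate:          thisUpdate.Add(window),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}

// checkCRL is the relying-party side: with no OCSP the CRL is the only revocation
// source, so it must be signed by the issuer, current at `now`, and must not claim a
// validity window longer than the CPS states. Returns the revoked serials on success.
func checkCRL(der []byte, issuer *x509.Certificate, now time.Time) (map[string]bool, error) {
	rl, err := x509.ParseRevocationList(der)
	if err != nil {
		return nil, fmt.Errorf("parse: %w", err)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	if now.Before(rl.ThisUpdate) {
		return nil, errors.New("CRL ThisUpdate is in the future")
	}
	if !now.Before(rl.NextUpdate) {
		return nil, fmt.Errorf("CRL is stale: NextUpdate %s has passed", rl.NextUpdate.UTC())
	}
	if w := rl.NextUpdate.Sub(rl.ThisUpdate); w > MaxCRLWindow {
		return nil, fmt.Errorf("CRL window %s exceeds the %s the CPS states", w, MaxCRLWindow)
	}
	revoked := map[string]bool{}
	for _, rc := range rl.RevokedCertificates {
		revoked[rc.SerialNumber.String()] = true
	}
	return revoked, nil
}

func main() {
	issuer, key, err := newIssuer()
	if err != nil {
		panic(err)
	}
	now := time.Now().Truncate(time.Second)
	crl, _ := issueCRL(issuer, key, []int64{1001}, now.Add(-time.Hour), 12*time.Hour) // constructed serial
	revoked, err := checkCRL(crl, issuer, now)
	fmt.Println("serial 1001 revoked:", revoked["1001"], "err:", err)
	stale, _ := issueCRL(issuer, key, nil, now.Add(-13*time.Hour), 12*time.Hour)
	_, err = checkCRL(stale, issuer, now)
	fmt.Println("stale CRL:", err)
}
```

A client that caches the CRL for longer than NextUpdate, or that silently accepts a download failure, loses revocation entirely when there is no OCSP fallback; treating a stale or unverifiable CRL as an error, as checkCRL does, is the conservative choice.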

Eddy Nigg

Oct 14, 2009, 9:04:10 PM
On 10/13/2009 07:59 PM, Kathleen Wilson:

> As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule the
> China Internet Network Information Center (CNNIC) is the next request
> in the queue for public discussion.
>

No particular immediate issues seen, fine CA. Note to the representative
of CNNIC that the cross signing of other CA certificates has not been
disclosed properly in the CA policy. This should be corrected; a mere
disclaimer is not sufficient.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: star...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

Kathleen Wilson

Oct 19, 2009, 2:28:11 PM
Thanks Eddy!

Does anyone else have an opinion about this request?
Shall I proceed with making the recommendation for approval?

Kathleen

Ian G

Oct 19, 2009, 4:33:19 PM
to Kathleen Wilson, dev-secur...@lists.mozilla.org

I read the audit report briefly, nothing spotted. On the whole I could
not see anything there that I would complain about.

iang

Kathleen Wilson

Oct 21, 2009, 4:37:13 PM
> Note to the representative
> of CNNIC that the cross signing of other CA certificates has not been
> disclosed properly in the CA policy. This should be corrected, a mere
> disclaimer is not sufficient.

Eddy, CNNIC is happy to update their CPS as per your suggestion.
However, it is unclear as to what would be considered sufficient
disclosure. Do you happen to have an example that you could point them
to? Or perhaps a suggestion about what they could include in their
CPS to satisfy this request?


Eddy Nigg

Oct 22, 2009, 6:08:23 AM
On 10/21/2009 10:37 PM, Kathleen Wilson:

Basically it should include the circumstances for issuing (cross-signing)
and its relevant requirements, suspension, and revocation of the
cross-signed certificate. For example, if the cross-signed root is
handled by the CA or if a WebTrust audit must be completed for the
cross-signed roots. I think the WebTrust audit has relevant criteria for
sub and cross signing as part of the CA's disclosure of its key and
certificate life cycle.

Kathleen Wilson

Oct 22, 2009, 1:47:24 PM
Thank you, Eddy and Iang, for reviewing this request and providing
your comments and feedback. Your contributions are greatly
appreciated.

This discussion was in regards to the request from the China Internet
Network Information Center (CNNIC) to add the “CNNIC ROOT” root
certificate and enable the Websites trust bit.

CNNIC intends to update their CPS in regards to Eddy’s suggestion
about further disclosing their policies about cross-signing. I do not
plan to track this action item.

I will post a summary of the request and my recommendation for
approval in the bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=476766

I am now closing this discussion. Any further follow-up on this
request should be added directly to the bug.

Thanks,
Kathleen

cghadsdsd

Nov 9, 2009, 12:02:32 AM
> CNNIC was recently audited by Ernst & Young. https://cert.webtrust.org/ViewSeal?id=935
>
> * Other
> ** Wildcard SSL certs are provided, but they are always OV.
>
> This begins the one-week discussion period. After that week, I will
> provide a summary of issues noted and action items. If there are no
> outstanding issues, then this request can be approved. If there are
> outstanding issues or action items, then an additional discussion may
> be needed as follow-up.
>
http://www.x021.com.cn
http://www.chinaxbj.org.cn
