I'm writing to invite views from members of this group on a plan for a new cross-certificate that could extend Android device compatibility for TLS server certificates of Hongkong Post Certification Authority.
For over 19 years, Hongkong Post Certification Authority has been issuing TLS server certificates to local organizations for deployment on websites in Hong Kong. Since 2019, all TLS server certificates have been rolled over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to replace the old Root CA1, which is due to expire in May 2023. We have also implemented a cross-certificate signed by the old Root CA1, valid from Aug 2017 to May 2023, enabling end-users in Hong Kong who are using older desktop/mobile devices pre-loaded with the old Root CA1 only to access local websites using TLS server certificates issued under Root CA3. In April 2022, we published via our news announcement (https://www.ecert.gov.hk/news/press/95.html) the approval of Root CA3 by various root programs, including Google's acceptance of Root CA3 in Chrome browsers starting from Android version 11.
However, it is foreseeable that upon the expiry of the old Root CA1 in May 2023, there will be a significant impact on Hong Kong end-users accessing local websites that use TLS server certificates issued under Root CA3, as there is still a substantial number of Hong Kong residents using Android version 10 or below, which is not pre-loaded with Root CA3. Therefore, we plan to model the previous practice of "Let's Encrypt" in managing the similar expiry of its Root Certificate in 2021, in order to minimize the impact on the accessibility of local websites under Root CA3 for old Android device users arising from the expiry of Root CA1. As such, we will issue a new cross-certificate signed by Root CA1, extended by 3 years to May 2026, to replace the old cross-certificate, with a view to giving a transition period of 3 years for the retirement of old Android devices among the end-user population in Hong Kong. The new cross-certificate is aimed only at building trust for website accessibility by Android users, and no other certificates will be issued under it. Besides, the planned arrangement should have little implication for global Internet users, as all TLS server certificates are mainly deployed for websites in Hong Kong.
We have discussed with our auditor (who is helping us with the annual assessment for the WebTrust Seal) to ensure our plan raises no compliance concern.
Due to time urgency, we are targeting to issue the new cross-certificate in mid-July 2022, and then I'll register it on the CCADB.
Your views, if any, to make the plan better prepared are highly appreciated.