Public Discussion re: Inclusion of the iTrusChina Root CAs

Skip to first unread message

Ben Wilson

Apr 7, 2021, 2:49:42 PMApr 7

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for iTrusChina’s vTrus Root CA and its vTrus ECC Root CA.  See, (Steps 4 through 9).

These Root CAs  are operated by iTrusChina Co., Ltd.

This current CA inclusion application has been tracked in the CCADB and in Bugzilla–

These new root CA certificates are valid from 2018 to 2043, and they are proposed for inclusion with the websites bit and EV enabled.

Mozilla is considering approving iTrusChina’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Root Certificate Information:

vTrus Root CA (RSA) -

Download –

vTrus ECC Root CA (ECC) –


iTrusChina’s current CPS is v.1.4.4 / Dec. 19, 2020

Repository location:

iTrusChina's 2021 BR Self-Assessment (PDF) is located here:


iTrusChina’s WebTrust auditor is PricewaterhouseCoopers Zhong Tian LLP, and the most recent audit reports are dated March 24, 2021. These audit reports may be downloaded by clicking on the WebTrust seals at the bottom of iTrusChina’s repository page.


I was not able to find any incidents involving iTrusChina, no misissuances were found under the iTrusChina root CAs, and the issuing CAs appeared to be properly formatted.

Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 30-April-2021.

A representative of iTrusChina must promptly respond directly in the discussion thread to all questions that are posted.

Sincerely yours,

Ben Wilson

Mozilla Root Program

Ryan Sleevi

Apr 7, 2021, 3:01:25 PMApr 7
to Ben Wilson,

I'm not used to parallel discussions for adding CAs. May I request that you put this discussion on hold until the conclusion of TunTrust? Or is this an intentional attempt to parallelize more, despite the limited resources? 

Ben Wilson

Apr 7, 2021, 3:39:09 PMApr 7
to Ryan Sleevi,
Yes, I think it is an intentional effort to process multiple applications simultaneously. As I was moving CA applicants through the queue these two just seemed to both be ready at about the same time. It was more efficient for me to handle these two at once.  Note that we also have Asseco/Certum with public discussion closing next week (4/14/2021). I'll repost that to this list right now so that there is continuity on this list.  Let's see how this goes. If it presents a problem, then we can adjust.

Ryan Sleevi

Apr 7, 2021, 3:52:39 PMApr 7
to Ben Wilson, Ryan Sleevi,
Thanks for clarifying.

In a personal capacity, while I can understand that Mozilla may have reached a level of confidence that they can handle processing these requests in parallel, I don't believe it's reasonable to expect the same of the community, since these public discussions may be the first time a number of members of the community are examining CAs in depth. This practically impacts both the quality and depth of review, as it effectively requires the community make larger and larger time commitments to handle all such reviews, or reduces the amount of time and effort focused on an individual CA.

Wearing a Google hat, Honestly, I don't think we'll be able to offer feedback here for both CAs in a parallel (time-gated) review. We'll examine the available data to help prioritize against our own stated policies, but I think realistically, we may request that the CA that does not align most with the priorities undergoes an additional public discussion when we're ready to proceed. We see significant risk to our users from trying to include CAs too quickly, and so want to make sure as much as possible that all CAs receive the same level of attention and thoroughness by dedicating specific time to focus on just a single CA.

It's an entirely reasonable goal, but the effect of running these in parallel does not mean both CAs undergo three weeks of review; it means both CAs undergo a week and a half, or less, since these processes do not linearly scale, nor should they.

Ben Wilson

Apr 20, 2021, 2:19:41 PMApr 20
to Ryan Sleevi,
Hi Ryan,
Kathleen and I discussed iTrusChina's and TunTrust's root inclusion applications this morning and agreed that we should extend the public discussion period and leave them open for discussion beyond April 30th. Meanwhile, I will work on follow-up questions for them regarding their added value to users vs. added risk.

Andrew Ayer

May 21, 2021, 9:22:59 AMMay 21
On Wed, 7 Apr 2021 12:49:29 -0600
Ben Wilson <> wrote:


> reports verification errors for these roots' CRLs, which I was
able to reproduce using the openssl command. Could iTrusChina
investigate and file an incident report about this?


yutian zheng

May 24, 2021, 10:50:01 AMMay 24
to, Andrew Ayer
Hi Andrew,

We have submitted this issue to our security and R&D team and started the investigation,and we will release the incident report later today.

Yutian Zheng
iTrusChina Co.,Ltd.

yutian zheng

May 24, 2021, 11:21:33 PMMay 24
to, yutian zheng, Andrew Ayer
Our R&D team has investigated this issue and found the problem. I published an incident report in bugzilla:, we will add more details and progress on this page later.
Reply all
Reply to author
0 new messages