Public Discussion re: Inclusion of the iTrusChina Root CAs


Ben Wilson

Apr 7, 2021, 2:49:42 PM
to dev-secur...@mozilla.org

This is to announce the beginning of the public discussion phase of the Mozilla root CA inclusion process for iTrusChina’s vTrus Root CA and its vTrus ECC Root CA. See https://wiki.mozilla.org/CA/Application_Process#Process_Overview (Steps 4 through 9).

These Root CAs are operated by iTrusChina Co., Ltd.

This current CA inclusion application has been tracked in the CCADB and in Bugzilla:

https://ccadb-public.secure.force.com/mozilla/PrintViewForCase?CaseNumber=00000431

https://bugzilla.mozilla.org/show_bug.cgi?id=1554846

These new root CA certificates are valid from 2018 to 2043, and they are proposed for inclusion with the websites bit and EV enabled.

Mozilla is considering approving iTrusChina’s request. This email begins the 3-week comment period, after which, if no concerns are raised, we will close the discussion and the request may proceed to the approval phase (Step 10).

Root Certificate Information:

vTrus Root CA (RSA)

crt.sh –
https://crt.sh/?q=8A71DE6559336F426C26E53880D00D88A18DA4C6A91F0DCB6194E206C5C96387

Download –
http://wtca-cafiles.itrus.com.cn/ca/vTrusRootCA.cer

vTrus ECC Root CA (ECC)

crt.sh –
https://crt.sh/?q=30FBBA2C32238E2A98547AF97931E550428B9B3F1C8EEB6633DCFA86C5B27DD3

Download –
http://wtca-cafiles.itrus.com.cn/ca/vTrusECCRootCA.cer

CP/CPS:

iTrusChina’s current CPS is v.1.4.4 / Dec. 19, 2020
https://www.itrus.com.cn/uploads/soft/201223/2-201223110436.pdf

Repository location:

https://www.itrus.com.cn/repository

iTrusChina's 2021 BR Self-Assessment (PDF) is located here:

https://bugzilla.mozilla.org/attachment.cgi?id=9209938

Audits:

iTrusChina’s WebTrust auditor is PricewaterhouseCoopers Zhong Tian LLP, and the most recent audit reports are dated March 24, 2021. These audit reports may be downloaded by clicking on the WebTrust seals at the bottom of iTrusChina’s repository page.

Incidents:

I was not able to find any incidents involving iTrusChina, no misissuances were found under the iTrusChina root CAs, and the issuing CAs appeared to be properly formatted.

Thus, this email begins a three-week public discussion period, which I’m scheduling to close on or about 30-April-2021.

A representative of iTrusChina must promptly respond directly in the discussion thread to all questions that are posted.

Sincerely yours,

Ben Wilson

Mozilla Root Program

Ryan Sleevi

Apr 7, 2021, 3:01:25 PM
to Ben Wilson, dev-secur...@mozilla.org
Ben,

I'm not used to parallel discussions for adding CAs. May I request that you put this discussion on hold until the conclusion of TunTrust? Or is this an intentional attempt to parallelize more, despite the limited resources? 

Ben Wilson

Apr 7, 2021, 3:39:09 PM
to Ryan Sleevi, dev-secur...@mozilla.org
Ryan,
Yes, I think it is an intentional effort to process multiple applications simultaneously. As I was moving CA applicants through the queue these two just seemed to both be ready at about the same time. It was more efficient for me to handle these two at once.  Note that we also have Asseco/Certum with public discussion closing next week (4/14/2021). I'll repost that to this list right now so that there is continuity on this list.  Let's see how this goes. If it presents a problem, then we can adjust.
Ben

Ryan Sleevi

Apr 7, 2021, 3:52:39 PM
to Ben Wilson, Ryan Sleevi, dev-secur...@mozilla.org
Thanks for clarifying.

In a personal capacity, while I can understand that Mozilla may have reached a level of confidence that they can handle processing these requests in parallel, I don't believe it's reasonable to expect the same of the community, since these public discussions may be the first time a number of members of the community are examining CAs in depth. This practically impacts both the quality and depth of review, as it effectively requires the community make larger and larger time commitments to handle all such reviews, or reduces the amount of time and effort focused on an individual CA.

Wearing a Google hat, honestly, I don't think we'll be able to offer feedback here for both CAs in a parallel (time-gated) review. We'll examine the available data to help prioritize against our own stated policies, but I think realistically, we may request that the CA that does not align most with the priorities undergoes an additional public discussion when we're ready to proceed. We see significant risk to our users from trying to include CAs too quickly, and so want to make sure as much as possible that all CAs receive the same level of attention and thoroughness by dedicating specific time to focus on just a single CA.

It's an entirely reasonable goal, but the effect of running these in parallel does not mean both CAs undergo three weeks of review; it means both CAs undergo a week and a half, or less, since these processes do not linearly scale, nor should they.

Ben Wilson

Apr 20, 2021, 2:19:41 PM
to Ryan Sleevi, dev-secur...@mozilla.org
Hi Ryan,
Kathleen and I discussed iTrusChina's and TunTrust's root inclusion applications this morning and agreed that we should extend the public discussion period and leave them open for discussion beyond April 30th. Meanwhile, I will work on follow-up questions for them regarding their added value to users vs. added risk.
Thanks,
Ben

Andrew Ayer

May 21, 2021, 9:22:59 AM
to dev-secur...@mozilla.org
On Wed, 7 Apr 2021 12:49:29 -0600
Ben Wilson <bwi...@mozilla.com> wrote:

> https://crt.sh/?q=8A71DE6559336F426C26E53880D00D88A18DA4C6A91F0DCB6194E206C5C96387

> https://crt.sh/?q=30FBBA2C32238E2A98547AF97931E550428B9B3F1C8EEB6633DCFA86C5B27DD3

crt.sh reports verification errors for these roots' CRLs, which I was
able to reproduce using the openssl command. Could iTrusChina
investigate and file an incident report about this?

Regards,
Andrew
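
The check Andrew describes, reproduced as an added shell example (not code from this thread, from Mozilla, or from iTrusChina): it builds a throwaway CA and CRL in a temp directory so it runs offline, then verifies that CRL against the right issuer certificate and against a same-named certificate with a different key, so both openssl verdicts are visible. The file names, the constructed subject name and the helper names (`make_ca`, `make_crl`, `verify_crl`, `crl_summary`, `setup_demo`) are my own assumptions. For the real roots you would point `verify_crl` at the CRL crt.sh lists for the CA and the downloaded root .cer file instead of the constructed ones.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce an openssl CRL signature check offline.
# A constructed CA ("root-a") signs a CRL; "root-b" has the same subject name but a
# different key, which is what a key mismatch or a corrupted signature looks like to openssl.
set -u

WORK=${WORK:-$(mktemp -d)}
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed test CA with file prefix $1. Every CA gets the same subject name on
# purpose, so that openssl's name-based issuer lookup succeeds and only the key differs.
make_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -subj "/CN=Constructed Test Root CA" \
    -days 2 >/dev/null 2>&1
}

# Issue an empty CRL signed by CA $1, using a minimal ad-hoc config for `openssl ca`.
make_crl() {
  : > "$WORK/$1.index"
  echo 01 > "$WORK/$1.crlnumber"
  echo 01 > "$WORK/$1.serial"
  mkdir -p "$WORK/$1.certs"
  cat > "$WORK/$1.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $WORK/$1.index
new_certs_dir    = $WORK/$1.certs
serial           = $WORK/$1.serial
crlnumber        = $WORK/$1.crlnumber
certificate      = $WORK/$1.crt
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 1
policy           = policy_any
[ policy_any ]
commonName = optional
EOF
  openssl ca -config "$WORK/$1.cnf" -gencrl -out "$WORK/$1.crl" >/dev/null 2>&1
}

# Verify CRL $1 against issuer certificate $2. Returns 0 only when openssl prints
# "verify OK". The verdict text is checked rather than the exit status, because
# `openssl crl -CAfile` has not reported signature failure through its exit code
# consistently across versions.
verify_crl() {
  out=$(openssl crl -in "$1" -CAfile "$2" -noout 2>&1) || true
  printf '%s against %s: %s\n' "$1" "$2" "$out"
  case "$out" in
    *"verify OK"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print the fields a reviewer looks at first: issuer, lastUpdate and nextUpdate.
crl_summary() {
  openssl crl -in "$1" -noout -issuer -lastupdate -nextupdate
}

# Build the constructed material once; safe to call repeatedly.
setup_demo() {
  [ -f "$WORK/root-a.crl" ] && return 0
  make_ca root-a && make_ca root-b && make_crl root-a
}

setup_demo
crl_summary "$WORK/root-a.crl"
verify_crl "$WORK/root-a.crl" "$WORK/root-a.crt"   # expected: verify OK
verify_crl "$WORK/root-a.crl" "$WORK/root-b.crt" \
  || echo "-> signature does not match root-b's key, as expected"
```

Run it with `sh crl-check.sh`; it needs only the `openssl` command line tool. It checks the CRL's signature against one issuer certificate and prints the validity window; crt.sh's own error text says which kind of failure it observed, so read that first and then reproduce the specific condition.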

yutian zheng

May 24, 2021, 10:50:01 AM
to dev-secur...@mozilla.org, Andrew Ayer
Hi Andrew,

We have submitted this issue to our security and R&D team and started the investigation, and we will release the incident report later today.

Regards,
Yutian Zheng
iTrusChina Co., Ltd.

yutian zheng

May 24, 2021, 11:21:33 PM
to dev-secur...@mozilla.org, yutian zheng, Andrew Ayer
Our R&D team has investigated this issue and found the problem. I published an incident report in Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1712664; we will add more details and progress on this page later.