New Cross-Certificate of Hongkong Post CA for Extending Android Device Compatibility

504 views
Skip to first unread message

Man Ho

unread,
Jul 1, 2022, 11:27:21 AMJul 1
to dev-secur...@mozilla.org
Hi Everyone,

I'm writing to invite views from members of this group on a plan for new cross-certificate that could extend Android device compatibility for TLS server certificates of Hongkong Post Certification Authority.

For over 19 years, Hongkong Post Certification Authority has been issuing TLS server certificates to local organizations for deployment in websites of Hong Kong.  Since 2019, all TLS server certificates have been rolled-over to a new Hongkong Post Root CA3 Certificate ("Root CA3") to replace the old Root CA1 which is due for expiry in May 2023.  We have also implemented a cross-certificate signed by the old Root CA1, valid from Aug 2017 to May 2023 in enabling end-users of Hong Kong who are using old version of desktop/mobile devices pre-loaded with the old Root CA1 only to access local websites using TLS server certificates issued under Root CA3.   In April 2022, we have published via our news announcement (https://www.ecert.gov.hk/news/press/95.html) the inclusion of Root CA3 approved by various root programs, including Google to accept Root CA3 into Chrome browsers starting from Android version 11.  

However, it is foreseeable that upon the expiry of the old Root CA1 in May 2023, there will be significant impact for Hong Kong end-users to access local websites using TLS server certificates issued under Root CA3, as there are still substantial number of Hong Kong residents using Android version 10 or below, not yet pre-loaded with Root CA3.  Therefore, we plan to model the previous practice of "Let's Encrypt" in managing similar expiry of its Root Certificate in 2021 in order to minimize the impact of accessibility of local websites governed under Root CA3 by old Android device users arising from the expiry of Root CA1.  As such, we will issue a new cross-certificate signed by Root CA1 extended by 3 years to May 2026 in replacing the old cross-certificate, with a view to giving a transition period of 3 years for retirement of old Android devices among the end-user population in Hong Kong.  The new cross-certificate is only aimed for building trust of website accessibility by Android users and no other certificates will be issued by it.   Besides, the planned arrangement should bear little implication to global Internet users as all TLS server certificates are mainly deployed for websites of Hong Kong.

We have discussed with our auditor (who are helping us for annual assessment of WebTrust Seal) to ensure our plan with no compliance concern.

Due to time urgency, we target to issue the new cross-certificate in mid-July 2022 and then I'll register it on the CCADB.  

Your views, if any, to make the plan more well-prepared are highly appreciated.

Thank you,
Man Ho
Hongkong Post Certification Authority, Certizen


Man Ho

unread,
Jul 14, 2022, 9:40:44 AMJul 14
to dev-secur...@mozilla.org
Hi Everyone,

I would like to provide an update regarding our plan that Hongkong Post Certification Authority will model Let’s Encrypt in extending the compatibility of old Android devices for Hong Kong mobile users to access local websites using TLS server certificates issued under our new Hongkong Post Root CA3 Certificate ("Root CA3"), upon expiry of Root CA1 in May 2023.

Our several major subscribers’ of public services have recently completed research among mobile device users in Hong Kong.  It revealed that usage of the old Android devices version 10 or below (not yet pre-loaded with Root CA3) could only drop to below 5% for the Hong Kong mobile users at least after 6 years, taking into account that low-income families would slowly replace their old mobile devices.

In order to minimize the impact of accessibility of local websites using our TLS server certificates by Hong Kong mobile device users to a manageable level, we consider issuing the new cross-certificate signed by Root CA1 extended by a longer transition period of 6 years or more (instead of 3 years to May 2026). Taking into account that during the transition period, the security strength would not be affected along our existing certificate chain of trust. We have re-confirmed with our auditor to ensure our revised plan with no compliance concerns.

Due to time urgency, we will create the new cross-certificate accordingly towards late July 2022, and then I'll register it on the CCADB.  

See if any views to make the above plan more well-prepared.


Thank you,
Man Ho
Hongkong Post Certification Authority, Certizen 
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/d6f8c327-50c4-4582-bb41-5bb7e33fc4f9n%40mozilla.org.

Man Ho

unread,
Jul 27, 2022, 11:48:35 PMJul 27
to dev-secur...@mozilla.org, Man Ho
Hi Everyone,

FYI, we created the cross-certificate yesterday, 27 July 2022. And I've registered it on the CCADB. The new cross-certificate is currently under internal evaluation for Android device compatibility, so not yet publish for use by our subscribers.

Cheers,
Man
Reply all
Reply to author
Forward
0 new messages