This request is for inclusion of the Shanghai Electronic Certification
Authority Co., Ltd.
UCA Global G2 Root and UCA Extended Validation Root as documented in the
following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309797
* BR Self Assessment is here:
https://bugzilla.mozilla.org/attachment.cgi?id=8872017
* Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8963421
* Root Certificate Download URL:
Global G2 Root:
http://www.sheca.com/download/getdownloadforpdf/126
Extended Validation Root:
http://www.sheca.com/download/getdownloadforpdf/73
* CP/CPS:
CP:
https://assets-cdn.sheca.com/documents/unitrust-certificate-policy-en-v1.4.pdf
CPS:
https://assets-cdn.sheca.com/documents/sheca-certification-practice-statement-en-v3.6.2.pdf
EV CP:
https://assets-cdn.sheca.com/documents/unitrust-ev-certificate-policy-en-v1.5.pdf
EV CPS:
https://assets-cdn.sheca.com/documents/unitrust-ev-certification-practice-statement-en-v1.4.2.pdf
* This request is to include both roots with websites and email trust bits
enabled for the Global G2 Root, and the websites trust bit and EV treatment
for the Extended Validation Root.
* EV Policy OID: 2.23.140.1.1
* Test Websites
** Global G2 Root:
https://rsaovg3.good.sheca.com/
https://rsaovg3.revoked.sheca.com/
https://rsaovg3.expired.sheca.com/
** Extended Validation Root:
https://rsaevg1.good.sheca.com/
https://rsaevg1.revoked.sheca.com/
https://rsaevg1.expired.sheca.com/
* CRL URLs:
** Global G2 Root:
http://ldap2.sheca.com/root/ucaglobalg2.crl
http://ldap2.sheca.com/CA10011/RA12050100/CRL23844.crl
** Extended Validation Root:
http://ldap2.sheca.com/root/ucaevsub.crl
http://ldap2.sheca.com/CA81/RA12050100/CRL28438.crl
* OCSP URLs:
** Global G2 Root:
http://ocsp3.sheca.com/ucaglobalg2root/ucaglobalg2root.ocsp
http://ocsp3.sheca.com/ocsp/sheca/sheca.ocsp
** Extended Validation Root:
http://ocsp3.sheca.com/evroot/ev.ocsp
http://ocsp3.sheca.com/ocsp/sheca/sheca.ocsp
* Audit: Annual audits are performed by PricewaterhouseCoopers Zhong Tian
according to the WebTrust for CA, BR, and EV audit criteria.
WebTrust:
https://cert.webtrust.org/ViewSeal?id=2470
BR:
https://cert.webtrust.org/ViewSeal?id=2471
EV:
https://cert.webtrust.org/ViewSeal?id=2472
I’ve reviewed the CPs, CPSs, BR Self Assessment, and related information
for inclusion of the two SHECA roots that is being tracked in this bug and
have the following comments:
==Good==
* SHECA plans to issue code signing and TLS certificates from separate
intermediate certificates.
* While the non-EV CP permits external RAs, it expressly prohibits using
them to issue SSL certificates.
==Meh==
* Issuance of SHA-1 certs after the CA/Browser Forum deadline [1][2] This
issuance was under an older root that is not part of the current request.
* Non-EV CPS section 7.1.2 states that serial numbers are random but does
not specify the entropy requirement in BR section 7.1. The EV CP and CPS do
not contain any information about serial numbers.
* On 8-August, both root CRLs showed a “Next update” of 29-June 2018 when
tested from
revocationcheck.com [3], meaning they were expired. Neither
SHECA or I were able to reproduce this problem at a later date.
* For reference, an older root inclusion request that SHECA ultimately
decided to replace with the current request is at
https://bugzilla.mozilla.org/show_bug.cgi?id=566310
==Bad==
* A few unrevoked certificates with IP Addresses encoded as DNSName type in
the SAN [4]. I reported these to SHECA in this bug and they said that they
would revoke them, but as of this writing they are still valid.
* Common name not in SAN and multiple CN entries in one unrevoked cert [5].
I reported these to SHECA in this bug and they filed an incident report and
revoked them.
* The SHECA Global G3 Code Signing subordinate [6] and the SHECA Extended
Validation Code Signing CA [7] are not constrained to code signing and are
not named on the most recent BR audit. I reported these to SHECA in this
bug and they chose to revoke them.
* Improper encoding of 17 EV certificates [8][9]. I reported these to SHECA
in this bug and they filed an incident report and revoked them.
* Section 4.2 of all policy docs was missing the recognized CAA domain
names. The EV CP and/or CPS did not state SHECA’s CAA processing policies.
I reported these to SHECA in this bug and they updated both CPS documents.
* Global G2 Root CPS section 3.2.5 did not document the BR methods used to
perform domain validation as recommended by Mozilla policy section 2.2(3),
nor did it “clearly specify” the procedures used. I reported this to SHECA
in the bug and they updated both CPS documents.
* Version 1.3 of the Global G2 Root CP and version 3.6 of the Global G2
Root CPS were published more than a year after the prior versions in
violation of Mozilla policy section 3.3.
* Non-EV CP section 3.2.4 seemed to state that an email address included in
a certificate will not be verified. SHECA responded that they do verify
email addresses in SSL certificates, and they clarified this section of the
CP.
* Section 4.6 of the non-EV CP/CPS seemed to permit certificate renewal
without revalidation, even when the information is more than 825 days old.
SHECA updated the CPS to clarify that SSL renewal is treated as a new
application.
* EV CP/CPS section 4.9.1.1 did not include all BR required revocations
reasons, such as (6). SHECA has fixed this in the latest version of the EV
CPS.
* The CP/CPS documents contain version histories, but they didn’t describe
what changed in each version. SHECA began including this information in the
latest versions of these documents.
* The non-EV CP and CPS section 6.1 seem to permit CA generation of key
pairs for SSL certificates in violation of section 5.2 of Mozilla policy.
SHECA states that they have never generated key pairs for Subscribers and
revised this section of the CPS, but my interpretation is that the revision
does not forbid SHECA from generating subscriber key pairs.
This begins the 3-week comment period for this request [10].
I will greatly appreciate your thoughtful and constructive feedback on the
acceptance of these roots into the Mozilla CA program.
- Wayne
[1]
https://crt.sh/?cablint=211&iCAID=505&minNotBefore=2016-01-01
[2]
https://groups.google.com/d/msg/mozilla.dev.security.policy/siHOXppxE9k/771PAebFAQAJ
[3]
https://certificate.revocationcheck.com/rsaovg3.expired.sheca.com
[4]
https://crt.sh/?CAID=40266&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
[5]
https://crt.sh/?id=329498950&opt=cablint
[6]
https://crt.sh/?id=154596200
[7]
https://crt.sh/?id=154596198
[8]
https://crt.sh/?caid=40251&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
[9]
https://crt.sh/?caid=83252&opt=cablint,zlint,x509lint&minNotBefore=2017-01-01
[10]
https://wiki.mozilla.org/CA/Application_Process