China Internet Network Information Center (CNNIC) has applied to add the
“China Internet Network Information Center EV Certificates Root”
certificate, turn on the websites trust bit, and enable EV.
China Internet Network Information Center (CNNIC), the state network
information center of China, is a non-profit organization. CNNIC takes
orders from the Ministry of Information Industry (MII) to conduct its daily
business, while it is administratively operated by the Chinese Academy
of Sciences (CAS). The CNNIC Steering Committee, a working group
composed of well-known experts and commercial representatives in the
domestic Internet community, supervises and evaluates the structure,
operation and administration of CNNIC. The intended customers of the
CNNIC root are domain owners from the general public, including enterprises,
government bodies, organizations, leagues, individuals, etc.
Previous applications from CNNIC have generated considerable discussion.
Participants are reminded that Mozilla is committed to even-handed
analysis of applications, and objections based on alleged misbehavior
must have evidence of that misbehavior.
People in China have confirmed that they can access this discussion
forum via
http://groups.google.com/group/mozilla.dev.security.policy/. However, if
anyone finds themselves technically constrained from contributing to the
discussion, they should email their comments to me, and include an
account of their problems in connecting.
This inclusion request information and related documents may be freely
redistributed.
Previously there were many complaints regarding CNNIC about
"Zhongwenshangwang", an ActiveX browser product that helps Chinese
people access the Internet using Chinese characters. It was flagged as
malware by some anti-virus software. CNNIC stopped distribution of
this product in 2006. In recent years, CNNIC initiated and built the
Anti-Phishing Alliance of China, which is an NGO. CNNIC has
handled more than 75000 phishing websites, and protected Chinese netizens
from loss of personal information. Technically, CA root certificates cannot
be used to trace and monitor end users' Internet activities.
Additionally, CNNIC has a strict process to verify each applicant and make
sure they are a legal enterprise.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=607208
And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#CNNIC
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=622926
Noteworthy points:
* The primary documents are the CPS documents, which are also provided
in English.
CNNIC Trusted Network Service Center:
http://tns.cnnic.cn
CNNIC Policy Documents:
http://www.cnnic.cn/html/Dir/2007/04/29/4568.htm
CNNIC Trusted Network Service Center EV CPS (English):
http://www.cnnic.cn/uploadfiles/pdf/2010/9/10/141005.pdf
CNNIC Trusted Network Service Center CPS (English):
http://www.cnnic.cn/uploadfiles/20100414/CNNIC_CPS_V2_07_EN.pdf
Currently there is one internally-operated subordinate CA named CNNIC EV
SSL, which only signs EV SSL Certificates. In the future CNNIC may also
add another internally-operated subCA for issuing code signing certificates.
The request is to turn on the Websites trust bit.
As per sections 3.2 and 4.1 of the (non-EV) CPS, the Local Registration
Authority performs a domain name registration information inquiry
(whois), obtains the domain name registrar information for the domain
name certificate application, checks whether the domain name registrar
is consistent with the domain name certificate applicant, and determines
whether the domain name certificate applicant indeed owns this domain
name. Then the RA auditor checks whether the legal domain name
subscriber is consistent with the certificate applicant (also using the
whois function), checks whether the information is true, and compares it
with the application information in the RA system.
* EV CPS Section 1.10: CNNIC Trusted Network Service Center issues and
manages EV Certificates under the EV Guidelines issued on the website
http://www.cabforum. If an inconsistency arises between the clauses of the EV
Guidelines and this document, the EV Guidelines shall prevail.
* EV CPS Section 4.1.1:
1. The application operator for the EV Certificate submits application
materials to the data processor of the LRA. For an independent server (a
server whose certificate is managed by the certificate applicant itself,
the same as below), the application material shall include the following
documents:
- Identity certification of the EV Certificate applicant:
-- Provided by an enterprise: duplicate copy of the Organization Code
Certificate or the Enterprise Business License for the Enterprise's Legal
Person (with each page sealed);
-- Provided by a government authority: duplicate copy of the Organization
Code Certificate (with each page sealed);
-- Provided by an institution: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Provided by a social club: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Account opening certificate issued by a bank (with each page sealed).
- Original copy of the application letter for EV Certificate registration
(with each page sealed).
- When the EV Certificate applicant is an enterprise/government
authority/institution/social club, duplicate copies of the identity
certificates of the manager and the operator need to be submitted.
For a hosted server (a server whose certificate is managed by another
organization authorized by the certificate applicant, the same as
below), the certificate is handled by the authorized organization and
the application material shall include the following documents:
- Identity certification of the EV Certificate applicant:
-- Provided by an enterprise: duplicate copy of the Organization Code
Certificate or the Enterprise Business License for the Enterprise's Legal
Person (with each page sealed);
-- Provided by a government authority: duplicate copy of the Organization
Code Certificate (with each page sealed);
-- Provided by an institution: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Provided by a social club: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Account opening certificate issued by a bank (with each page sealed).
- Original copy of the application letter for EV Certificate registration
(with each page sealed).
- Duplicate copy of the identity certification of the operator of the
authorized organization.
- When the EV Certificate applicant is an enterprise/government
authority/institution/social club, a duplicate copy of the identity
certificate of the manager needs to be submitted.
2. The data processor of the LRA carries out primary verification. It
obtains, through the domain name registration inquiry (whois) function, the
domain name registration material for the applied-for EV Certificate,
checks whether the domain name registrant is identical with the applicant
for the EV Certificate, and determines through this primary verification
whether the EV Certificate applicant actually owns that domain name.
3. After the primary verification by the data processor of the LRA is passed,
the above material is entered through the RA system; the application and
all the paper application material are submitted to the RA reviewer of the
CNNIC RA. If the primary verification is not passed, the EV Certificate
applicant is required to modify the domain name registration material and
then apply for the EV Certificate again.
4. The RA reviewer verifies whether the legal domain name holder is
identical with the certificate holder (the whois function is also used),
examines whether the material is true, compares it with the application
information in the RA system, and meanwhile confirms with the
manager and the operator by phone.
5. If the confirmation is passed, the RA reviewer will log on to the RA system,
approve the certificate application, and send the first 13 digits of the
Reference No. and Authorization Code by email and the last 13 digits by
phone to the operator of the certificate application. If the confirmation
fails to be passed, the EV Certificate application is rejected; all
materials will be returned to the LRA and the reasons for rejection will be
added. The LRA will communicate with the application operator, make the
relevant modifications in response to the rejection reasons, and reapply.
6. When the application letter is submitted to a legal processing
authority delegated by the Trusted Network Service Center, there must be
an attestation certificate issued onsite by the authority's personnel, and
the attesting personnel shall sign the certificate.
* EV Policy OID: 1.3.6.1.4.1.29836.1.10
* Root Cert URL
http://www.cnnic.cn/download/cert/CNNICEVROOT.cer
* Test Website
https://evdemo.cnnic.cn/
* CRL
http://www.cnnic.cn/download/evrootcrl/crl1.crl
http://www.cnnic.cn/download/evcrl/crl1.crl
CPS Sections 4.5.9 and 4.5.10: the CRL of the intermediate root is issued every 12 hours
* OCSP
http://ocsproot.cnnic.cn
http://ocspev.cnnic.cn
EV CPS Section 2.13.1: maximum validity period of an OCSP response is 12 hours
* Audit: Annual audits are performed by Ernst & Young according to the
WebTrust CA and WebTrust EV criteria and posted on the
webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1204
https://cert.webtrust.org/ViewSeal?id=1205
* Potentially Problematic Practices
(http://wiki.mozilla.org/CA:Problematic_Practices): None Noted
This begins the discussion of the request from CNNIC to add the “China
Internet Network Information Center EV Certificates Root” certificate,
turn on the websites trust bit, and enable EV. At the conclusion of this
discussion I will provide a summary of issues noted and action items. If
there are outstanding issues, then an additional discussion may be
needed as follow-up. If there are no outstanding issues, then I will
recommend approval of this request in the bug.
I would appreciate thoughtful and constructive input on this request.
Kathleen