On Sat, Aug 13, 2011 at 3:00 AM,
<dev-security-...@lists.mozilla.org> wrote:
> Message: 1
> Date: Fri, 12 Aug 2011 10:09:44 -0700
> From: Kathleen Wilson <kathle...@yahoo.com>
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: SHECA Root Inclusion Request
> Message-ID: <-KqdncoM15PFw9jT...@mozilla.org>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 8/2/11 4:14 PM, Kathleen Wilson wrote:
>> SHECA has applied to add the "UCA Root" and "UCA Global Root" root
>> certificates. For the "UCA Root" the request is to enable all three
>> trust bits. For the "UCA Global Root" the request is to enable the
>> websites and code signing trust bits.
>>
>> Shanghai Electronic Certification Authority Co., Ltd. (SHECA) is a
>> Shanghai-based commercial company and is one of the biggest
>> Certification Authorities in China. SHECA is a nationally recognized CA
>> and operates under China's Electronic Signature Law. SHECA's customers
>> include individuals and companies from mainland China, Taiwan and Hong
>> Kong. Four of SHECA's major shareholders are government established
>> investment vehicles and government-owned enterprises.
>>
>> Mozilla Comment: Being affiliated with a government is not a reason that
>> Mozilla would reject a CA (there are several others already in the root
>> store for Japan, Taiwan, and others). We have not found evidence of
>> SHECA being compelled by another entity to issue an illegitimate
>> certificate (e.g. for a domain that it shouldn't).
>>
>> In past discussions regarding Chinese CAs, concerns have been raised
>> about whether discussions in the mozilla.dev.security.policy forum are
>> accessible to participants in China. Based on recent testing we believe
>> that this forum is currently accessible to people in China. Testing
>> found that Google Groups is blocked when https is used. However, the
>> mozilla.dev.security.policy forum is in plain http, so it is accessible
>> to participants in China. Anyone with information to the contrary should
>> contact us immediately.
>>
>> The request is documented in the following bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=566310
>>
>> And in the pending certificates list here:
>> http://www.mozilla.org/projects/security/certs/pending/#SHECA
>>
>> Information Gathering Document:
>> https://bugzilla.mozilla.org/attachment.cgi?id=541405
>>
>> Noteworthy points:
>>
>> * Cert Download URL
>> ** UCA Root: http://ldap2.sheca.com/root/ucaroot.der
>> ** UCA Global Root: http://ldap2.sheca.com/root/ucaglobalroot.der
>>
>> * UCA is the acronym of UniTrust Certification Authority. UniTrust is a
>> registered trademark owned by SHECA.
>>
>> * The CP/CPS documents are provided in Chinese, and English translations
>> of certain sections are provided in the Information Gathering Document.
>>
>> Certificate Policy Documents: http://www.sheca.com/policy/
>>
>> CP (copy-enabled): https://bugzilla.mozilla.org/attachment.cgi?id=447948
>>
>> CPS (copy-enabled):
>> https://bugzilla.mozilla.org/attachment.cgi?id=447947
>>
>> * UCA Root has one internally-operated intermediate CA which signs
>> end-entity certificates for web servers, e-mail, and personal ID. UCA
>> Global Root has one internally-operated intermediate CA which signs web
>> server certificates. The intermediate CAs sign end-entity certificates
>> to the general public, government, enterprise, organizations,
>> institutes, and individuals.
>>
>> * For the "UCA Root" the request is to enable all three trust bits. For
>> the "UCA Global Root" the request is to enable the websites and code
>> signing trust bits. EV-treatment is not requested at this time.
>>
>
>
> Would at least two people please review and comment on this request?
>
> Also, please encourage our colleagues in China to review and comment on
> this request.
>
> Kathleen
>
At least CNNIC has it also. It's not impressive.
The kind of comments Kathleen is requesting are objective, fact-based
comments; yours sounds quite a bit as if it were venally motivated.