Re: dev-security-policy Digest, Vol 32, Issue 15

CY Cheung

Aug 17, 2011, 3:05:25 AM
to dev-secur...@lists.mozilla.org
I am a user of SHECA's digital certificate. Their CPS and CP are well
written. I am impressed that they have obtained the WebTrust Seal
which is the first Chinese CA to have such certification. I also
noted that their root keys have been included in Microsoft's IE.
Obviously they are among the pioneers in the Chinese CA markets from
the perspective of co

On Sat, Aug 13, 2011 at 3:00 AM,
<dev-security-...@lists.mozilla.org> wrote:
> Today's Topics:
>
>   1. Re: SHECA Root Inclusion Request (Kathleen Wilson)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 12 Aug 2011 10:09:44 -0700
> From: Kathleen Wilson <kathle...@yahoo.com>
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: SHECA Root Inclusion Request
> Message-ID: <-KqdncoM15PFw9jT...@mozilla.org>
> Content-Type: text/plain; charset=windows-1252; format=flowed
>
> On 8/2/11 4:14 PM, Kathleen Wilson wrote:
>> SHECA has applied to add the "UCA Root" and "UCA Global Root" root
>> certificates. For the "UCA Root" the request is to enable all three
>> trust bits. For the "UCA Global Root" the request is to enable the
>> websites and code signing trust bits.
>>
>> Shanghai Electronic Certification Authority Co., Ltd. (SHECA) is a
>> Shanghai-based commercial company and is one of the biggest
>> Certification Authorities in China. SHECA is a national recognized CA
>> and operates under China's Electronic Signature Law. SHECA's customers
>> include individuals and companies from mainland China, Taiwan and Hong
>> Kong. Four of SHECA's major shareholders are government established
>> investment vehicles and government-owned enterprises.
>>
>> Mozilla Comment: Being affiliated with a government is not a reason that
>> Mozilla would reject a CA (there are several others already in the root
>> store for Japan, Taiwan, and others). We have not found evidence of
>> SHECA being compelled by another entity to issue an illegitimate
>> certificate (e.g. for a domain that it shouldn't).
>>
>> In past discussions regarding Chinese CAs, concerns have been raised
>> about whether discussions in the mozilla.dev.security.policy forum are
>> accessible to participants in China. Based on recent testing we believe
>> that this forum is currently accessible to people in China. Testing
>> found that Google Groups is blocked when https is used. However, the
>> mozilla.dev.security.policy forum is in plain http, so it is accessible
>> to participants in China. Anyone with information to the contrary should
>> contact us immediately.
>>
>> The request is documented in the following bug:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=566310
>>
>> And in the pending certificates list here:
>> http://www.mozilla.org/projects/security/certs/pending/#SHECA
>>
>> Information Gathering Document:
>> https://bugzilla.mozilla.org/attachment.cgi?id=541405
>>
>> Noteworthy points:
>>
>> * Cert Download URL
>> ** UCA Root: http://ldap2.sheca.com/root/ucaroot.der
>> ** UCA Global Root: http://ldap2.sheca.com/root/ucaglobalroot.der
>>
>> * UCA is the acronym of UniTrust Certification Authority. UniTrust is a
>> registered trademark owned by SHECA.
>>
>> * The CP/CPS documents are provided in Chinese, and English translations
>> of certain sections are provided in the Information Gathering Document.
>>
>> Certificate Policy Documents: http://www.sheca.com/policy/
>>
>> CP (copy-enabled): https://bugzilla.mozilla.org/attachment.cgi?id=447948
>>
>> CPS (copy-enabled):
>> https://bugzilla.mozilla.org/attachment.cgi?id=447947
>>
>> * UCA Root has one internally-operated intermediate CA which signs
>> end-entity certificates for web servers, e-mail, and personal ID. UCA
>> Global Root has one internally-operated intermediate CA which signs web
>> server certificates. The intermediate CAs sign end-entity certificates
>> to the general public, government, enterprise, organizations,
>> institutes, and individuals.
>>
>> * For the "UCA Root" the request is to enable all three trust bits. For
>> the "UCA Global Root" the request is to enable the websites and code
>> signing trust bits. EV-treatment is not requested at this time.
>>
>
>
> Would at least two people please review and comment on this request?
>
> Also, please encourage our colleagues in China to review and comment on
> this request.
>
> Kathleen

Jean-Marc Desperrier

Aug 17, 2011, 11:06:11 AM
to mozilla-dev-s...@lists.mozilla.org
CY Cheung wrote:
> I am impressed that they have obtained the WebTrust Seal
> which is the first Chinese CA to have such certification

At least CNNIC has it also. It's not impressive.

The kind of comment Kathleen is requesting is objective, fact-based
comments; yours sounds quite a bit as if it were venally motivated.
