On 04/06/2015 01:43 PM, Eugene wrote:
> I just checked the CPS of Gandi and the CPS of PublicCA of Chunghwa Telecom, both published in 2009. They are indeed not compliant with the current BR:
>
> "Gandi CA Certification Practice Statement" section 6.3.2: "The validity period of Gandi certificates varies dependent on the certificate type, but typically, a certificate will be valid for 1 to 5 years."[1]
>
> "Public Certificate Authority Certification Practice Statement" section 6.3.2.2: "The length of the publicCA subscriber public key and private key is RSA 1024 bits: The maximum usage period of private key is 5 years while the maximum valid period of the public key is 5 years."[2]

For Chunghwa Telecom, there appears to be a Chinese version of the
Certificate Policy at
http://epki.com.tw/download/ePKI_CP_v1.1_RFC3647.pdf (obvious pdf
warning) linked off the Chinese equivalent of the listed page. I guess
the BR doesn't actually say it has to be updated annually in English?
Not very useful for the rest of the world, though. Actually, the BR
only mentions the word "English" in the prologue about translating the
BR itself...

My reading of the updated (Chinese, 2014-12-22) 6.3.2.2 is that it
basically matches the BR requirements in terms of key strength; as far
as I can tell, though, it says that 1024-bit keys can be 5 years (up to
Dec 31, 2013), and 2048-bit keys can be 10 years. If you want to skim
through and pick out the numbers, remember that they are using a
calendar that starts from 1911 AD for historical reasons. Obviously,
though, it would be more useful to have a properly-translated English
version instead. Please don't trust my off-the-cuff translations too
much :)
--
Mook