
Are CAs required to update their CPS annually


Eugene

Apr 4, 2015, 11:55:41 AM
to mozilla-dev-s...@lists.mozilla.org
According to the CA Baseline Requirements section 8.2.1, "The CA SHALL develop, implement, enforce, and **annually update** a Certificate Policy and/or Certification Practice Statement that describes in detail how the CA implements the latest version of these Requirements."

But it seems that, among fifteen root and intermediate CAs that I have checked, four of them haven't updated their CP or CPS documents for more than one year.

All the CAs that I have checked are:
Google, Symantec, Go Daddy, DigiCert, CNNIC, GlobalSign, Microsoft, CyberTrust, GeoTrust, WoSign, StartCom, Comodo, Buypass, Chunghwa Telecom, China Financial CA

Four CAs whose CPS docs are older than 1 year:
* Google Internet Authority G2 (signed by GeoTrust Global CA): https://pki.google.com/index.html, last updated on September 2, 2013
* CNNIC: http://www.cnnic.cn/cps/, July 1, 2013
* StartCom: https://www.startssl.com/policy.pdf, October 31, 2012
* Chunghwa Telecom: https://epki.com.tw/repository_en.htm, January 19, 2009

Do they violate the Baseline Requirements?

Jeremy Rowley

Apr 4, 2015, 11:57:24 AM
to Eugene, mozilla-dev-s...@lists.mozilla.org
We update ours annually. A new one is about to be posted.
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Jeremy Rowley

Apr 4, 2015, 11:59:55 AM
to Eugene, mozilla-dev-s...@lists.mozilla.org
Should have read your email more carefully. Yes, all CAs are required to update annually. Those that don't are out of compliance. I think it's even one of the criteria under WebTrust.

Gervase Markham

Apr 6, 2015, 5:16:49 AM
to Eugene
On 04/04/15 04:20, Eugene wrote:
> According to the CA Baseline Requirements section 8.2.1, "The CA
> SHALL develop, implement, enforce, and **annually update** a
> Certificate Policy and/or Certification Practice Statement that
> describes in detail how the CA implements the latest version of these
> Requirements."
>
> But it seems that, among fifteen root and intermediate CAs that I
> have checked, four of them haven't updated their CP or CPS documents
> for more than one year.

While I am keen on CAs following the BRs, and if the BRs say it they
should do it, I'd be interested to know if anyone knows _why_ this is a
requirement. If nothing has changed about the CA's CP or CPS, why is
there a need to change the date on it every year?

Gerv

Kurt Roeckx

Apr 6, 2015, 5:42:45 AM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org, Eugene
On Mon, Apr 06, 2015 at 10:16:14AM +0100, Gervase Markham wrote:
> On 04/04/15 04:20, Eugene wrote:
> > According to the CA Baseline Requirements section 8.2.1, "The CA
> > SHALL develop, implement, enforce, and **annually update** a
> > Certificate Policy and/or Certification Practice Statement that
> > describes in detail how the CA implements the latest version of these
> > Requirements."
> >
> > But it seems that, among fifteen root and intermediate CAs that I
> > have checked, four of them haven't updated their CP or CPS documents
> > for more than one year.
>
> While I am keen on CAs following the BRs, and if the BRs say it they
> should do it, I'd be interested to know if anyone knows _why_ this is a
> requirement. If nothing has changed about the CA's CP or CPS, why is
> there a need to change the date on it every year?

I think the point is that changes in the BR might require you to
update it.


Kurt

Eugene

Apr 6, 2015, 11:29:15 AM
to mozilla-dev-s...@lists.mozilla.org
Thanks! Yes, I think it is a required item in the WebTrust audit as well. But, for example, Google's CPS was updated on Sept 2, 2013, so Google should have had its CPS updated by Sept 2, 2014. Right? But its audit report states "during the period October 1, 2013 through September 30, 2014 [...] The Certificate Practice Statement are available 24*7 basis and updated annually".[1]

[1] https://cert.webtrust.org/SealFile?seal=1751&file=pdf

Eugene

Apr 6, 2015, 1:53:26 PM
to mozilla-dev-s...@lists.mozilla.org
I have found four more CAs that are not compliant with this requirement:
1. Entrust: http://www.entrust.net/about/practices.cfm, last updated on Mar 4, 2014
2. Taiwan CA: https://www.twca.com.tw/Portal/english/coporate_profile/Repository.html, last updated on Jan 22, 2013
3. Trend Micro: https://www.trendmicro.com/us/enterprise/cloud-solutions/deep-security/ssl-certificates/index.html#resources, last updated on Feb 17, 2014
4. Gandi CA (signed by AddTrust): http://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf, last updated on Feb 15, 2009

Does Mozilla want to remind these CAs to update their CP/CPS? Or is it fine to relax this requirement?

Bruce

Apr 6, 2015, 2:06:08 PM
to mozilla-dev-s...@lists.mozilla.org
Hi Eugene,

Thanks for the heads up. We currently have the updated CPS under review and it will be published within the next week.

Bruce.

Jeremy Rowley

Apr 6, 2015, 3:48:01 PM
to Kurt Roeckx, Gervase Markham, mozilla-dev-s...@lists.mozilla.org, Eugene
And to make sure they at least looked at it. If nothing changed, then you can simply update the date and republish.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+jeremy.rowley=digice...@lists.mozilla.org] On Behalf Of Kurt Roeckx
Sent: Monday, April 6, 2015 3:42 AM
To: Gervase Markham
Cc: mozilla-dev-s...@lists.mozilla.org; Eugene
Subject: Re: Are CAs required to update their CPS annually

On Mon, Apr 06, 2015 at 10:16:14AM +0100, Gervase Markham wrote:
> On 04/04/15 04:20, Eugene wrote:
> > According to the CA Baseline Requirements section 8.2.1, "The CA
> > SHALL develop, implement, enforce, and **annually update** a
> > Certificate Policy and/or Certification Practice Statement that
> > describes in detail how the CA implements the latest version of
> > these Requirements."
> >
> > But it seems that, among fifteen root and intermediate CAs that I
> > have checked, four of them haven't updated their CP or CPS documents
> > for more than one year.
>
> While I am keen on CAs following the BRs, and if the BRs say it they
> should do it, I'd be interested to know if anyone knows _why_ this is
> a requirement. If nothing has changed about the CA's CP or CPS, why is
> there a need to change the date on it every year?

I think the point is that changes in the BR might require you to update it.


Kurt

Eugene

Apr 6, 2015, 4:43:18 PM
to mozilla-dev-s...@lists.mozilla.org
I just checked the CPS of Gandi and the CPS of PublicCA of Chunghwa Telecom, both published in 2009. They are indeed not compliant with the current BR:

"Gandi CA Certification Practice Statement" section 6.3.2: "The validity period of Gandi certificates varies dependent on the certificate type, but typically, a certificate will be valid for 1 to 5 years."[1]

"Public Certificate Authority Certification Practice Statement" section 6.3.2.2: "The length of the publicCA subscriber public key and private key is RSA 1024 bits: The maximum usage period of private key is 5 years while the maximum valid period of the public key is 5 years."[2]

[1] http://www.gandi.net/static/docs/en/gandi-certification-practice-statement.pdf
[2] https://epki.com.tw/download/PublicCA_CPS_English.pdf

Mook

Apr 7, 2015, 1:45:51 AM
to mozilla-dev-s...@lists.mozilla.org
On 04/06/2015 01:43 PM, Eugene wrote:
> I just checked the CPS of Gandi and the CPS of PublicCA of Chunghwa Telecom, both published in 2009. They are indeed not compliant with the current BR:
>
> "Gandi CA Certification Practice Statement" section 6.3.2: "The validity period of Gandi certificates varies dependent on the certificate type, but typically, a certificate will be valid for 1 to 5 years."[1]
>
> "Public Certificate Authority Certification Practice Statement" section 6.3.2.2: "The length of the publicCA subscriber public key and private key is RSA 1024 bits: The maximum usage period of private key is 5 years while the maximum valid period of the public key is 5 years."[2]
For Chunghwa Telecom, there appears to be a Chinese version of the
Certificate Policy at
http://epki.com.tw/download/ePKI_CP_v1.1_RFC3647.pdf (obvious pdf
warning) linked off the Chinese equivalent of the listed page. I guess
the BR doesn't actually say it has to be updated annually in English?
Not very useful for the rest of the world, though. Actually, the BR
only mentions the word "English" in the prologue about translating the
BR itself...

My reading of the updated (Chinese, 2014-12-22) 6.3.2.2 is that it
basically matches the BR requirements in terms of key strength; as far
as I can tell, though, it says that 1024-bit keys can be 5 years (up to
Dec 31, 2013), and 2048 bit keys can be 10 years. If you want to skim
through and pick out the numbers, remember that they are using a
calendar that starts from 1911 AD for historical reasons. Obviously,
though, it would be more useful to have a properly-translated English
version instead. Please don't trust my off-the-cuff translations too
much :)

--
Mook
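The two CPS clauses quoted above (Gandi's "1 to 5 years" validity, Chunghwa Telecom's RSA 1024 keys usable for 5 years) and Mook's reading of the updated Chinese text (1024-bit keys only up to Dec 31, 2013; 2048-bit keys for 10 years) are all claims about issued certificates, and those can be checked mechanically. The program below is an added example written for this archive, not code from any CA or from anyone in the thread. It assumes the Baseline Requirements limits in force when the thread was written: Appendix A (RSA keys must be at least 2048 bits in any certificate expiring after 31 December 2013) and section 9.4.1 (subscriber certificates issued after 1 July 2012 may be valid for at most 60 months, and those issued after 1 April 2015 at most 39 months). It uses only the Go standard library, generates constructed self-signed sample certificates matching the quoted CPS profiles, and reports which of those limits each one violates.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Assumed Baseline Requirements thresholds (BR v1.x Appendix A and section 9.4.1);
// these dates come from the BR text, not from the mailing-list thread.
var (
	rsa1024ExpiryCutoff = time.Date(2013, 12, 31, 23, 59, 59, 0, time.UTC)
	br60MonthEffective  = time.Date(2012, 7, 1, 0, 0, 0, 0, time.UTC)
	br39MonthEffective  = time.Date(2015, 4, 1, 0, 0, 0, 0, time.UTC)
)

// MaxValidityMonths returns the BR cap on subscriber-certificate validity
// for a certificate issued at the given time; 0 means no cap applied yet.
func MaxValidityMonths(issued time.Time) int {
	switch {
	case !issued.Before(br39MonthEffective):
		return 39
	case !issued.Before(br60MonthEffective):
		return 60
	}
	return 0
}

// MinRSABits returns the smallest RSA modulus the BR allow for a
// certificate that expires at the given time.
func MinRSABits(expires time.Time) int {
	if expires.After(rsa1024ExpiryCutoff) {
		return 2048
	}
	return 1024
}

// CheckBR returns one finding per BR limit the certificate breaks.
// Only RSA keys are size-checked; other key types are left alone.
func CheckBR(cert *x509.Certificate) []string {
	var findings []string
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		if bits, want := pub.N.BitLen(), MinRSABits(cert.NotAfter); bits < want {
			findings = append(findings, fmt.Sprintf(
				"RSA key is %d bits; BR require at least %d for a certificate expiring %s",
				bits, want, cert.NotAfter.Format("2006-01-02")))
		}
	}
	// Validity is measured in calendar months from notBefore, as the BR phrase it.
	if cap := MaxValidityMonths(cert.NotBefore); cap > 0 &&
		cert.NotAfter.After(cert.NotBefore.AddDate(0, cap, 0)) {
		findings = append(findings, fmt.Sprintf(
			"validity %s to %s exceeds the %d-month BR cap for certificates issued then",
			cert.NotBefore.Format("2006-01-02"), cert.NotAfter.Format("2006-01-02"), cap))
	}
	return findings
}

// NewSampleCert builds a constructed, self-signed certificate with the given
// RSA size and validity in years, standing in for a CA-issued one.
func NewSampleCert(bits int, notBefore time.Time, years int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "example.test"}, // constructed name
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(years, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     []string{"example.test"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	samples := []struct {
		bits, years int
		issued      time.Time
	}{
		{1024, 5, time.Date(2014, 6, 1, 0, 0, 0, 0, time.UTC)},  // Chunghwa-style profile
		{2048, 10, time.Date(2015, 4, 6, 0, 0, 0, 0, time.UTC)}, // 10-year 2048-bit profile
		{2048, 3, time.Date(2014, 6, 1, 0, 0, 0, 0, time.UTC)},  // compliant
	}
	for _, s := range samples {
		cert, err := NewSampleCert(s.bits, s.issued, s.years)
		if err != nil {
			panic(err)
		}
		fmt.Printf("RSA-%d, %d years from %s: %v\n",
			s.bits, s.years, s.issued.Format("2006-01-02"), CheckBR(cert))
	}
}
```

The 1024-bit, 5-year sample issued in 2014 trips only the key-size rule, because 60 months was still the validity cap until 1 April 2015; the 10-year 2048-bit sample issued after that date passes the key check but fails the 39-month cap. To run the same check against real certificates, replace NewSampleCert with x509.ParseCertificate over DER read from disk or from a TLS connection's PeerCertificates.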