
Chunghwa Telecom Root Inclusion Request


Kathleen Wilson

May 18, 2009, 2:35:23 PM
As per the CA Schedule at https://wiki.mozilla.org/CA:Schedule
Chunghwa Telecom is the next request in the queue for public
discussion.

Chunghwa Telecom (a public corporation in Taiwan) has applied to add
one root CA certificate to the Mozilla root store, as documented in
the following bug:

https://bugzilla.mozilla.org/show_bug.cgi?id=448794

and in the pending certificates list here:

http://www.mozilla.org/projects/security/certs/pending/#Chunghwa%20Telecom

Summary of Information Gathered and Verified:

https://bug448794.bugzilla.mozilla.org/attachment.cgi?id=378091

Noteworthy points:

* The ePKI Root Certification Authority (eCA) root has two internally-
operated subordinate CAs: CHTCA and Public CA. CHTCA is the internal
CA of Chunghwa Telecom (CHT) which signs certificates for CHT
employees. The Public CA signs certificates for CHT clients.

* The CP and CPS documents have been provided in English.

* The request is to enable all three trust bits for this root:
Websites, Email, and Code Signing.

** eCA CPS section 3.1.8: “For a certificate to be used for SSL-
enabled servers, the registrant shall prove its ownership of the domain
(s) referenced in the certificate or its authorization from the domain
owner to act on the owner’s behalf. The Subject CA shall take
reasonable measures to verify that the registrant has registered the
domain(s) referenced in the certificate or has been authorized by the
domain owner to act on the owner’s behalf; For instance, the Subject
CA will verify the ownership of the domain name by checking against an
internal or publicly available database.”
** From CHT: “Our company also provides a DNS registration service in Taiwan;
therefore we have a lot of organization data with which to verify the application
information, or we use the whois function.”
** eCA CPS section 3.1.8: “For a certificate issued to be used for
digitally signing and/or encrypting email messages, the registrant
shall prove its ownership of the email address or its authorization
from the email address owner to act on the email address owner’s
behalf. The Subject CA shall take reasonable measures to verify that
the registrant controls the email account associated with the email
address referenced in the certificate or has been authorized by the
email address owner to act on the address owner’s behalf”
** From CHT: “After the authentication procedure finishes, they will
receive an email from PublicCA; they must then use the information in
this email to finish the certificate acceptance.”
** eCA CPS section 3.1.8: “For a certificate to be used for digitally
signing code objects, the registrant shall provide its identity for
verification. The Subject CA shall take reasonable measures to verify
that the registrant is the same entity referenced in the certificate
or has been authorized by the entity referenced in the certificate to
act on that entity’s behalf.”

* Test websites:
https://epki.com.tw/index_en.htm
https://5th.hinet.net/higoods/index.php?action=member_login&b_action=shopping_cart

* Chunghwa Telecom provides both CRL and OCSP.
** Next update for CRLs of end-entity certs is 48 hours.
** The AIA extension of any EE certificate issued by PublicCA contains
the URL of the OCSP responder.

** Note: I recently requested updated test websites; when I tried to
import the corresponding CRLs into Firefox I got Error Code: ffffe095.
Chunghwa Telecom is working to fix this as soon as possible.

* Chunghwa Telecom has been audited against the WebTrust CA criteria,
and their audit of October, 2008, is posted on the cert.webtrust.org
website.

This begins the one-week discussion period. After that week, I will
provide a summary of issues noted and action items. If there are no
outstanding issues, then this request can be approved for inclusion.
If there are outstanding issues or action items, then an additional
discussion may be needed as follow-up.

Kathleen
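The revocation bullets above make two checkable claims: every end-entity certificate from PublicCA carries an OCSP responder URL in its AIA extension, and end-entity CRLs have a next-update window of 48 hours. The following is an added example, not code from this thread, from Mozilla or from Chunghwa Telecom, of how a reviewer could verify both mechanically without any third-party library: a minimal DER walker that pulls the accessMethod/URI pairs out of an AIA extension value, plus a freshness check on a CRL's thisUpdate/nextUpdate pair. The AIA bytes and the URIs in it (ocsp.example.net, ca.example.net) are constructed for the example and do not come from any real certificate.

```python
"""Minimal DER walker for the Authority Information Access (AIA) extension
(RFC 5280 section 4.2.2.1) and a CRL freshness check.  Sample data below is
constructed for the example; nothing here touches the network."""
from datetime import datetime, timedelta, timezone

# Well-known access-method OIDs from RFC 5280, in dotted form.
ID_AD_OCSP = "1.3.6.1.5.5.7.48.1"
ID_AD_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"


def read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: 0x81 nn, 0x82 nn nn ...
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Turn OID content octets into dotted notation (base-128 sub-identifiers)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends a sub-identifier
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_aia(ext_value):
    """Return [(access_method_oid, uri)] from a DER-encoded AIA extension value.

    AuthorityInfoAccessSyntax ::= SEQUENCE OF AccessDescription
    AccessDescription ::= SEQUENCE { accessMethod OID, accessLocation GeneralName }
    Only uniformResourceIdentifier names ([6] IMPLICIT IA5String, tag 0x86)
    are returned; other GeneralName forms are skipped.
    """
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("AIA extension value must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(seq):
        tag, desc, pos = read_tlv(seq, pos)
        if tag != 0x30:
            continue
        t_oid, oid_body, p = read_tlv(desc, 0)
        t_name, name_body, _ = read_tlv(desc, p)
        if t_oid == 0x06 and t_name == 0x86:
            out.append((decode_oid(oid_body), name_body.decode("ascii")))
    return out


def ocsp_urls(ext_value):
    """The OCSP responder URLs an EE certificate advertises (empty list = none)."""
    return [uri for oid, uri in parse_aia(ext_value) if oid == ID_AD_OCSP]


def crl_is_fresh(this_update, next_update, max_interval=timedelta(hours=48)):
    """True if the CRL's validity window is positive and no longer than max_interval."""
    return timedelta(0) < next_update - this_update <= max_interval


# Constructed sample AIA value: one OCSP entry and one caIssuers entry.
# Lengths: each AccessDescription = 10-byte OID TLV + URI TLV; outer SEQUENCE = 0x4F.
SAMPLE_AIA = bytes.fromhex(
    "304f"
    "3023" "06082b06010505073001" "8617" + b"http://ocsp.example.net".hex() +
    "3028" "06082b06010505073002" "861c" + b"http://ca.example.net/ca.crt".hex()
)

if __name__ == "__main__":
    print("AIA entries:", parse_aia(SAMPLE_AIA))
    print("OCSP responders:", ocsp_urls(SAMPLE_AIA))
    this_update = datetime(2009, 5, 18, tzinfo=timezone.utc)
    print("48h window ok:", crl_is_fresh(this_update, this_update + timedelta(hours=48)))
    print("7d window ok:", crl_is_fresh(this_update, this_update + timedelta(days=7)))
```

To run this against a real certificate, extract the AIA extension's value octets (OID 1.3.6.1.5.5.7.1.1) from the certificate's extensions sequence and pass them to `parse_aia`; an empty result from `ocsp_urls` on an EE certificate is the condition the bullet above says should never occur. Note that `read_tlv` deliberately does not handle indefinite lengths, which DER forbids, so a certificate that needs them is itself malformed.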

Eddy Nigg

May 19, 2009, 6:05:11 PM
On 05/18/2009 09:35 PM, Kathleen Wilson:

> * Chunghwa Telecom has been audited against the WebTrust CA criteria,
> and their audit of October, 2008, is posted on the cert.webtrust.org
> website.
>
> This begins the one-week discussion period. After that week, I will
> provide a summary of issues noted and action items. If there are no
> outstanding issues, then this request can be approved for inclusion.
> If there are outstanding issues or action items, then an additional
> discussion may be needed as follow-up.
>
>

Thanks Kathleen for another very well prepared request. I've seen
nothing of concern.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: star...@startcom.org
Blog: https://blog.startcom.org

Kathleen Wilson

May 26, 2009, 3:14:26 PM
Thanks Eddy!

All, If any of you have reviewed this request, would you please
indicate so in this discussion thread so I can proceed with making the
recommendation for approval? As per previous discussions, it has been
suggested that at least two people should comment on each request
before proceeding with approval.

Thanks,
Kathleen

Nelson Bolyard

May 27, 2009, 12:29:52 AM
Kathleen Wilson wrote, On 2009-05-18 11:35:

> ** eCA CPS section 3.1.8: “For a certificate issued to be used for
> digitally signing and/or encrypting email messages, the registrant
> shall prove its ownership of the email address or its authorization
> from the email address owner to act on the email address owner’s
> behalf. The Subject CA shall take reasonable measures to verify that
> the registrant controls the email account associated with the email
> address referenced in the certificate or has been authorized by the
> email address owner to act on the address owner’s behalf”

> ** From CHT: “After the authentication procedure finish, they will
> receive an email from PublicCA then they must use the information of
> this email to finish the certificate acceptance.”

This begs the question: what email address do they use for that
verification? Is it any address of the applicant's choosing?
Or is it limited to something like "postmaster@<DNS name in application>" ?


Eddy Nigg

May 28, 2009, 7:06:20 PM
On 05/27/2009 07:29 AM, Nelson Bolyard:
I think this applies to email certificates, not server certificates. The server section states:

> ** eCA CPS section 3.1.8: “For a certificate to be used for SSL-
> enabled servers, the registrant shall prove its ownership of the domain
> (s) referenced in the certificate or its authorization from the domain
> owner to act on the owner’s behalf. The Subject CA shall take
> reasonable measures to verify that the registrant has registered the
> domain(s) referenced in the certificate or has been authorized by the
> domain owner to act on the owner’s behalf; For instance, the Subject
> CA will verify the ownership of the domain name by checking against an
> internal or publicly available database.”

Therefore I believe that's just fine. The interesting thing with this CA is of course the Chinese characters (which render quite nicely in Firefox), but we've discussed that previously already with a different CA.

f...@cht.com.tw

Jun 1, 2009, 4:38:30 AM
On May 27, 12:29 PM, Nelson Bolyard <NOnelsonS...@NObolyardSPAM.me>
wrote:

This section applies to email certificates, not SSL certificates.
Our subscribers can fill in their own email in the certificate
application form.

After the authentication procedure finishes, they will receive an email
from PublicCA; they must then use the information in this email to
finish the certificate acceptance.

Regards

NienHua Cheng
ChungHwa Telecom Co., Ltd.
f...@cht.com.tw

Kathleen Wilson

Jun 1, 2009, 2:11:56 PM
Thank you to those of you who have reviewed this request and provided
your feedback. Your time and commitment to this process is greatly
appreciated!

No action items have resulted from this discussion.

This concludes the comment period for this request from Chunghwa
Telecom. I will post my recommendation for approval into the bug. If
you have further comments, please post them directly into the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=448794

Thanks,
Kathleen
