CNNIC Inclusion Request for Additional Root


Kathleen Wilson

May 30, 2012, 4:59:28 PM
to mozilla-dev-s...@lists.mozilla.org
China Internet Network Information Center (CNNIC) has applied to add the
“China Internet Network Information Center EV Certificates Root”
certificate, turn on the websites trust bit, and enable EV.

China Internet Network Information Center (CNNIC), the state network
information center of China, is a non-profit organization. CNNIC takes
orders from the Ministry of Information Industry (MII) to conduct daily
business, while it is administratively operated by the Chinese Academy
of Sciences (CAS). The CNNIC Steering Committee, a working group
composed of well-known experts and commercial representatives in
domestic Internet community, supervises and evaluates the structure,
operation and administration of CNNIC. The objective customers of the
CNNIC root are domain owners from the general public, including
enterprises, governments, organizations, leagues, individuals, etc.

Previous applications from CNNIC have generated considerable discussion.
Participants are reminded that Mozilla is committed to even-handed
analysis of applications, and objections based on alleged misbehavior
must have evidence of that misbehavior.

People in China have confirmed that they can access this discussion
forum via
http://groups.google.com/group/mozilla.dev.security.policy/. However, if
anyone finds themselves technically constrained from contributing to the
discussion, they should email their comments to me, and include an
account of their problems in connecting.

This inclusion request information and related documents may be freely
redistributed.

Previously regarding CNNIC there were many complaints about
"Zhongwenshangwang", which is an ActiveX browser product to help Chinese
people access the internet with Chinese characters. It was flagged as
malware by some anti-virus software. CNNIC stopped distribution of
this product in 2006. In recent years, CNNIC initiated and built the
Anti-Phishing Alliance of China. This organization is an NGO. CNNIC has
handled more than 75,000 phishing websites, and protected Chinese
netizens from loss of personal information. Technically, CA root
certificates cannot be used to trace and monitor end-user’s internet
activities. Additionally, CNNIC has a strict process to verify each
applicant and make sure they are legal enterprises.

The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=607208

And in the pending certificates list here:
http://www.mozilla.org/projects/security/certs/pending/#CNNIC

Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=622926

Noteworthy points:

* The primary documents are the CPS documents, which are also provided
in English.

CNNIC Trusted Network Service Center: http://tns.cnnic.cn
CNNIC Policy Documents: http://www.cnnic.cn/html/Dir/2007/04/29/4568.htm
CNNIC Trusted Network Service Center EV CPS (English):
http://www.cnnic.cn/uploadfiles/pdf/2010/9/10/141005.pdf
CNNIC Trusted Network Service Center CPS (English):
http://www.cnnic.cn/uploadfiles/20100414/CNNIC_CPS_V2_07_EN.pdf

Currently there is one internally-operated subordinate CA named CNNIC EV
SSL, which only signs EV SSL Certificates. In the future CNNIC may also
add another internally-operated subCA for issuing code signing certificates.

The request is to turn on the Websites trust bit.

As per sections 3.2 and 4.1 of the (non-EV) CPS, the Local Registration
Authority performs a domain name registration information inquiry
(whois), gets the information of the domain name registrar of the domain
name certificate application, checks whether the domain name registrar
is consistent with the domain name certificate applicant, and determines
whether the domain name certificate applicant indeed owns this domain
name. Then the RA auditor checks whether the legal domain name
subscriber is consistent with the certificate applicant (also using the
whois function), and whether the information is true, and compares it
with the application information in the RA system.

* EV CPS Section 1.10: CNNIC Trusted Network Service Center issues and
manages EV Certificates under the EV Guideline issued on the website
http://www.cabforum. If an inconsistency arises between the clauses of
the EV Guideline and this document, the EV Guideline shall prevail.

* EV CPS Section 4.1.1:
1. The application operator for the EV Certificate submits application
materials to the data processor of the LRA. For the independent server
(the server with the certificate is managed by the certificate applicant,
the same below), the application material shall include the following
documents:
- Identity certification of the EV Certificate applicant:
-- Provided by an enterprise: duplicate copy of the Organization Code
Certificate or Enterprise Business License for the Enterprise's Legal
Person (with each page sealed);
-- Provided by a government authority: duplicate copy of the Organization
Code Certificate (with each page sealed);
-- Provided by an institution: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Provided by a social club: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Account opening certificate issued by a bank (with each page sealed).
- Original copy of the application letter for EV Certificate registration
(with each page sealed).
- When the EV Certificate applicant is an enterprise/government
authority/institution/social club, duplicate copies of the identity
certificates for the manager and operator need to be submitted.
For the hosted server (the server with the certificate is managed by
another organization authorized by the certificate applicant, the same
below), the certificate is handled by the authorized organization and
the application material shall include the following documents:
- Identity certification of the EV Certificate applicant:
-- Provided by an enterprise: duplicate copy of the Organization Code
Certificate or Enterprise Business License for the Enterprise's Legal
Person (with each page sealed);
-- Provided by a government authority: duplicate copy of the Organization
Code Certificate (with each page sealed);
-- Provided by an institution: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Provided by a social club: duplicate copy of the Organization Code
Certificate (with each page sealed);
-- Account opening certificate issued by a bank (with each page sealed).
- Original copy of the application letter for EV Certificate registration
(with each page sealed).
- Duplicate copy of the identity certification of the operator for the
authorized organization.
- When the EV Certificate applicant is an enterprise/government
authority/institution/social club, the duplicate copy of the identity
certificate for the manager needs to be submitted.
2. The data processor of the LRA carries out primary verification. It
obtains, through the domain name registration inquiry (whois) function,
the registration material for the domain name of the applied-for EV
Certificate, checks whether the domain name register is identical with
the EV Certificate applicant, and determines through primary
verification whether the EV Certificate register actually owns that
domain name.
3. After the primary verification by the LRA data processor is passed,
the above material is input through the RA system, and the application
and all paper application material are submitted to the RA reviewer of
the CNNIC RA. If the primary verification is not passed, the EV
Certificate applicant is required to modify the domain name register
material and then apply again for the EV Certificate.
4. The RA reviewer verifies whether the legal domain name holder is
identical with the certificate holder (the whois function is also used),
examines whether the material is true, compares it with the application
information in the RA system, and meanwhile confirms with the manager
and operator by phone.
5. If the confirmation is passed, the RA reviewer logs on to the RA
system, approves the certificate application and sends the first 13 bits
of the Reference No. and Authorization Code by email and the last 13 bits
by phone to the operator of the certificate application. If the
confirmation fails, the EV Certificate application is rejected; all
materials are returned to the LRA with the reasons for rejection added.
The LRA communicates with the application operator, makes the relevant
modifications according to the rejection reasons and reapplies.
6. When the application letter is submitted to the legal processing
authority delegated by the Trusted Network Service Center, there must be
a certificate of attestation issued onsite by authority personnel, and
such attesting personnel shall sign the certificate.

* EV Policy OID: 1.3.6.1.4.1.29836.1.10

* Root Cert URL
http://www.cnnic.cn/download/cert/CNNICEVROOT.cer

* Test Website
https://evdemo.cnnic.cn/

* CRL
http://www.cnnic.cn/download/evrootcrl/crl1.crl
http://www.cnnic.cn/download/evcrl/crl1.crl
CPS Sections 4.5.9 and 4.5.10: CRL of intermediate root every 12 hours

* OCSP
http://ocsproot.cnnic.cn
http://ocspev.cnnic.cn
EV CPS Section 2.13.1, Max expiration time of OCSP response: every 12 hours

* Audit: Annual audits are performed by Ernst & Young according to the
WebTrust CA and WebTrust EV criteria and posted on the webtrust.org website.
https://cert.webtrust.org/ViewSeal?id=1204
https://cert.webtrust.org/ViewSeal?id=1205

* Potentially Problematic Practices – None Noted
(http://wiki.mozilla.org/CA:Problematic_Practices)

This begins the discussion of the request from CNNIC to add the “China
Internet Network Information Center EV Certificates Root” certificate,
turn on the websites trust bit, and enable EV. At the conclusion of this
discussion I will provide a summary of issues noted and action items. If
there are outstanding issues, then an additional discussion may be
needed as follow-up. If there are no outstanding issues, then I will
recommend approval of this request in the bug.

I will appreciate thoughtful and constructive input on this request.

Kathleen

Erwann Abalea

May 31, 2012, 5:21:45 AM
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, 30 May 2012 22:59:28 UTC+2, Kathleen Wilson wrote:
> China Internet Network Information Center (CNNIC) has applied to add the
> “China Internet Network Information Center EV Certificates Root”
> certificate, turn on the websites trust bit, and enable EV.

I was recently in China (2 weeks ago), and I can confirm that Google Groups is not accessible from there, which makes it difficult for Chinese users to comment on this inclusion.

Gervase Markham

May 31, 2012, 7:30:19 AM
to mozilla-dev-s...@lists.mozilla.org
On 31/05/12 10:21, Erwann Abalea wrote:
> I was recently in China (2 weeks ago), and I can confirm that Google
> Groups is not accessible from there, which makes it difficult for
> Chinese users to comment on this inclusion.

It seems from Kathleen's message that our check came out differently;
but then, I believe the GFW works differently in different places.
Regardless, she is accepting emailed comments, and there is a specific
note that:

"This inclusion request information and related documents may be freely
redistributed."

so people inside China should feel free to republish and circulate her
post to aid informed discussion.

Gerv

Erwann Abalea

May 31, 2012, 9:12:57 AM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, 31 May 2012 13:30:19 UTC+2, Gervase Markham wrote:
> On 31/05/12 10:21, Erwann Abalea wrote:
> > I was recently in China (2 weeks ago), and I can confirm that Google
> > Groups is not accessible from there, which makes it difficult for
> > Chinese users to comment on this inclusion.
>
> It seems from Kathleen's message that our check came out differently;
> but then, I believe the GFW works differently in different places.

I read the bug ticket after writing my comment, and noticed the access confirmation for the http version of Google Groups (notice the non-TLS URL, which is redirected to an HTTPS URL).
I tried to connect from my hotel (wired), from the airport wifi, and from the wifi during the PKDBoard meeting, in Hangzhou. I had access to Gmail and Google+, but any connection attempt to Google Groups timed out.

> Regardless, she is accepting emailed comments, and there is a specific
> note that:

> "This inclusion request information and related documents may be freely
> redistributed."
>
> so people inside China should feel free to republish and circulate her
> post to aid informed discussion.

Will "no answer" be considered as "no negative comment"?

Gervase Markham

Jun 1, 2012, 7:37:31 AM
to Erwann Abalea
On 31/05/12 14:12, Erwann Abalea wrote:
> Will "no answer" be considered as "no negative comment"?

How else would you interpret silence?

Gerv

Stephen Schultze

Jun 1, 2012, 10:46:02 AM
to mozilla-dev-s...@lists.mozilla.org
Given that CNNIC is the single most controversial CA that I've ever seen
go through our approval process, and given that the pending Cert Policy
updates have the potential to affect the approval process, I propose
that consideration of this request wait until after the policy update.

David E. Ross

Jun 1, 2012, 10:58:54 AM
to mozilla-dev-s...@lists.mozilla.org
"No answer" could also be "no positive comment".

--

David E. Ross
<http://www.rossde.com/>.

Anyone who thinks government owns a monopoly on inefficient, obstructive
bureaucracy has obviously never worked for a large corporation.
© 1997 by David E. Ross

ianG

Jun 1, 2012, 11:39:23 PM
to dev-secur...@lists.mozilla.org
Alternatively, it might be better to do the process as best as possible,
and note the reservations. E.g., it is noted that the locals have less
chance to comment. It could be also noted that alternate CAs based
outside China would receive a fair hearing too.

The history of punitive tariffs is littered with unforeseen consequences.


On 2/06/12 06:43 AM, Kyle Hamilton wrote:
> As soon as the government of China permits free communication, I'll
> reconsider my stock position on anything coming from China. Until then,
> my stock answer for anything CNNIC is and always shall be "NAY".
>
> -Kyle H
>
> On Wed, May 30, 2012 at 1:59 PM, Kathleen Wilson <kwi...@mozilla.com>


Jan Schejbal

Jun 3, 2012, 8:33:20 PM
to mozilla-dev-s...@lists.mozilla.org
On 2012-05-30 22:59, Kathleen Wilson wrote:
> Technically, CA root certificates cannot be used to trace and monitor
> end-user’s internet activities.

I think that this is incorrect. A CA certificate can be used to create
fake certificates for MITM intercepts of encrypted connections. Most
people who oppose the inclusion of CNNIC do it for this reason. Only
organizations trusted not to misuse their certificates should be added
as trusted root CAs, obviously.

It is improbable that any CA's certificate would be abused for issuing
fake certificates for wholesale surveillance, as this would be too easy
to notice and each fake certificate is digitally signed proof of the
misuse. However, any root CA's certificates could be used in targeted
attacks, if the CA chose to do so.

CNNIC itself states on http://www.cnnic.net.cn/en/index/ that "CNNIC
takes orders from the Ministry of Information Industry (MII) to conduct
daily business". For this reason, CNNIC has to be considered under
government control/part of the government. This is not a problem by
itself, as we already have multiple Government-controlled CAs.

The Chinese government is censoring the internet. This is a well-known
and well-documented fact.

Are there any objections up to here, or do we all agree on these points?


For the censorship attempts, false DNS responses/DNS poisoning attacks
are employed, as reported on:
http://viewdns.info/research/dns-cache-poisoning-in-the-peoples-republic-of-china/

I can confirm having seen multiple responses (for a single request)
matching the pattern described in this document, after sending DNS
requests to random Chinese IPs. I have reported this in this group in
2010: http://web.archiveorange.com/archive/v/mN8dW9a7eBGQoLaBm7g8

http://cs.nyu.edu/~pcw216/work/nds/final.pdf provides more information
about this DNS tampering.

http://cyber.law.harvard.edu/filtering/china/appendix-tech.html provides
more insight into internet censorship in general, including filtering
of network traffic based on URL.

Due to the evidence above, I consider it proven that the Chinese
government, which is in control of CNNIC, is performing attacks on
internet users, and is thus not a party that can be trusted with
operating a CA. For this reason, I believe that adding the additional
CNNIC root would cause undue risks to users' security. I oppose the
inclusion of the additional CNNIC root, and I would like to request a
review of the original inclusion decision for the CNNIC root(s)
currently included.

Kind regards,
Jan


P.S.: I could not verify the following allegation I found, so I am not
basing my opinion on it, but I still think it should be checked by
someone who understands Chinese:

http://en.wikipedia.org/w/index.php?title=China_Internet_Network_Information_Center&oldid=495545503#Malware_Production_And_Distribution
mentions claims that CNNIC created and distributed malware, and provides
a link to a Chinese article allegedly describing it.



--
Please avoid sending mails, use the group instead.
If you really need to send me an e-mail, mention "FROM NG"
in the subject line, otherwise my spam filter will delete your mail.
Sorry for the inconvenience, thank the spammers...

ianG

Jun 4, 2012, 5:26:50 AM
to dev-secur...@lists.mozilla.org
Good post! It is helpful to get the reasons and understanding laid out.
Then we can be objective and relate that to what we know and can
measure against.

So in the spirit of comparison, here are some devil's advocate
responses. I'll pick the USA because it resonates with most people
here, but we could equally pick European or Asian or Latin governments.

On 2/06/12 16:16 PM, Bing wrote:
> Hi,
>
> Most Chinese citizens who understand the matter expressed ongoing concerns.

Yes, we have the same situation with all CAs.

> I appreciate the facts that Kathleen mentioned, but the key reason that Chinese people do not trust CNNIC is not (or no longer) related to the '中文上网' (or Zhong Wen Shang Wang) ActiveX plugin.
>
> CNNIC is established and funded by the Chinese government despite its self-claimed standalone status. Its key Internet Policy and Resource Committee (#1), established in 2002, is chaired by a government official Han Xia, who is the Director of Bureau of Telecommunication Administration under Ministry of Industry and Information Technology. (#2)

In the USA they have ICANN which is contracted by the US Commerce
Department to be a stand-alone self-claimed organisation.

> I do not know whether it is acceptable for a government to run a browser trusted CA.

It is acceptable for a government to run a CA. It's up to the browsers
as relying parties whether to add the CAs to their default accepted list
(sometimes called trust list). There are many such CAs in Mozilla's
default-accepted list.

We have to sort of be relaxed and circumspect about what it means to be
a CA. Anyone can be an "authority" as long as they follow the steps.
There isn't any particular reason why we'd trust governments more or
less than evil western marketing organisations or etc etc.

> But most Chinese citizens are seriously concerned (#3) because their government is well-known for DNS poisoning foreign websites. (#4) There have been hundreds of thousands pages online telling people how to remove CNNIC CA from the trusted list, and people have even published tools for that purpose. (#5)

Many citizens around the world are annoyed at their respective
governments. Probably the governments in some countries are better at
keeping their secrets. In the 1990s there was a big push in USA to
regulate cryptography, and they more or less contained it then by
winning the war with a token loosening of export conditions. Recently
it has emerged that cyberwarfare was launched by USA.

> Technically, if CNNIC's EV Root becomes trusted, with the cert and the existing DNS poisoning facilities, the government can easily implement MITM attacks.

Yes. This is the security weakness of the CA concept. Any CA can
conduct or facilitate MITMs, and any organisation that controls a CA can
partake in that bounty. Concerns were raised about VeriSign when it was
also in the DNS business.

> Without manually inspecting the issuer (how many average people would do that?), users won't notice any difference when they use foreign SSL-enabled services, e.g. Gmail, Hotmail, online banking, discussion forums, etc. It would be very difficult to collect evidence of such an implementation because in most cases, the government will only apply it to a small group of people, e.g. human rights activists. It would be too late to revoke the trust when someone has been imprisoned or even given capital punishment for 'treason' or 'illegal attempts to subvert the socialist system'. It's worth noting that the hearing for such cases is usually not public and neither the evidence nor the verdict would be published online.

Another consequence of the design. Recently, people have started using
plugins (e.g. CertPatrol) to also address this. In fullness of time,
these plugins will cache certs so as to present proof when possible.
We're all waiting for proof of this; there is widespread mistrust of
the entire business because of this suspicion.


> There have been arguments that CNNIC is standalone and is not controlled by the government. People who believe that usually do not understand mainland politics. In December 2009, CNNIC was instructed by the government to stop accepting personal users from registering or renewing .CN domains. Before the ban, personal registrations contributed over 90% of .CN registrations, mainly because of CNNIC's '1-yuan ($0.15) domain registration experience' campaign. The registration fees collected by CNNIC between 2008 and 2009 were reported at some 200 million yuan. The number of new registrations and renewals of .CN domains has since plunged to a minimum and forced CNNIC to lift the ban on 28 May 2012 (yes, just days ago). (#6) (#7)

People don't usually understand Washington politics either. Nor do they
understand intelligence alliances. So what is true of one country can
often be more true of another, just because of alliances. The old
western politeness about not spying on your own citizens is generally
finessed by asking an alliance partner to spy for you and just pass back
the results.


> Similar arguments about DNS poisoning were mainly that it is not done by the government but by ISPs. It is, however, important to remember that the largest ISPs are all state-owned. It is possible that no government official has ever instructed any ISP to implement DNS poisoning, as they have probably never heard of the term, but they would certainly have instructed the Board Chairmen (and General Managers - usually the same person) of the largest ISPs to do everything possible to block 'illegal' (unwanted) foreign information. According to the official website of China Mobile, the Central Committee of the CCP (aka the CPC) decides who manages the world's largest mobile telecom (by market cap). (#8) This is the same for China Telecom and China Unicom.

Reminds me of the telcos in USA which "allegedly" all have their secret
rooms which have fiber going back to Maryland -- totally illegal but
what can we do?

> In terms of the accessibility of this discussion in Mainland China, I have asked my friends there to check. Unfortunately, none of them (6 persons) could access this site without '翻墙' (getting over the wall, a term used to describe a variety of ways to bypass the GFW - 'Great FireWall'). They reside in Beijing, Shanghai, Shenzhen, and Hubei. Apparently, the Chinese government believes this discussion group is 'illegal', as the Spokesman of the Foreign Ministry has stated many times that "Internet in China is completely free (as in freedom). We only censor illegal information."
>
> Even if this page is accessible, it won't be too beneficial to most Chinese people. Unlike Chinese people living in Hong Kong, most people in Mainland China have no or limited (below functional) English skills.

One plus, one minus.



To sum it all up, I don't see a reason why Mozilla shouldn't continue to
pursue its long-standing practices: engage in a review and contract the
CA concerned according to its written policy. If you think about what
other CAs and governments can do, there isn't a lot of distinction
except perhaps China does it more aggressively and more openly (honestly?).

Also, think of the game theory aspects here. What is it that hurts
China more than anything? Not saying no to them upfront. More likely
it is that if CNNIC is added to Mozilla and then later on shown to be
conducting MITMs, it can be dropped.

We have been through this and had some warm-up exercises. When and if
people present definite evidence of *any CA participating in MITMs* then
that CA will face serious pressure to drop it from Mozilla and other
browsers.

That event will make news. That will hurt. Not accepting CNNIC because
of unproven grumbling won't. You can achieve far more -- I suggest --
by contracting them to our standards, and then holding them up to their
word.



(This all is just my opinion. Debate away........)


iang




> References:
> #1 http://www.cnnic.net.cn/gywm/zjmr/201009/t20100909_15137.html (Chinese. Related information is not available on CNNIC's English website)
> #2 http://www.prcgov.org/center/center-gov-b-360-7.html
> #3 https://www.google.com/search?hl=en&q=CNNIC+CA
> #4 https://www.google.com/search?hl=en&q=china+dns+poisoning
> #5 https://www.google.com/search?hl=en&q=CNNIC+%E5%88%A0%E9%99%A4
> #6 http://www.cnbeta.com/articles/189489.htm (Chinese)
> #7 http://www.williamlong.info/archives/2018.html
> The most interesting thing in this article is the screenshot from the state-run CCTV (China Central Television), which showed a clear picture that CNNIC is taking direct orders from Ministry of Industry and Information Technology (MIIT, formerly Ministry of Information Industry).
> #8 http://10086.cn/aboutus/news/201005/t20100531_20241.htm (Chinese)
> Translate link: http://translate.google.com/translate?sl=auto&tl=en&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2F10086.cn%2Faboutus%2Fnews%2F201005%2Ft20100531_20241.htm
>
> * I'm a former Chinese citizen.
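
The certificate-caching defence ianG mentions (CertPatrol-style plugins that remember which certificate a site presented and warn when it changes) can be sketched as a trust-on-first-use check. The block below is an added example, not code from the thread, from CertPatrol or from any CA; the hostnames, CA names and fingerprints are constructed, and the 30-day renewal window is an assumed heuristic.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class CertObservation:
    """What a client can record about the leaf certificate a host presented."""
    host: str
    fingerprint: str    # hex SHA-256 of the DER leaf certificate (constructed below)
    issuer: str         # subject of the issuing intermediate CA
    root: str           # root the chain was validated against
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class ChangeEvent:
    """A certificate change that was not accepted automatically."""
    host: str
    verdict: str
    previous: CertObservation
    current: CertObservation


# Assumed heuristic: a new cert from the same CA this close to the pinned
# cert's expiry is treated as a routine renewal rather than flagged.
RENEWAL_WINDOW = timedelta(days=30)


class TofuCertStore:
    """Pins the first certificate seen per host and classifies later ones."""

    def __init__(self) -> None:
        self.pins: Dict[str, CertObservation] = {}
        self.events: List[ChangeEvent] = []

    def check(self, obs: CertObservation, now: datetime) -> str:
        prev = self.pins.get(obs.host)
        if prev is None:
            self.pins[obs.host] = obs
            return "FIRST_SEEN"
        if prev.fingerprint == obs.fingerprint:
            return "UNCHANGED"
        # A different certificate was presented; decide how suspicious it is.
        if obs.root != prev.root:
            # Another trusted root now vouches for this host. Ordinary chain
            # validation is silent about this, which is the MITM concern above.
            verdict = "ROOT_CHANGED"
        elif obs.issuer != prev.issuer:
            verdict = "ISSUER_CHANGED"
        elif prev.not_after - now <= RENEWAL_WINDOW:
            verdict = "RENEWED"
        else:
            # Same CA, but the pinned cert was nowhere near expiry: maybe a load
            # balancer with several certs, maybe a replacement worth a look.
            verdict = "EARLY_REPLACEMENT"
        if verdict == "RENEWED":
            self.pins[obs.host] = obs     # accepted silently, the pin moves on
        else:
            self.events.append(ChangeEvent(obs.host, verdict, prev, obs))
        return verdict

    def accept(self, host: str) -> bool:
        """After manual review, pin the most recently flagged cert for host."""
        for event in reversed(self.events):
            if event.host == host:
                self.pins[host] = event.current
                return True
        return False


def run_demo() -> dict:
    """Replays a constructed sequence of observations for one host."""
    host = "mail.example.test"
    same_ca = ("Constructed Intermediate 1", "Constructed Root 1")
    cert_a = CertObservation(host, "aa" * 32, *same_ca,
                             datetime(2012, 1, 1), datetime(2013, 1, 1))
    cert_b = CertObservation(host, "bb" * 32, *same_ca,
                             datetime(2012, 12, 15), datetime(2013, 12, 15))
    cert_x = CertObservation(host, "cc" * 32, "Constructed Intermediate 9",
                             "Constructed Root 2",
                             datetime(2012, 6, 1), datetime(2013, 6, 1))
    store = TofuCertStore()
    verdicts = [
        store.check(cert_a, datetime(2012, 6, 1)),    # first visit: pin A
        store.check(cert_a, datetime(2012, 6, 2)),    # same cert again
        store.check(cert_x, datetime(2012, 6, 5)),    # other root: flagged, pin kept
        store.check(cert_a, datetime(2012, 6, 6)),    # A still matches the pin
        store.check(cert_b, datetime(2012, 12, 20)),  # same CA, A expires in 12 days
        store.check(cert_a, datetime(2012, 12, 21)),  # old A vs new pin B: flagged
    ]
    store.accept(host)   # a reviewer decided the last flagged cert (A) is fine
    return {"verdicts": verdicts,
            "flagged": [(e.verdict, e.current.root) for e in store.events],
            "pinned": store.pins[host].fingerprint}
```

The flagged ROOT_CHANGED event is the signed evidence the thread talks about: the client keeps the pinned certificate and the unexpected one side by side, and the decision to trust the newcomer is a human one.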

Kathleen Wilson

Jun 4, 2012, 12:43:06 PM
to mozilla-dev-s...@lists.mozilla.org
The representative of CNNIC has asked me to post the following:

--

I can see post information in
http://groups.google.com/group/mozilla.dev.security.policy/
but it seems I can’t post a reply on it inside China.

Can you add a note to recommend that people inside China send email
to you if they want to post information in the discussion?

--

Ernst & Young audits CNNIC CA annually; they check all Cert logs
which CNNIC CA delivered and the security strategy CNNIC CA operates.
CNNIC CA gets a WebTrust audit report annually after this strict audit
process.

CNNIC CA would never deliver a fake Cert for MITM. And I don’t believe
a CA can get a WebTrust Seal if they deliver a fake Cert for MITM.

--

Kathleen

Jan Schejbal

Jun 4, 2012, 5:51:12 PM
to mozilla-dev-s...@lists.mozilla.org
On 2012-06-04 18:43, Kathleen Wilson wrote:
> The representative of CNNIC has asked me to post the following:

Do I understand it correctly that even official CNNIC representatives
are technically prevented from accessing this discussion using the
regular means of access?

Kind regards,
Jan

Kathleen Wilson

Jun 4, 2012, 6:23:47 PM
to mozilla-dev-s...@lists.mozilla.org
On 6/4/12 2:51 PM, Jan Schejbal wrote:
> Do I understand it correctly that even official CNNIC representatives
> are technically prevented from accessing this discussion using the
> regular means of access?


This still needs to be verified, but apparently from within China you
can post to the discussion forum by sending a regular email to
mozilla-dev-s...@lists.mozilla.org.

Kathleen



ianG

Jun 5, 2012, 10:12:18 PM
to dev-secur...@lists.mozilla.org
Devil's advocate hat on again :)




On 4/06/12 10:33 AM, Jan Schejbal wrote:
> On 2012-05-30 22:59, Kathleen Wilson wrote:
>> Technically, CA root certificates cannot be used to trace and monitor
>> end-user’s internet activities.
>
> I think that this is incorrect. A CA certificate can be used to create
> fake certificates for MITM intercepts of encrypted connections. Most
> people who oppose the inclusion of CNNIC do it for this reason. Only
> organizations trusted not to misuse their certificates should be added
> as trusted root CAs, obviously.
>
> It is improbable that any CA's certificate would be abused for issuing
> fake certificates for wholesale surveillance, as this would be too easy
> to notice and each fake certificate is digitally signed proof of the
> misuse. However, any root CA's certificates could be used in targeted
> attacks, if the CA chose to do so.
>
> CNNIC itself states on http://www.cnnic.net.cn/en/index/ that "CNNIC
> takes orders from the Ministry of Information Industry (MII) to conduct
> daily business". For this reason, CNNIC has to be considered under
> government control/part of the government. This is not a problem by
> itself, as we already have multiple Government-controlled CAs.


Actually this is the situation for all CAs, pretty much. They all
operate under the laws of some land in which they are based. If there
is a valid court order for interception, the CA is somewhat kinda bound
to follow it. Although it is not written up anywhere formally, to my
knowledge it was Mozilla's position that a court-ordered intercept is an
accepted exception to the rule of no-MITMs.

Correct me if I'm wrong... please. I don't like it, but it is Mozilla's
position as far as I am aware. At one point Frank posted on this and
confirmed it. However the language and concept is uncomfortable for
many so perhaps there has never been the desire to nail it down in
documentation?

(Yes, ok, I left out the step of "valid court order" but that's quickly
shown as easy enough.)

> The Chinese government is censoring the internet. This is a well-known
> and well-documented fact.


Stipulated. Two men of straw:

Many governments do that - censorship. Are we to exclude them or engage
them?

How does "censorship" and classical western liberal concepts such as
freedom of speech fit into Mozilla's manifesto and the CA policy
project? How far do we go here?

Does propaganda count? Some western governments make a practice of
employing people to fill the blogosphere with official party lines, and
employing journalists to produce documentaries pressing certain official
projects.

> Are there any objections up to here, or do we all agree on these points?
>
>
> For the censorship attempts, false DNS responses/DNS poisoning attacks
> are employed, as reported on:
> http://viewdns.info/research/dns-cache-poisoning-in-the-peoples-republic-of-china/


This makes a distinction between censorship as a legal practice and
interference of the Internet as a practical and active step.

> I can confirm having seen multiple responses (for a single request)
> matching the pattern described in this document, after sending DNS
> requests to random Chinese IPs. I have reported this in this group in
> 2010: http://web.archiveorange.com/archive/v/mN8dW9a7eBGQoLaBm7g8
>
> http://cs.nyu.edu/~pcw216/work/nds/final.pdf provides more information
> about this DNS tampering.
>
> http://cyber.law.harvard.edu/filtering/china/appendix-tech.html provides
> more insight into the internet censorship in general, including filtering
> of network traffic based on URL.


OK, so the claim is that the Chinese government uses active methods (DNS
poisoning) and passive methods (filtering) to enforce its censorship policy.


> Due to the evidence above, I consider it proven that the Chinese
> government, which is in control of CNNIC, is performing attacks on
> internet users, and is thus not a party that can be trusted with
> operating a CA. For this reason, I believe that adding the additional
> CNNIC root would cause undue risks to users' security. I oppose the
> inclusion of the additional CNNIC root, and I would like to request a
> review of the original inclusion decision for the CNNIC root(s)
> currently included.



Your case is based then on tarring the CA with the same brush as the
rest of the government that runs that CA. Fine, let's assume that is a
precedent.

What is the general principle you wish to propose? Something like:

A CA shall not be listed if it is run by a government
that conducts active interference of the
Internet and/or interfere with Mozilla users.

How's that? Now apply the principle to other actors. Today's news is
that USA & Israel have now been outed as the actors behind Stuxnet and
have in effect declared cyberwar on Iran. They therefore meet the above
test, right?

We should also strike out all CAs that root up to those governments.

Right?

Speculation: it won't take much to make a case against most other
western governments.



iang

Tom Lowenthal

Jun 6, 2012, 5:07:50 PM6/6/12
to mozilla-dev-s...@lists.mozilla.org
On 06/01/2012 07:46 AM, Stephen Schultze wrote:
> Given that CNNIC is the single most controversial CA that I've ever seen
> go through our approval process, and given that the pending Cert Policy
> updates have the potential to affect the approval process, I propose
> that consideration of this request wait until after the policy update.

I second Steve's suggestion.



Peter Kurrasch

Jun 6, 2012, 6:34:15 PM6/6/12
to Tom Lowenthal, mozilla-dev-s...@lists.mozilla.org
If Mozilla *were* to include the root cert...

It seems to me that including the CNNIC root could be of benefit to the
internet community. Whenever I encounter a chain that's rooted by CNNIC I
would have very good reason to be suspicious and/or distrustful. It's an
affirmation of negative trust, as opposed to assuming/expecting positive
trust.

It sort of goes to a point ianG made recently about the purpose of certs
being for identity. If I encounter a CNNIC-rooted chain, and it's properly
formed and validated, I pretty much know for certain that I'm talking to
the Chinese government. Maybe that would be useful?

Just some thoughts. I have no strong opinion about including CNNIC and/or
when to consider its inclusion.


On Wed, Jun 6, 2012 at 4:07 PM, Tom Lowenthal <t...@mozilla.com> wrote:

> On 06/01/2012 07:46 AM, Stephen Schultze wrote:
> > Given that CNNIC is the single most controversial CA that I've ever seen
> > go through our approval process, and given that the pending Cert Policy
> > updates have the potential to affect the approval process, I propose
> > that consideration of this request wait until after the policy update.
>
> I second Steve's suggestion.
>
>
>

Kathleen Wilson

Jun 6, 2012, 7:35:35 PM6/6/12
to mozilla-dev-s...@lists.mozilla.org
The proposed policy updates are in red text here:
http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html

Please point out the ones that you think have the potential to affect
the approval process for this particular root certificate.

As a CA with a root certificate currently in NSS (and in Microsoft's and
Apple's root programs), they are already aware of the multi-factor auth
requirement, the cert hierarchy requirement, and the CAB Forum BRs. This
root cert and their already included root cert do not have and will not
have externally-operated subCAs. Also CNNIC's responses to Mozilla's
recent CA communication is included here:
https://wiki.mozilla.org/CA:Communications#Responses

Thanks,
Kathleen

Stephen Schultze

Jun 7, 2012, 11:07:39 AM6/7/12
to mozilla-dev-s...@lists.mozilla.org
Thanks Tom. It's good to hear from another Mozilla employee on this one.

I'd like to hear from the other module peers on this issue. Sid? Gerv?
Johnathan?

Sid Stamm

Jun 7, 2012, 1:10:14 PM6/7/12
to Stephen Schultze
Kathleen asked in her last message:

> The proposed policy updates are in red text here:
> http://www.mozilla.org/projects/security/certs/policy/WorkInProgress/InclusionPolicy.html
>
> Please point out the ones that you think have the potential to
> affect the approval process for this particular root certificate.

I'm also curious which you think are the ones that will affect approval
in this case.

-Sid

Stephen Schultze

Jun 7, 2012, 1:50:26 PM6/7/12
to mozilla-dev-s...@lists.mozilla.org
All I can do is speculate, given that the text of the policy update
still isn't finalized.

As a general matter, it seems to me to be a good idea to finish a
long-overdue policy update before proceeding on a controversial root
approval.

But, in terms of specific speculation, we continue to discuss disclosure
and audit requirements for internal SubCAs as part of the changes to #9.
That certainly would have effects on this root approval.

Stephen Schultze

Jun 13, 2012, 10:37:17 AM6/13/12
to mozilla-dev-s...@lists.mozilla.org
On 5/30/12 4:59 PM, Kathleen Wilson wrote:
> * Audit: Annual audits are performed by Ernst & Young according to the
> WebTrust CA and WebTrust EV criteria and posted on the webtrust.org
> website.
> https://cert.webtrust.org/ViewSeal?id=1204
> https://cert.webtrust.org/ViewSeal?id=1205

These audits are more than a year old.

anyin

Jun 13, 2012, 8:53:37 PM6/13/12
to Stephen Schultze, mozilla-dev-s...@lists.mozilla.org
Hi Stephen,

The audit report period is from Aug 2011 to Aug 2012. It is still in its
valid period.
CNNIC CA finished the audit this year in May 2012 by Ernst & Young. I think
CNNIC CA can get the new WebTrust audit report before Aug 2012.

Regards,
Ken
-----Original Message-----
From: dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org
[mailto:dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org] on behalf of
Stephen Schultze
Sent: June 13, 2012 22:37
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: CNNIC Inclusion Request for Additional Root

On 5/30/12 4:59 PM, Kathleen Wilson wrote:
> * Audit: Annual audits are performed by Ernst & Young according to the
> WebTrust CA and WebTrust EV criteria and posted on the webtrust.org
> website.
> https://cert.webtrust.org/ViewSeal?id=1204
> https://cert.webtrust.org/ViewSeal?id=1205

These audits are more than a year old.

Stephen Schultze

Jun 13, 2012, 9:31:06 PM6/13/12
to mozilla-dev-s...@lists.mozilla.org
Kathleen,

What's the policy for when an audit statement "expires"? (ie: at what
point is a root eligible for revocation due to outdated audit documents?)

On 6/13/12 8:53 PM, anyin wrote:
> Hi Stephen,
>
> The audit report period is from Aug 2011 to Aug 2012. It is still in its
> valid period.
> CNNIC CA finished the audit this year in May 2012 by Ernst & Young. I think
> CNNIC CA can get the new WebTrust audit report before Aug 2012.
>
> Regards,
> Ken
> -----Original Message-----
> From: dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org
> [mailto:dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org] on behalf of
> Stephen Schultze
> Sent: June 13, 2012 22:37
> To: mozilla-dev-s...@lists.mozilla.org
> Subject: Re: CNNIC Inclusion Request for Additional Root
>
> On 5/30/12 4:59 PM, Kathleen Wilson wrote:
>> * Audit: Annual audits are performed by Ernst & Young according to the

Kathleen Wilson

Jun 13, 2012, 10:08:08 PM6/13/12
to mozilla-dev-s...@lists.mozilla.org
On 6/13/12 6:31 PM, Stephen Schultze wrote:
> Kathleen,
>
> What's the policy for when an audit statement "expires"? (ie: at what
> point is a root eligible for revocation due to outdated audit documents?)
>


CAB Forum BR #17.3:
"For both government and commercial CAs, the CA SHOULD make its Audit
Report publicly available no later than three months after the end of
the audit period. In the event of a delay greater than three months, and
if so requested by an Application Software Supplier, the CA SHALL
provide an explanatory letter signed by the Qualified Auditor."

My past experience with getting updated audit statements is it usually
takes about 3 months (sometimes up to 5 months) after the audit
completes. The government CAs tend to take longer than the commercial CAs.

Kathleen

Kathleen Wilson

Jun 28, 2012, 6:55:58 PM6/28/12
to mozilla-dev-s...@lists.mozilla.org
On 5/30/12 1:59 PM, Kathleen Wilson wrote:
> China Internet Network Information Center (CNNIC) has applied to add the
> “China Internet Network Information Center EV Certificates Root”
> certificate, turn on the websites trust bit, and enable EV.
>
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=607208
>
> And in the pending certificates list here:
> http://www.mozilla.org/projects/security/certs/pending/#CNNIC
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=622926
>
> Noteworthy points:
>
> * The primary documents are the CPS documents, which are also provided
> in English.
>
> CNNIC Trusted Network Service Center: http://tns.cnnic.cn
> CNNIC Policy Documents: http://www.cnnic.cn/html/Dir/2007/04/29/4568.htm
> CNNIC Trusted Network Service Center EV CPS (English):
> http://www.cnnic.cn/uploadfiles/pdf/2010/9/10/141005.pdf
> CNNIC Trusted Network Service Center CPS (English):
> http://www.cnnic.cn/uploadfiles/20100414/CNNIC_CPS_V2_07_EN.pdf
>
> Currently there is one internally-operated subordinate CA named CNNIC EV
> SSL, which only signs EV SSL Certificates. In the future CNNIC may also
> add another internally-operated subCA for issuing code signing
> certificates.
>


Thank you to those of you who have reviewed and commented on this request.

Here is a summary of this discussion.

1) There were concerns that people in China may not be able to view and
post to this discussion forum. It has been confirmed that they can view
this discussion forum, and they can post to it by sending email to
mozilla-dev-s...@lists.mozilla.org.

2) There was a lot of discussion about government, politics, legal
jurisdiction, what-if scenarios, and people’s opinions about the Chinese
government. While I sympathize with people’s feelings about this,
Mozilla’s root program is based on policy and evidence. While CNNIC has
provided all of the required information to demonstrate their compliance
with Mozilla’s CA Certificate Policy, no usable evidence has been
provided to show non-compliance with Mozilla’s CA Certificate Policy.

3) It was suggested that this root inclusion request be put on hold
until after the current draft of policy changes have been made official.
I have carefully considered the currently proposed policy changes, and
concluded that they do not have impact on this root inclusion request.
In any case, CNNIC is already an included CA, so the updates to the
policy will apply to them the same as every other CA that has root certs
included in NSS.

4) It was noted that the date in the audit statement is May 31, 2011.
The representative of CNNIC confirmed that the next audit statement is
expected to be received in August. This is in compliance with policy and
practices, and is in line with what is expected of all CAs with root
certificates included in NSS.

Are there any further comments about this request in regards to
compliance with Mozilla’s CA Certificate Policy? If not, I plan to close
this discussion and recommend approval in the bug.

Thanks,
Kathleen

Erwann Abalea

Jun 28, 2012, 8:55:36 PM6/28/12
to mozilla-dev-s...@lists.mozilla.org
On Friday, June 29, 2012 00:55:58 UTC+2, Kathleen Wilson wrote:
[...]
> Are there any further comments about this request in regards to
> compliance with Mozilla’s CA Certificate Policy? If not, I plan to close
> this discussion and recommend approval in the bug.

As usual, the serial number of the EV certificates is not random (long, but still sequential), and the certificates are signed with sha1withRSA.

Tom Lowenthal

Jul 19, 2012, 5:52:28 PM7/19/12
to mozilla-dev-s...@lists.mozilla.org
Kathleen Wilson:
> 2) There was a lot of discussion about government, politics, legal
> jurisdiction, what-if scenarios, and people’s opinions about the Chinese
> government. While I sympathize with people’s feelings about this,
> Mozilla’s root program is based on policy and evidence. While CNNIC has
> provided all of the required information to demonstrate their compliance
> with Mozilla’s CA Certificate Policy, no usable evidence has been
> provided to show non-compliance with Mozilla’s CA Certificate Policy.
>
> Are there any further comments about this request in regards to
> compliance with Mozilla’s CA Certificate Policy? If not, I plan to close
> this discussion and recommend approval in the bug.

I do not agree with your conclusion on point 2 above. The statement that
"CNNIC takes orders from the Ministry of Information Industry (MII) to
conduct daily business" indicates that their effective CSP is not
compliant with Mozilla's root program.

Further, that "Mozilla’s root program is based on policy and evidence"
while practical risk-management is not a factor, should indicate that we
have a more fundamental problem which is in need of
more-than-evolutionary improvement.

Kathleen Wilson

Jul 25, 2012, 6:46:04 PM7/25/12
to mozilla-dev-s...@lists.mozilla.org
On 6/28/12 3:55 PM, Kathleen Wilson wrote:
>
> 4) It was noted that the date in the audit statement is May 31, 2011.
> The representative of CNNIC confirmed that the next audit statement is
> expected to be received in August. This is in compliance with policy and
> practices, and is in line with what is expected of all CAs with root
> certificates included in NSS.
>
> Are there any further comments about this request in regards to
> compliance with Mozilla’s CA Certificate Policy? If not, I plan to close
> this discussion and recommend approval in the bug.
>


Erwann, Thank you for reviewing this request in regards to compliance
with Mozilla's CA Certificate Policy.


> As usual, the serial number of the EV certificates is not random
> (long, but still sequential), and the certificates are signed
> with sha1withRSA.

As per
http://www.mozilla.org/projects/security/certs/policy/MaintenancePolicy.html
" 9. We expect CAs to maintain current best practices to prevent
algorithm attacks against certificates. As such, the following steps
will be taken: ...
- all new end-entity certificates must contain at least 20 bits of
unpredictable random data (preferably in the serial number)."

So now we have one action item resulting from this discussion.

ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new
end-entity certificates.

There continues to be discussion and personal feelings about the Chinese
government and their involvement with this CA, and what the CA would do
if their government forced them to do something that did not comply with
Mozilla policy. As indicated throughout this discussion, these concerns
actually apply to all CAs, especially all government CAs. Our practice
in this regard is to uphold Mozilla's CA Certificate Policy. Other than
the one stated action item, this CA has demonstrated their full
compliance with Mozilla's CA Certificate Policy, and no evidence has
been provided to the contrary.

If there are no further comments on this request that are based on
actually reviewing this request and the evidence available in regards to
Mozilla's CA Certificate Policy and the CAB Forum's Baseline
Requirements and EV Requirements, then I plan to close this discussion,
track the action item in the bug, and recommend approval.

Thanks,
Kathleen
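
A serial-number check for the entropy action item above, added here as an example that is not CNNIC's or Mozilla's code: it flags the "long, but still sequential" pattern Erwann noted and shows a CA-side generator that satisfies the 20-bit requirement from the quoted policy item. The function names and the sample serial numbers are my own constructions.

```python
"""Serial-number entropy check (added example, not CNNIC's or Mozilla's code).

Mozilla's maintenance policy item quoted above requires at least 20 bits of
unpredictable data in every new end-entity certificate, preferably in the
serial number. That blunts chosen-prefix collision attacks on weak signature
hashes such as SHA-1, because the attacker can no longer predict the whole
to-be-signed structure. Every serial number below is constructed sample data.
"""
from functools import reduce
import secrets

MIN_RANDOM_BITS = 20      # Mozilla maintenance policy, item 9
MAX_SERIAL_OCTETS = 20    # RFC 5280 section 4.1.2.2 limit on the DER INTEGER


def make_serial(random_bits: int = 64) -> int:
    """CA-side pattern (hypothetical): a fixed leading 1 bit guarantees a
    positive, non-zero INTEGER; all `random_bits` below it come from the OS
    CSPRNG, so the serial cannot be predicted from earlier issuances."""
    return (1 << random_bits) | secrets.randbits(random_bits)


def rfc5280_serial_ok(serial: int) -> bool:
    """RFC 5280: serial is a positive INTEGER of at most 20 DER content
    octets. DER needs a leading 0x00 octet whenever the top bit of the first
    octet is set, so the octet count is bit_length // 8 + 1."""
    if serial <= 0:
        return False
    return serial.bit_length() // 8 + 1 <= MAX_SERIAL_OCTETS


def varying_bit_count(serials: list[int]) -> int:
    """Number of bit positions that differ somewhere in the sample: a crude
    upper bound on how many unpredictable bits the serials can carry."""
    first = serials[0]
    diff = reduce(lambda acc, s: acc | (s ^ first), serials, 0)
    return bin(diff).count("1")


def looks_sequential(serials: list[int]) -> bool:
    """True when serials, in issuance order, increase by steps smaller than
    2**MIN_RANDOM_BITS: long numbers that merely count up still fail."""
    steps = [b - a for a, b in zip(serials, serials[1:])]
    return all(0 < step < (1 << MIN_RANDOM_BITS) for step in steps)


def audit(serials: list[int]) -> dict:
    """Summarise an issuance batch against the RFC limit and the policy."""
    sequential = looks_sequential(serials)
    varying = varying_bit_count(serials)
    return {
        "rfc5280_ok": all(rfc5280_serial_ok(s) for s in serials),
        "sequential": sequential,
        "varying_bits": varying,
        "meets_policy": not sequential and varying >= MIN_RANDOM_BITS,
    }


# Constructed sample: 96-bit serials that only count up by one. Their length
# does not help; only the low four bits ever change across the batch.
SEQUENTIAL_SAMPLE = [0x4D2A1B3C5E6F708090A0B0C0 + i for i in range(12)]

if __name__ == "__main__":
    print("sequential batch:", audit(SEQUENTIAL_SAMPLE))
    print("random batch:    ", audit([make_serial() for _ in range(12)]))
```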

Kathleen Wilson

Aug 21, 2012, 3:52:12 PM8/21/12
to mozilla-dev-s...@lists.mozilla.org
For those of you wondering about the status of CNNIC's 2012 audit
statements, I am waiting for them to be correctly posted on the
webtrust.org website.

https://cert.webtrust.org/ViewSeal?id=1332
Currently this provides a link to the WebTrust EV audit statement for
the audit through May 31, 2012.

https://cert.webtrust.org/ViewSeal?id=1333
Was the other url given to CNNIC, but as you can see it isn't correctly
set up to have a link to the WebTrust CA audit statement.

In regards to the action item about entropy, Ken has submitted the
request to their development team, and he will track it. I plan to track
it separately in the bug.

After I confirm that the current audit statements are available on
webtrust.org I plan to close this discussion and recommend approval of
this request in the bug.

Kathleen




Kathleen Wilson

Sep 19, 2012, 1:00:57 PM9/19/12
to mozilla-dev-s...@lists.mozilla.org
The audit statements are now correctly posted on the webtrust.org website:

https://cert.webtrust.org/ViewSeal?id=1332

https://cert.webtrust.org/ViewSeal?id=1347


Ken, please provide an update on the entropy action item.
ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new
end-entity certificates.

Kathleen

anyin

Sep 19, 2012, 10:14:49 PM9/19/12
to Kathleen Wilson, mozilla-dev-s...@lists.mozilla.org
Actually I forwarded the request to the R&D team a while ago. As our development
team is concentrating all its energies on the Chinese Domain (.中国) project,
they still need time to start fixing this entropy issue.
PS: The Domain project will be finished by the end of Oct 2012. I will
update the info in the bug as soon as the issue is fixed.

Regards,
Ken

-----Original Message-----
From: dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org
[mailto:dev-security-policy-bounces+anyin=cnni...@lists.mozilla.org] on behalf of
Kathleen Wilson
Sent: September 20, 2012 1:01
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: CNNIC Inclusion Request for Additional Root

On 8/21/12 12:52 PM, Kathleen Wilson wrote:
The audit statements are now correctly posted on the webtrust.org website:

https://cert.webtrust.org/ViewSeal?id=1332

https://cert.webtrust.org/ViewSeal?id=1347


Ken, please provide an update on the entropy action item.
ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new
end-entity certificates.

Kathleen

Kathleen Wilson

Sep 27, 2012, 1:12:47 PM9/27/12
to mozilla-dev-s...@lists.mozilla.org
>> For those of you wondering about the status of CNNIC's 2012 audit
>> statements, I am waiting for them to be correctly posted on the
>> webtrust.org website.
>>
>> https://cert.webtrust.org/ViewSeal?id=1332
>> Currently this provides a link to the WebTrust EV audit statement for
>> the audit through May 31, 2012.
>>
>> https://cert.webtrust.org/ViewSeal?id=1333
>> Was the other url given to CNNIC, but as you can see it isn't
>> correctly set up to have a link to the WebTrust CA audit statement.
>>
>> In regards to the action item about entropy, Ken has submitted the
>> request to their development team, and he will track it. I plan to
>> track it separately in the bug.
>>
>> After I confirm that the current audit statements are available on
>> webtrust.org I plan to close this discussion and recommend approval of
>> this request in the bug.
>>
>
> The audit statements are now correctly posted on the webtrust.org website:
>
> https://cert.webtrust.org/ViewSeal?id=1332
>
> https://cert.webtrust.org/ViewSeal?id=1347
>


Thanks again to those of you who have reviewed and commented on this
request.

I am now closing this discussion, and I will post a summary of this
request and my recommendation for approval in the bug. I will also track
the open action item in the bug.

ACTION CNNIC: Make sure there is at least 20 bits of entropy in all new
end-entity certificates.

https://bugzilla.mozilla.org/show_bug.cgi?id=607208

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen

