
Re: Second Discussion of CFCA Root Inclusion Request


Richard Barnes

Jan 7, 2015, 5:17:20 PM
to Kathleen Wilson, James Kasten, Zakir Durumeric, mozilla-dev-s...@lists.mozilla.org
This question is somewhat unrelated to the inclusion of CFCA in the root
program, but I'm interested to know the answer:

Based on some survey data I've gotten from the University of Michigan, it
appears that the CFCA root(s) have been used only within a limited scope
(TLDs in issued EE certificates):

CFCA OCA2: cn, com, net
CFCA EV OCA: com

Does CFCA agree with this assessment, or are there certificates that were
missed by the UMich survey?

Would CFCA be willing to be name constrained by relying party software to
names ending in .cn, .com, or .net? (Thus, relying parties would reject
certificates for names under other TLDs that chain to CFCA.) This
constraint would help bound the risk posed by errors or compromises at CFCA
or any subordinates.

--Richard



On Wed, Jan 7, 2015 at 9:23 PM, Kathleen Wilson <kwi...@mozilla.com> wrote:

> China Financial Certification Authority (CFCA) has applied to include the
> “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable
> EV treatment.
>
> The first discussion resulted in CA action items, which have been
> completed.
> https://groups.google.com/d/msg/mozilla.dev.security.policy/2G6KuAT9Ekk/GyakphSLS5EJ
> https://bugzilla.mozilla.org/show_bug.cgi?id=926029#c26
>
> For your convenience, and because the request has been changed to be just
> for the EV root, I will re-summarize the request below.
>
> CFCA is a national authority of security authentication approved by the
> People’s Bank of China and state information security administration. CFCA
> is a critical national infrastructure of financial information security and
> one of the first certification service suppliers granted a certification
> service license after the release of the Electronic Signature Law of the
> People’s Republic of China. There are more than 200 Chinese banks that are
> using CFCA’s certificates to ensure the security of online banking trade.
>
> The request is documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=926029
>
> And in the pending certificates list:
> http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/pending/
>
> Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8545426
>
> Noteworthy points:
>
> * The primary documents are the CPS and CP, which are provided in Chinese,
> and the CPS has been translated into English.
>
> Document repository: http://www.cfca.com.cn/us/us-12.htm
> CPS (Chinese) http://www.cfca.com.cn/file/qqfwq-cps.zip
> CP (Chinese): http://www.cfca.com.cn/file/qqfwq-cp.zip
>
> CPS (English): http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar
>
> * CA Hierarchy: The “CFCA EV ROOT” root has one internally-operated
> subordinate CA, “CFCA EV OCA”, which issues EV SSL certificates.
>
> * This request is to turn on the websites trust bit for the “CFCA EV ROOT”
> root certificate, and enable EV treatment.
>
> ** CPS section 3.2.2.3: Applications for SSL Certificates can only be
> submitted to CFCA, who accepts applications from both organizations and
> individuals.
>
> ** CPS section 3.2.2.3: CFCA verifies not only the ID, address, and
> country of the applicant, but also the IP and the compliance of CSR. The
> procedures are as follows:
> CFCA performs a WHOIS inquiry on the internet for the domain name supplied
> by the applicant, to verify that the applicant is the entity to whom the
> domain name is registered. Where the WHOIS record indicates otherwise, CFCA
> will ask for a letter of authorization, or email the registrar to inquire
> whether the applicant has been authorized to use the domain name.
> To verify the public IP, the subscriber can supply a sealed paper document
> or email from the ISP showing the IP is allocated by the ISP to the
> applicant.
>
> ** CPS section 3.2.2.4: Applications for EV SSL Certificates can only be
> submitted to CFCA. The subject must be the domain name of the web server,
> not the IP address. The domain name must not contain wildcards. The
> applicants can only be private organizations, business entities, government
> entities and non-commercial entities and should meet the following
> requirements: … [verification of identity, organization, and authority of
> the certificate subscriber]
>
> ** CPS section 3.2.2.4 part 6, Domain Name of the Applicant:
> (1) The Applicant is the registered holder of the domain name or has been
> granted the exclusive right to use the domain name by the registered holder
> of the domain name
> (2) Domain registration information in the WHOIS database SHOULD be public
> and SHOULD show the name, physical address, and administrative contact
> information for the organization.
> (3) The Applicant is aware of its registration or exclusive control of the
> domain name.
>
> * EV Policy OID: 2.16.156.112554.3
>
> * Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8356494
>
> * Test Website: https://pub.cebnet.com.cn
>
> * OCSP
> http://ocsp.cfca.com.cn/ocsp/
> CPS 4.8.9: The maximum validity period for OCSP response does not exceed 7
> days.
>
> * Audit: Annual audits are performed by PricewaterhouseCoopers according
> to the WebTrust criteria.
> WebTrust CA: https://cert.webtrust.org/SealFile?seal=1788&file=pdf
> WebTrust EV: https://cert.webtrust.org/SealFile?seal=1786&file=pdf
> WebTrust BR: https://cert.webtrust.org/SealFile?seal=1787&file=pdf
>
> * Potentially Problematic Practices – None noted for this EV root and
> hierarchy.
> (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> This begins the second discussion of the request from CFCA to include the
> “CFCA EV ROOT” root certificate, turn on the websites trust bit, and enable
> EV treatment. At the conclusion of this discussion I will provide a summary
> of issues noted and action items. If there are outstanding issues, then an
> additional discussion may be needed as follow-up. If there are no
> outstanding issues, then I will recommend approval of this request in the
> bug.
>
> Kathleen
> _______________________________________________
> dev-security-policy mailing list
> dev-secur...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
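Richard's question is about a constraint the relying party would impose, independent of what CFCA's CPS permits. The following is an added example (not code from Mozilla, NSS, CFCA or any poster in this thread) showing what such a check looks like: it implements the dNSName matching rule of RFC 5280 section 4.2.1.10 and applies a permitted/excluded subtree list to the DNS names in a leaf certificate's subjectAltName. The SAN lists, the `NameConstraints` class and the `CFCA_PROPOSED` constant are constructed for illustration; the TLD list is the one from the survey quoted above.

```python
"""Relying-party name constraints on a root, as proposed in the thread.

Added example, not code from Mozilla, NSS or CFCA. Implements the
RFC 5280 section 4.2.1.10 dNSName rule (a name satisfies a subtree when
it equals the subtree or has extra labels prepended to it) and applies a
permitted/excluded list to a leaf's SAN dNSNames. All certificates below
are constructed SAN lists, not real issued certificates.
"""
from __future__ import annotations
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return [label for label in name.lower().rstrip(".").split(".") if label]


def dns_name_in_subtree(name: str, subtree: str) -> bool:
    """Whole-label suffix match, so 'bank.cn.example.org' does NOT satisfy
    the subtree 'cn'. A subtree written with a leading dot ('.cn') matches
    only names strictly below it (a convention several implementations
    accept). A wildcard label '*' is treated as an ordinary label here."""
    proper_subdomain_only = subtree.startswith(".")
    n, s = _labels(name), _labels(subtree)
    if not s or len(n) < len(s) or n[-len(s):] != s:
        return False
    if proper_subdomain_only and len(n) == len(s):
        return False
    return True


@dataclass
class NameConstraints:
    """Hypothetical container for the relying party's policy."""
    permitted: list[str] = field(default_factory=list)  # empty: no restriction
    excluded: list[str] = field(default_factory=list)   # excluded always wins


def dns_name_violations(san_dns_names: list[str], nc: NameConstraints) -> list[str]:
    """Names that would make a relying party reject the chain: anything in
    an excluded subtree, or outside every permitted subtree when a
    permitted list exists. An empty result means the certificate passes."""
    violations = []
    for name in san_dns_names:
        if any(dns_name_in_subtree(name, ex) for ex in nc.excluded):
            violations.append(name)
        elif nc.permitted and not any(dns_name_in_subtree(name, p) for p in nc.permitted):
            violations.append(name)
    return violations


# The constraint suggested in the thread: the TLDs seen in the UMich survey.
CFCA_PROPOSED = NameConstraints(permitted=["cn", "com", "net"])

# Constructed sample leaf certificates (SAN dNSName lists only).
SAMPLE_CERTS = {
    "test site":  ["pub.cebnet.com.cn"],
    "wildcard":   ["*.example.com.cn", "example.com.cn"],
    "org TLD":    ["www.example.org"],
    "lookalike":  ["bank.cn.example.org"],
    "mixed SANs": ["www.example.net", "www.example.co.uk"],
}


def evaluate(certs: dict[str, list[str]], nc: NameConstraints) -> dict[str, list[str]]:
    """Map each sample certificate to its violating names (empty = accepted)."""
    return {label: dns_name_violations(names, nc) for label, names in certs.items()}


if __name__ == "__main__":
    for label, bad in evaluate(SAMPLE_CERTS, CFCA_PROPOSED).items():
        verdict = "accepted" if not bad else "rejected for " + ", ".join(bad)
        print(f"{label:11s}: {verdict}")
```

The check is applied by the client to every name in the leaf regardless of what the CA's own policy allows, which is why it bounds the damage of a mis-issuance at the CA rather than relying on the CA's controls. Note the whole-label comparison: a naive string suffix test would let `bank.cn.example.org` slip through a `.cn` constraint.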

Kathleen Wilson

Jan 7, 2015, 4:25:00 PM
to mozilla-dev-s...@lists.mozilla.org

cfcazha...@gmail.com

Jan 8, 2015, 8:22:13 PM
to mozilla-dev-s...@lists.mozilla.org
I'm CFCA's representative Zhao GaiXia, and this is the official response account (using Google Groups).

Thanks for your reply!

CFCA does not have limits related to TLDs in SSL certificates, as is listed above
http://www.cfca.com.cn/file/CFCA-1403-CPS-en.rar
"
** CPS section 3.2.2.4: Applications for EV SSL Certificates can only be
submitted to CFCA. The subject must be the domain name of the web
server, not the IP address. The domain name must not contain wildcards.
The applicants can only be private organizations, business entities,
government entities and non-commercial entities and should meet the
following requirements: ...
"

The survey from the University of Michigan may reflect the status of customers of CFCA for a period, but it's not a specification or a statement such as CPS.

For example, the EV certificate on the test website https://pub.cebnet.com.cn is an EV certificate with TLD "cn".

And as listed above, if an organization wants an EV certificate with TLD "org" and conforms to all specifications and standards including CPS 3.2.2.4, there is no reason to reject.

CFCA does not have plans to be name constrained for the EV/GT system now.


--Zhao GaiXia

Kathleen Wilson

Jan 20, 2015, 3:27:00 PM
to mozilla-dev-s...@lists.mozilla.org
All,

Does anyone have questions or comments about CFCA's request for root
inclusion and EV treatment?

Thanks,
Kathleen


Erwann Abalea

Jan 22, 2015, 11:20:38 AM
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, January 7, 2015 at 22:25:00 UTC+1, Kathleen Wilson wrote:
> China Financial Certification Authority (CFCA) has applied to include
> the "CFCA EV ROOT" root certificate, turn on the websites trust bit, and
> enable EV treatment.
[...]
> * Root Cert: https://bugzilla.mozilla.org/attachment.cgi?id=8356494
>
> * Test Website: https://pub.cebnet.com.cn
>
> * OCSP
> http://ocsp.cfca.com.cn/ocsp/
> CPS 4.8.9: The maximum validity period for OCSP response does not exceed
> 7 days.

Sorry for the delay.

Getting the CRL issued by "CFCA EV ROOT" shows 2 revoked certificates (serial numbers 0x844543D3B8 and 0xE6A7F45CF7).
When requesting the OCSP for the status of these serial numbers, the OCSP responder replies with an "unknown" status.
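The inconsistency Erwann found (a serial listed as revoked in the CRL but answered "unknown" by OCSP) is easy to check for systematically. The following is an added example, not code from Erwann, CFCA or Mozilla: it parses the text forms that `openssl crl -text -noout` and `openssl ocsp -serial ...` print, and reports every CRL-revoked serial whose OCSP status is anything other than "revoked". The two sample outputs are constructed to reproduce the state before and after CFCA's fix; the serial numbers are the ones from the thread, while the dates, issuer line and reason codes are made up and nothing here contacts a network.

```python
"""Cross-check a CRL against OCSP answers for the same serial numbers.

Added example for this thread; not code from CFCA or any poster. Parses
`openssl crl -text -noout` and `openssl ocsp` text output. Sample inputs
below are constructed: only the serial numbers come from the thread.
"""
from __future__ import annotations
import re

# Constructed sample of an `openssl crl -text -noout` listing.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: C=CN, O=China Financial Certification Authority, CN=CFCA EV ROOT
        Last Update: Jan 22 00:00:00 2015 GMT
        Next Update: Jan 29 00:00:00 2015 GMT
Revoked Certificates:
    Serial Number: 844543D3B8
        Revocation Date: Jun 30 08:00:00 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Serial Number: E6A7F45CF7
        Revocation Date: Jun 30 08:00:00 2014 GMT
"""

# Constructed samples of `openssl ocsp -serial 0x... -serial 0x...` output,
# one "serial: status" line per serial, before and after the fix.
OCSP_TEXT_BEFORE = """\
Response verify OK
0x844543D3B8: unknown
0xE6A7F45CF7: unknown
"""

OCSP_TEXT_AFTER = """\
Response verify OK
0x844543D3B8: revoked
\tThis Update: Jan 23 03:00:00 2015 GMT
\tReason: superseded
0xE6A7F45CF7: revoked
\tThis Update: Jan 23 03:00:00 2015 GMT
"""


def normalize_serial(text: str) -> str:
    """Canonical serial: upper-case hex, no 0x prefix, no ':' separators,
    no leading zeros, so the CRL and OCSP spellings compare equal."""
    hexdigits = text.strip().lower().replace(":", "")
    if hexdigits.startswith("0x"):
        hexdigits = hexdigits[2:]
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError(f"not a hex serial: {text!r}")
    return hexdigits.upper().lstrip("0") or "0"


def revoked_serials_from_crl_text(crl_text: str) -> set[str]:
    """Serial numbers listed under 'Revoked Certificates:'."""
    parts = crl_text.split("Revoked Certificates:", 1)
    if len(parts) < 2:
        return set()  # CRL with no revoked entries
    return {normalize_serial(m)
            for m in re.findall(r"Serial Number:\s*([0-9A-Fa-f:]+)", parts[1])}


def ocsp_statuses_from_text(ocsp_text: str) -> dict[str, str]:
    """Map serial -> 'good' | 'revoked' | 'unknown' from openssl ocsp output."""
    pattern = re.compile(r"^(0x[0-9A-Fa-f]+):\s*(good|revoked|unknown)\s*$", re.MULTILINE)
    return {normalize_serial(m.group(1)): m.group(2) for m in pattern.finditer(ocsp_text)}


def crl_ocsp_discrepancies(crl_text: str, ocsp_text: str) -> dict[str, str]:
    """For each serial the CRL marks revoked, the OCSP status when it is not
    'revoked' ('missing' when OCSP printed no line for that serial).
    An empty dict means the two revocation sources agree."""
    statuses = ocsp_statuses_from_text(ocsp_text)
    return {serial: statuses.get(serial, "missing")
            for serial in sorted(revoked_serials_from_crl_text(crl_text))
            if statuses.get(serial) != "revoked"}


if __name__ == "__main__":
    for label, text in (("before fix", OCSP_TEXT_BEFORE), ("after fix", OCSP_TEXT_AFTER)):
        bad = crl_ocsp_discrepancies(CRL_TEXT, text)
        print(f"{label}: {bad if bad else 'CRL and OCSP agree'}")
```

Against real data the two inputs would be the saved output of the two OpenSSL commands; the comparison is the same. "Unknown" for a serial the CA itself revoked is the case to watch for, because a client that only consults OCSP would not learn of the revocation.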

cfcazha...@gmail.com

Jan 23, 2015, 4:00:10 AM
to mozilla-dev-s...@lists.mozilla.org
On Friday, January 23, 2015 at 12:20:38 AM UTC+8, Erwann Abalea wrote:
Erwann, thanks for your review.

We checked the issue you mentioned; it appears that the 2 certificates with SN 0x844543D3B8 and 0xE6A7F45CF7 are OCSP signing certificates we replaced in 2014 in order to conform to the Baseline Requirements.

The problem is now resolved; OCSP responses for 0x844543D3B8 and 0xE6A7F45CF7 are "revoked" instead of "unknown".

OCSP signing certificates' revocation status in the OCSP system used to be offline for the EV OCA level.
These certificates can't issue any certificates or be used as website certificates.

Now we have updated the model: once any changes take place at the EV OCA level, including issuance of new (EV OCA level) certificates and certificate revocation/replacement (at the EV OCA level), the database of the OCSP service for the EV OCA level will update.

So this problem won't happen again.
In addition, this problem does not affect our current subscribers/users.

Kathleen Wilson

Jan 27, 2015, 4:25:50 PM
to mozilla-dev-s...@lists.mozilla.org
Thanks, Erwann, for reviewing and commenting on this request again.

I believe that all of the questions and concerns that were raised during
the first discussion and this discussion have been resolved.

If there are no further questions or comments about CFCA's root
inclusion request, then I will close this discussion and recommend
approval in the bug.

Thanks,
Kathleen


Kathleen Wilson

Feb 4, 2015, 1:47:54 PM
to mozilla-dev-s...@lists.mozilla.org
Thanks to all of you who reviewed and commented on this request from
CFCA to include the “CFCA EV ROOT” root certificate, turn on the
websites trust bit, and enable EV treatment.

I am closing this discussion, and I will recommend approval in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=926029

Any further follow-up on this request should be added directly to the bug.

Thanks,
Kathleen
