
Something About CFCA (China Financial Certification Authority)


Han Yuwei

Oct 30, 2016, 7:19:12 AM
to mozilla-dev-s...@lists.mozilla.org
According to their CPS (Chinese version 3.2, July 2016),

1. All CAs can issue SM2 certificates and use the SM3 hash.

2. There is a "signing key" generated by the subscriber and an "encryption key" generated by CFCA, which is transmitted to the subscriber.

3. For SSL certificates, the longest valid duration is 5 years, which is much more than 39 months.

Are those conflicting with Mozilla's policy?
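As an added example (not code from the thread, from CFCA, or from Mozilla), the following stdlib-only Python checks, for one certificate, the two things the post above measures a CPS against: whether the validity period exceeds the 39-month limit the post cites, and whether the signature or public-key algorithm is one of the GM (SM2/SM3) OIDs registered in GM/T 0006-2012. The sample certificates are constructed inside the script with dummy key and signature bytes (the parser never verifies a signature) and are not CFCA certificates; the 39-month figure, the OID table and the sample dates are assumptions of this example, everything else follows the X.509 layout in RFC 5280.

```python
import calendar
from datetime import datetime, timezone

GM_OIDS = {  # registered in GM/T 0006-2012 for the Chinese national algorithms
    "1.2.156.10197.1.301": "SM2 curve",
    "1.2.156.10197.1.401": "SM3 digest",
    "1.2.156.10197.1.501": "SM3withSM2 signature",
}
MAX_MONTHS = 39  # subscriber-certificate limit the thread measures against (assumed here)

def der(tag, value):  # encode one DER TLV with short or long-form length
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + value

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:  # base-128, high bit set on every byte but the last
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return der(0x06, bytes(out))

def decode_oid(raw):
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):  # -> (tag, value, position after the element)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        size = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    return tag, buf[pos:pos + length], pos + length

def children(value):
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = parse_tlv(value, pos)
        items.append((tag, val))
    return items

def encode_time(dt):  # UTCTime; RFC 5280 switches to GeneralizedTime only from 2050
    return der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())

def decode_time(tag, raw):
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def add_months(dt, months):  # calendar months, day clamped to the target month's length
    y, m = divmod(dt.month - 1 + months, 12)
    y, m = dt.year + y, m + 1
    return dt.replace(year=y, month=m, day=min(dt.day, calendar.monthrange(y, m)[1]))

def oids_in(alg_id_value):  # algorithm OID plus any OID parameter (e.g. the curve)
    return [decode_oid(v) for t, v in children(alg_id_value) if t == 0x06]

def check_certificate(der_bytes):
    """Validity dates, whether they exceed MAX_MONTHS, and any GM algorithm in use."""
    _, cert, _ = parse_tlv(der_bytes)
    (_, tbs), (_, sig_alg), _sig = children(cert)
    fields = children(tbs)
    if fields[0][0] == 0xA0:  # [0] EXPLICIT version; absent in v1 certificates
        fields = fields[1:]
    _serial, tbs_alg, _issuer, validity, _subject, spki = fields[:6]
    (nb_tag, nb_raw), (na_tag, na_raw) = children(validity[1])
    not_before, not_after = decode_time(nb_tag, nb_raw), decode_time(na_tag, na_raw)
    spki_alg = children(spki[1])[0][1]
    found = set(oids_in(sig_alg) + oids_in(tbs_alg[1]) + oids_in(spki_alg))
    return {"not_before": not_before, "not_after": not_after,
            "over_limit": not_after > add_months(not_before, MAX_MONTHS),
            "gm_algorithms": sorted(GM_OIDS[o] for o in found if o in GM_OIDS)}

# Constructed samples: real X.509 v3 layout, dummy key and signature bytes (not CFCA's).
def alg_id(*oids, null_param=False):
    return der(0x30, b"".join(map(encode_oid, oids)) + (der(0x05, b"") if null_param else b""))

def build_sample(not_before, not_after, sig_alg, key_alg):
    name = der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, b"example"))))
    tbs = der(0x30, b"".join([der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), sig_alg, name,
                              der(0x30, encode_time(not_before) + encode_time(not_after)), name,
                              der(0x30, key_alg + der(0x03, b"\x00" * 33))]))
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 33))

RSA_SHA256 = alg_id("1.2.840.113549.1.1.11", null_param=True)  # sha256WithRSAEncryption
RSA_KEY = alg_id("1.2.840.113549.1.1.1", null_param=True)  # rsaEncryption
SM3_SM2 = alg_id("1.2.156.10197.1.501")  # SM3withSM2
SM2_KEY = alg_id("1.2.840.10045.2.1", "1.2.156.10197.1.301")  # id-ecPublicKey on the SM2 curve
NB = datetime(2016, 10, 30, tzinfo=timezone.utc)
FIVE_YEAR_RSA = build_sample(NB, datetime(2021, 10, 30, tzinfo=timezone.utc), RSA_SHA256, RSA_KEY)
SM2_CERT = build_sample(NB, datetime(2019, 10, 30, tzinfo=timezone.utc), SM3_SM2, SM2_KEY)
```

To run it on a real certificate, pass `check_certificate()` the DER bytes (for example the output of `openssl x509 -in cert.pem -outform DER`); `check_certificate(FIVE_YEAR_RSA)` reports `over_limit` as true and no GM algorithms, while `check_certificate(SM2_CERT)` stays within the limit but lists the SM2 curve and the SM3withSM2 signature. The calendar-month arithmetic matters: a certificate that ends one day past notBefore plus 39 months is over the limit, which a days-divided-by-30 approximation would miss. The GM check looks at the curve OID in the SubjectPublicKeyInfo parameters as well as the signature algorithm, since an SM2 key can be certified under a non-GM signature and would otherwise slip through.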

jonath...@gmail.com

Oct 30, 2016, 10:26:57 AM
to mozilla-dev-s...@lists.mozilla.org
1. It's not true. CFCA's RSA root that is included in Mozilla is not able to issue SM2 certificates with SM3 hash. CFCA does have an SM2 root that issues SM2 certificates, but that root is not included in Mozilla or any other root store such as Apple, Microsoft or Google. And our CPS never indicates that our RSA root is able to issue SM2 certificates. It is impossible.
2. The signing key and encryption key issue is a standard related to the Chinese double certificate, which is different from SSL, code signing and email certificates. CFCA's root that is included in Mozilla, Google and Apple is never able to issue this kind of certificate.
3. CFCA OV certificates have a longest validity period of 3 years. EV certificates have a longest validity of 2 years. There is no root of CFCA included in Mozilla, Google and Apple that can issue 5-year certificates. Please note that the sub-root that used to be able to issue 5-year certificates is the GT root, which is a SHA-1 root that we have already turned off. This root has issued 0 certificates after 2016 Jan 1, and this root was never included in Mozilla, Apple and Google.

Han Yuwei

Oct 30, 2016, 11:26:16 AM
to mozilla-dev-s...@lists.mozilla.org
On Sunday, October 30, 2016 at 10:26:57 PM UTC+8, jonath...@gmail.com wrote:
> 1. It's not true. CFCA's RSA root that is included in Mozilla is not able to issue SM2 certificates with SM3 hash. CFCA does have an SM2 root that issues SM2 certificates, but that root is not included in Mozilla or any other root store such as Apple, Microsoft or Google. And our CPS never indicates that our RSA root is able to issue SM2 certificates. It is impossible.
> 2. The signing key and encryption key issue is a standard related to the Chinese double certificate, which is different from SSL, code signing and email certificates. CFCA's root that is included in Mozilla, Google and Apple is never able to issue this kind of certificate.
> 3. CFCA OV certificates have a longest validity period of 3 years. EV certificates have a longest validity of 2 years. There is no root of CFCA included in Mozilla, Google and Apple that can issue 5-year certificates. Please note that the sub-root that used to be able to issue 5-year certificates is the GT root, which is a SHA-1 root that we have already turned off. This root has issued 0 certificates after 2016 Jan 1, and this root was never included in Mozilla, Apple and Google.

So why didn't I see these statements in the CPS or on the website?

jonath...@gmail.com

Oct 30, 2016, 9:35:04 PM
to mozilla-dev-s...@lists.mozilla.org
Please see 6.1.7, which describes this content.

Han Yuwei

Oct 30, 2016, 11:28:04 PM
to mozilla-dev-s...@lists.mozilla.org
On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> Please see 6.1.7, which describes this content.

In version 3.2 I see that "证书最长期限(年)" (maximum validity period, in years) for "SSL服务器证书" (SSL Server Certificates) is 5.

And I don't see any other information about SM2 usage.

jonath...@gmail.com

Oct 31, 2016, 6:19:44 AM
to mozilla-dev-s...@lists.mozilla.org
On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote:
We feel that there is no need to discuss those roots that are NOT included in Mozilla and other publicly trusted root stores. SM2 is not valid for the BR right now, so we didn't apply for inclusion of our SM2 root. It is as simple as that. Hence, we do not plan to explain further about our NOT included root.

Eric Mill

Nov 1, 2016, 1:33:05 AM
to Percy, mozilla-dev-s...@lists.mozilla.org
On Mon, Oct 31, 2016 at 8:29 PM, Percy <percy...@gmail.com> wrote:
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cfca.com.cn
>
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability
> (CVE-2016-2107) and insecure. Grade set to F.
>
> Rather ironic for a CA's official site, isn't it?
>

But off-topic for this thread.


--
konklone.com | @konklone <https://twitter.com/konklone>

Han Yuwei

Nov 1, 2016, 7:07:35 AM
to mozilla-dev-s...@lists.mozilla.org
On Monday, October 31, 2016 at 6:19:44 PM UTC+8, jonath...@gmail.com wrote:
Ok, thanks for your time.