yumetodo's notes on travel, programming and other things

Records of travels and mountain hikes, programming-related talk, freeware introductions and the like

GPKI, get lost and don't come back! (yes, the title is deliberately provocative)

Introduction

Sorry for the provocation. To be honest, I don't really understand GPKI all that well.

I do think I understand it at least well enough to follow "What is GPKI?" on digitalforensic.jp, though.

Background

None of this makes sense unless you know who stands where, so see:

CA/Policy Participants - MozillaWiki

The problem

Application CA2 (Sub) | Government Public Key Infrastructure (GPKI) home page

As that page itself notes, when you try to open

https://www.gpki.go.jp/selfcert/finger_print.html

you get a warning like this:

[screenshot: browser warning that the root certificate is not trusted]

In other words, the browser says the root certificate cannot be trusted.

So, in order to get the root certificate trusted, the Government of Japan had filed an inclusion request:

mozilla.dev.security.policy › Japan GPKI Root Renewal Request

This begins the discussion of the request from the Government of Japan to include the GPKI 'ApplicationCA2 Root' certificate and enable the Websites trust bit.

In response,

Tuesday, February 13, 2018, 08:31:43 UTC+9, Wayne Thayer

All of my questions regarding the CP/CPS and audits have been answered to my satisfaction. I am left with two concerns:

  1. This root was signed on 12-March 2013. The first end-entity certificate that I'm aware of was signed later in 2013. Mozilla began requiring BR audits in 2014, but the first BR assessment for this root was on 30-September 2015. [1] The assessment shows 22 issues. [2] A PITRA was finally performed on January 31, 2017 [3] and no qualifications were noted. This was followed by a clean period-of-time audit. It is clear that hundreds of certificates were issued in this certificate hierarchy while it was not BR compliant, some of which have not yet expired.

  2. A number of misissued certificates under this hierarchy have been logged [4], some of which are still valid. Some of these contain significant compatibility problems such as the lack of a SAN and the lack of an OCSP URL. The good news is that all of the bad certificates were issued prior to 2017.

At a minimum, the unexpired misissued certificates should be revoked, just as has been done by other CAs in the Mozilla program. However, given the demonstrated lack of BR compliance from 2013-2016, we should consider rejecting this request and requiring that a new root using a new key pair be generated and submitted for inclusion.

Please be aware that trust in this root will be constrained to .go.jp domains, significantly reducing the risk it presents to Mozilla users.

I would appreciate everyone's constructive feedback on these issues, and any others that are relevant to this inclusion request.

- Wayne

[1] https://bug870185.bmoattachments.org/attachment.cgi?id=8667814
[2] https://bug870185.bmoattachments.org/attachment.cgi?id=8667815
[3] https://bug870185.bmoattachments.org/attachment.cgi?id=8852738
[4] https://crt.sh/?caid=1419&opt=cablint,zlint,x509lint&minNotBefore=2013-01-01

BR: Baseline Requirements
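The two "significant compatibility problems" Wayne names (no SAN, no OCSP URL) and the point that unexpired misissued certificates must be revoked rather than left to expire can be checked mechanically. As an added example, not code from the thread, from GPKI or from the crt.sh linters, here is a small Go lint over a self-signed test certificate built with the standard library only; the example.go.jp host name and OCSP URL are constructed:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// lintCert reports the two compatibility problems named in the thread (no SAN,
// no OCSP URL in authorityInfoAccess) and whether the certificate is still
// valid at now, i.e. cannot simply be left to expire. Example logic, not crt.sh's.
func lintCert(c *x509.Certificate, now time.Time) []string {
	var findings []string
	if len(c.DNSNames) == 0 && len(c.IPAddresses) == 0 {
		findings = append(findings, "no subjectAltName: browsers ignore the CN")
	}
	if len(c.OCSPServer) == 0 {
		findings = append(findings, "no OCSP URL in authorityInfoAccess")
	}
	if !now.Before(c.NotBefore) && now.Before(c.NotAfter) {
		findings = append(findings, "still valid: must be revoked, not left to expire")
	}
	return findings
}

// makeCert self-signs a two-year test leaf with the given CN, SANs and OCSP
// URLs so the checks above can be exercised offline (constructed test data).
func makeCert(cn string, sans, ocsp []string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.AddDate(-2, 0, 0),
		NotAfter:     notAfter,
		DNSNames:     sans,
		OCSPServer:   ocsp,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

A certificate with only a CN and no AIA, still inside its validity period, produces all three findings; the same certificate with a SAN and an OCSP URL produces only the "still valid" one.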

they were told, as above, that at the very least the problematic certificates had to be revoked, and then

Friday, February 23, 2018, 15:57:38 UTC+9, apca2...@gmail.com

We are a certificate authority controlled by the Government of Japan and issued only for servers operated by the government.

For certificates that you point out concerning, they will expire and will be reissued, so we think that the problem will be solved.

We will continue to take BR audits in the future so we will operate as a secure certification authority and we appreciate your continued support.

When they came back with "they will expire eventually, and then there is no problem, right?",

Wednesday, February 28, 2018, 07:51:23 UTC+9, Wayne Thayer

To conclude this discussion, Mozilla is denying the Japanese Government ApplicationCA2 Root inclusion request. I'd like to thank everyone for your constructive input into the discussion, and I'd like to thank the Japanese Government representatives for their patience and work to address issues as they have been discovered. I will be resolving the bug as "WONTFIX".

I would like to again point out that simply waiting for misissued certificates to expire is not an acceptable response.

So it got rejected, roughly along these lines: the certificates already issued up to 2017 have defects, there is no way a hierarchy in such a murky state can be trusted, so revoke them and come back; on top of that, you were told to revoke the problematic certificates immediately and you talk about waiting for them to expire, what are you even saying?

This threw the GPKI staff into a panic:

Wednesday, February 28, 2018, 14:58:50 UTC+9, apca2...@gmail.com

This is a misunderstanding. We are preparing to revoke certificates immediately, rather than waiting for certificates issued prior to 2017 to expire. However, even if we revoke those certificates, if your judgment is not affected and our request is rejected, there is no point in doing it. Please let us know if our request will be accepted by revoking all the certificates we issued prior to 2017.

"We misread you; we are getting ready to revoke immediately. But what else should we do?"

is what they replied, within a mere seven hours.

Reactions from the experts(?)

The origin of the "8,000 yen" is probably

What happened next

Thursday, March 1, 2018, 01:15:06 UTC+9, Eric Mill

So, to be clear, you would only revoke misissued certificates if required to do so by Mozilla -- not because they represent control failures, or in order to demonstrate to other root programs your CA's responsiveness and the seriousness with which you take control failures.

Just when it seemed an unofficial view had appeared, to the effect that if Mozilla is the one asking then simply revoking should be enough (this person posts from a .gov domain address, so it is not Mozilla's official position),

Thursday, March 1, 2018, 01:26:58 UTC+9, Wayne Thayer

My comment was intended to point out that you are violating BR section 4.9.1.1(9) by not revoking these certificates. My comments were not intended to imply that revoking these certificates would change Mozilla's decision to deny this inclusion request.

Eric Mill, that is not it: my comment was only meant to say that leaving these certificates unrevoked violates the BRs. I did not mean to imply that revoking them would reverse Mozilla's rejection of this request (the original matter of getting the root certificate trusted).

Mozilla's official position shot that down straight away. Too late by then, in any case.

Reactions from the experts(?), part 2