Add ISRG Root to 360 Browser trust store

Hello there,

The 360 company's browser currently holds a huge market share in Mainland China, and they have previously launched their own trust store.

I guess they deployed their own trust store because many people in Mainland China are unwilling to open Windows Update, and the 360 browser supports Windows XP so far.
Therefore, it is necessary for them to maintain a trust store.

caprogram.360.cn
Contact: caprogram@360.cn

But I don't like this company. WoSign and StartCom are subsidiaries of 360, which suffered major accidents.
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/

Before it was acquired, StartCom's free SSL certificate and cheap code signing certificate were very affordable.

I put forward this proposal only considering that users can normally access websites that use Let's Encrypt certificates without updating the system. Although they should update the system.

2 Likes

From the page you linked:

All end user certificates must:

  • Contain valid OCSP, AIA and CRL URLs, and appropriate OIDs as defined by the CA/Browser Forum documents.

Let's Encrypt doesn't make CRLs and realistically can't, because they would be in the gigabyte range if we tried.
Unless they change the policy, LE can't satisfy the requirement.

3 Likes

Related: Root certificate not yet added to the 360 Browser Root Certificate Trust Program

3 Likes

This is a problem. I am currently trying to contact them to see if there is a feasible solution.

2 Likes

Thank you, I tried searching but didn't notice this post.

3 Likes

Unfortunately, I did not get a response.
I took a look at the Trusted Roots listed on the website; they don't seem to be asking for "all", but just one of them.
For example, the CA of www.bilibili.com is GlobalSign Root CA - R1, and its certificate only contains OCSP.
So ISRG Root X1 meets the requirements.
As for X2, there seems to be no way.

--- UPDATE ---
Authority Information Access: CA Issuers - URI:http://x2.i.lencr.org/
I am not sure, but it seems that X2 is also eligible? After all, this is also AIA.

2 Likes

I received a response from 360 today, but their response is confusing.

The final response I got after communicating with them was:

OCSP and CRL are required, but CRL is not for website certificates, only root certificates and intermediate certificates

So ISRG Root X1 meets the requirements, and 360 Browser CA Policy section-10 is wrong.

2 Likes
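An added example, not written by any poster in this thread and not 360's or Let's Encrypt's code: a small parser for the extension section printed by `openssl x509 -noout -text` that reports which of the OCSP, CA Issuers (AIA) and CRL URLs a certificate carries, then evaluates the two readings of the policy debated above ("all" versus "just one of them"). The sample dumps and `example.test` hostnames are constructed, and treating "AIA" as the CA Issuers entry is an assumption.

```python
import re

# Constructed sample in the layout of `openssl x509 -noout -text`;
# the example.test hostnames are placeholders, not real endpoints.
SAMPLE_OCSP_ONLY = """\
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            Authority Information Access:
                OCSP - URI:http://ocsp.example.test
                CA Issuers - URI:http://ca.example.test/issuer.crt
"""
SAMPLE_WITH_CRL = SAMPLE_OCSP_ONLY + """\
            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://crl.example.test/issuer.crl
"""

AIA_RE = re.compile(r"(OCSP|CA Issuers) - URI:(\S+)")
URI_RE = re.compile(r"URI:(\S+)")

def extract_pointers(text):
    """Collect OCSP, CA Issuers and CRL URLs from an openssl text dump."""
    found = {"ocsp": [], "ca_issuers": [], "crl": []}
    section, header_indent = None, 0
    for line in text.splitlines():
        body = line.strip()
        if not body:
            continue
        indent = len(line) - len(line.lstrip())
        if section and indent <= header_indent:
            section = None  # a sibling extension header closes the block
        if body.startswith("Authority Information Access:"):
            section, header_indent = "aia", indent
        elif body.startswith("X509v3 CRL Distribution Points:"):
            section, header_indent = "crl", indent
        if section == "aia":  # also matches the flattened one-line form
            for kind, url in AIA_RE.findall(body):
                found["ocsp" if kind == "OCSP" else "ca_issuers"].append(url)
        elif section == "crl":
            found["crl"].extend(URI_RE.findall(body))
    return found

def evaluate(found):
    """Apply both readings of the requirement discussed in the thread."""
    present = [bool(urls) for urls in found.values()]
    return {"all_three": all(present), "at_least_one": any(present)}
```

Feed it the output of `openssl x509 -noout -text -in cert.pem` for the certificate you want to check.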