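Root certificate has not yet joined the 360 Browser root certificate trust program

360 is a Chinese internet security company, and the 360 team has always been committed to the secure development of the internet. To strengthen 360's ability to respond to the frequently occurring problems of certificates being over-issued or mis-issued and of their trustworthiness and authenticity not being verifiable in a timely and effective way, and, by handling problems more efficiently and shortening the risk window, to effectively identify which specific CA really issued a website's certificate and so further help users recognize trusted, secure certificates, 360 has decided to create its own root certificate program. 360 Browser usually trusts the root certificates trusted by the underlying operating system, but it will now also configure its own root trust store. 360 has the right to remove any certificate. The 360 Browser root certificate program applies mainly to 360 Browser.

Let's Encrypt certificates have not yet joined the 360 Browser root certificate program and may not be trusted in the future.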

1 Like

Are you asking if Let’s Encrypt will be applying to the 360 root program?

It seems some more information about the program can be found at: https://caprogram.360.cn and clicking the “English” link in the top-right.

2 Likes

Yes. There are many users of 360 browser in China. If you do not join the 360 browser root certificate program, you may not be trusted by 360 browser in the future.

3 Likes

From their root program policy:

That for any root CA certificate to be include in 360 root store, the expiration date at the date of submission must be more than 8 years.

DST Root CA X3 is ruled out by this, as it expires on 2021. 9. 30. So we have to use the ISRG intermediate to have any chance, but we can only provide a single chain for it. But old Android versions (before 7.1.1) won't trust ISRG Root X1, so… it's a one-or-the-other situation.

P.S : can WE cross sign DST root X3 and include it as single chain? (ISRG root -> DST root -> LE x3 -> leaf)

2 Likes

That’s a question for @josh as it’s not listed in Browser/OS vendors with ISRG root in their root certificate stores :

Is that list (Mozilla / Google Chrome / Google Android / Apple / Oracle (Java) / Blackberry / Microsoft) still up to date?

Do you plan to submit the ISRG Roots to other stores such as the 360 browser root certificate program?

2 Likes

Since Let’s Encrypt doesn’t include CRL URL in end entity certificate, does it make Let’s Encrypt ineligible to join this CA program?

All end user certificates must:

  • Contain valid OCSP, AIA and CRL URLs, and appropriate OIDs as defined by the CA/Browser Forum documents.

3 Likes
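
The requirement quoted in the post above can be checked mechanically against any certificate. The following is an added example, not code from this thread or from 360's program; it uses the Python `cryptography` package, and the two self-signed certificates and their `example.test` URLs are constructed samples.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID as AIA, NameOID

URI = x509.UniformResourceIdentifier
AIA_KEYS = {AIA.OCSP: "ocsp", AIA.CA_ISSUERS: "ca_issuers"}

def revocation_pointers(cert):
    """Collect the OCSP, AIA caIssuers and CRL URLs a certificate carries."""
    found = {"ocsp": [], "ca_issuers": [], "crl": []}
    ext = cert.extensions.get_extension_for_class
    try:
        for desc in ext(x509.AuthorityInformationAccess).value:
            key = AIA_KEYS.get(desc.access_method)
            if key and isinstance(desc.access_location, URI):
                found[key].append(desc.access_location.value)
    except x509.ExtensionNotFound:
        pass  # certificate has no AIA extension
    try:
        for point in ext(x509.CRLDistributionPoints).value:
            found["crl"] += [n.value for n in point.full_name or [] if isinstance(n, URI)]
    except x509.ExtensionNotFound:
        pass  # certificate has no CRL Distribution Points extension
    return found

def missing_pointers(cert):
    return sorted(k for k, urls in revocation_pointers(cert).items() if not urls)

def make_sample(with_crl):
    """Constructed 90-day self-signed sample; with_crl toggles the CRL extension."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "example.test")])
    start = dt.datetime(2020, 1, 1)
    aia = x509.AuthorityInformationAccess([
        x509.AccessDescription(AIA.OCSP, URI("http://ocsp.example.test")),
        x509.AccessDescription(AIA.CA_ISSUERS, URI("http://ca.example.test/ca.der"))])
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(start).not_valid_after(start + dt.timedelta(days=90))
         .add_extension(aia, critical=False))
    if with_crl:
        crl = x509.DistributionPoint([URI("http://crl.example.test/ca.crl")], None, None, None)
        b = b.add_extension(x509.CRLDistributionPoints([crl]), critical=False)
    return b.sign(key, hashes.SHA256())

if __name__ == "__main__":
    print(missing_pointers(make_sample(False)), missing_pointers(make_sample(True)))
```

To check a real certificate, load it with `x509.load_pem_x509_certificate()` and pass it to `missing_pointers()`.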

Hmmmmmmmm.
Does this mean it will fall back to the OS trust store, or will it semi-trust all certificates?
Hopefully the first one, but they are the guys behind WoSign (now changed its name to WoTrust), so…

2 Likes

From the webpage and my friends, the browser will fall back to the OS certificate store and give the second padlock.
I do also realize that some CAs included in the program are not yet in Windows / Mozilla / Apple’s trust store (or still in progress). Not sure how that CA progressed that fast in this program. (But it’s up to the company)

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.