ZoTrus Trusted Root Program
Effective Date: April 20, 2022, Updated Sept. 30, 2022

The included SM2 algorithm trusted root certificates

Trusted SM2 Certificate Transparency Log System List

1. Program Requirements

ZT Browser uses public key infrastructure (PKI) to secure and enhance the experience for its users. It supports the RSA, ECC and SM2 algorithms: root certificates using RSA/ECC must comply with the international standards, and root certificates using SM2 must comply with the Chinese cryptography standards.

1.1 CA providers using RSA/ECC algorithm requirements

  • CA providers must ensure their CAs are audited against at least one of the below criteria at least annually:
    ✦ WebTrust Principles and Criteria for Certification Authorities (Preferred)
    ✦ ETSI EN 319 411-1 LCP, NCP, or NCP+ (Accepted on a case-by-case basis)
  • CA providers must ensure their SSL/TLS enabled root CAs and all subordinate CAs capable of issuing TLS certificates are audited against at least one of the below sets of criteria at least annually:
    ✦ WebTrust Principles and Criteria for Certification Authorities and WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security (Preferred)
    ✦ ETSI EN 319 411-1 LCP and (DVCP or OVCP) (Accepted on a case-by-case basis)
  • CA providers must ensure their Extended Validation (EV) enabled root CAs and all subordinate CAs capable of issuing EV TLS certificates are audited against at least one of the below sets of criteria at least annually:
    ✦ WebTrust Principles and Criteria for Certification Authorities, WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security, and WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL (Preferred)
    ✦ ETSI EN 319 411-1 NCP and EVCP (Accepted on a case-by-case basis)
  • CA providers must strictly adhere to their Certificate Policy (CP) and/or Certification Practices Statement (CPS) documents.
  • TLS CA providers must constantly maintain compliance with the CA/Browser Forum Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates, and must incorporate and commit to compliance with the CA/Browser Forum’s Baseline Requirements in their CP and/or CPS documents.
  • EV CA providers must constantly maintain compliance with the CA/Browser Forum Guidelines for The Issuance And Management Of Extended Validation Certificates, and must incorporate and commit to compliance with the CA/Browser Forum’s EV Guidelines in their CP and/or CPS documents.
  • CA providers must notify ZoTrus if they anticipate any change in control or ownership of any CA certificate (whether directly included or subordinate thereto). Do not assume inclusion is transferable.
  • A root certificate must provide broad value to ZT Browser's users.
  • CA providers applying for inclusion in the ZoTrus Trusted Root Program are expected to meet all Program and Policy requirements prior to submitting an application.

1.2 CA providers using SM2 algorithm requirements

  • CA providers must hold a valid China CA license issued by MIIT and SCA, and must have their own SM2 root certificate or a sub-CA issued by the Chinese SM2 Root CA for issuing SM2 SSL/TLS certificates.
  • If CA providers do not hold a valid China CA license, they must have an annual WebTrust audit report and at least one RSA/ECC root included in the Microsoft/Mozilla/Google/Apple root certificate programs; a non-licensed root CA’s application is accepted on a case-by-case basis.
  • Other requirements are the same as the RSA/ECC algorithm standards described above; only the algorithm differs.

2. Policy Requirements

2.1 CA providers using RSA/ECC algorithm requirements

  • CA providers must disclose all sub-CA certificates which chain up to their root CA Certificate(s) included in the ZoTrus Trusted Root Program.
  • Other policy requirements follow the CA/Browser Forum requirements.

2.2 CA providers using SM2 algorithm requirements

  • The Chinese SM2 Root Certificate is included and trusted in ZT Browser, but all sub-CAs must contact us to apply for sub-CA trust so that ZT Browser can properly validate the certificate chain and display the correct trust-level icon.
  • To quickly identify the SSL certificate type, CAs must declare one of the following Policy OIDs in the Certificate Policies extension of end-entity TLS/SSL certificates:
    ✦ DV SSL Certificate: 1.2.156.157933.11, Corresponds to CABF OID: 2.23.140.1.2.1
    ✦ IV SSL Certificate: 1.2.156.157933.12, Corresponds to CABF OID: 2.23.140.1.2.3
    ✦ OV SSL Certificate: 1.2.156.157933.13, Corresponds to CABF OID: 2.23.140.1.2.2
    ✦ EV SSL Certificate: 1.2.156.157933.14, Corresponds to CABF OID: 2.23.140.1.1
  • To quickly validate the TLS/SSL certificate, the certificate must contain an Authority Key Identifier (KeyID) and an Authority Information Access (AIA) URL, and its Enhanced Key Usage must be Server Authentication and Client Authentication. The intermediate (sub-CA) certificate must also contain an Authority Key Identifier (KeyID) and an Authority Information Access (AIA) URL.
  • SM2 Certificate Transparency Policy: SM2 SSL certificates with a validity period of 180 days or less must contain 2 SM2 SCTs, and SM2 SSL certificates with a validity period greater than 180 days must contain 3 SM2 SCTs. However, because only three SM2 certificate transparency log systems are currently available, all provided by ZoTrus, for the time being only one SM2 SCT is required for SM2 SSL certificates valid for 180 days or less, and two SM2 SCTs are required for SM2 SSL certificates valid for more than 180 days. Once more SM2 certificate transparency log systems that pass ZT Browser’s certification become available on the market, the formal certificate transparency policy will be implemented.
  • Starting July 1, 2022, ZT Browser no longer trusts SM2 SSL certificates that do not embed ZT Browser trusted SCT data; it displays “Not secure” in the address bar. Before that date, it only displayed “SM2 Certificate NOT Transparency” in the SM2 encryption icon details.
  • Other requirements are the same as the RSA/ECC algorithm standards described above; only the algorithm differs.
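As an added illustration (not part of the ZoTrus program text or of any ZT Browser code), the following Python checker applies the section 2.2 rules to an SM2 end-entity certificate: the policy OID to validation-level mapping, the required AKI/AIA/EKU fields, and the SCT count under both the interim and the formal transparency policy. The certificate structure, its field names and the two sample certificates are constructed for this example; a real deployment would fill them from a parsed X.509 certificate.

```python
from dataclasses import dataclass
from datetime import datetime

# Section 2.2 policy OIDs -> (validation level, equivalent CABF OID).
ZOTRUS_POLICY_OIDS = {
    "1.2.156.157933.11": ("DV", "2.23.140.1.2.1"),
    "1.2.156.157933.12": ("IV", "2.23.140.1.2.3"),
    "1.2.156.157933.13": ("OV", "2.23.140.1.2.2"),
    "1.2.156.157933.14": ("EV", "2.23.140.1.1"),
}

@dataclass
class SM2LeafCert:
    # Constructed, simplified view of the fields the policy inspects (not a real X.509 parser).
    policy_oids: list
    eku: set
    has_aki: bool
    aia_urls: list
    not_before: datetime
    not_after: datetime
    sct_count: int

def required_scts(validity_days: int, interim: bool = True) -> int:
    """Interim policy: 1 SCT (<= 180 days) or 2 (> 180 days); the formal policy adds one more."""
    return (1 if validity_days <= 180 else 2) + (0 if interim else 1)

def check_sm2_leaf(cert: SM2LeafCert, interim: bool = True):
    """Return (validation level or None, list of findings); an empty list means compliant."""
    findings = []
    levels = [ZOTRUS_POLICY_OIDS[o][0] for o in cert.policy_oids if o in ZOTRUS_POLICY_OIDS]
    if len(levels) != 1:
        findings.append("exactly one ZoTrus policy OID expected, found %d" % len(levels))
    if not cert.has_aki:
        findings.append("Authority Key Identifier missing")
    if not cert.aia_urls:
        findings.append("Authority Information Access URL missing")
    if not {"serverAuth", "clientAuth"} <= cert.eku:
        findings.append("EKU must include serverAuth and clientAuth")
    days = (cert.not_after - cert.not_before).days
    need = required_scts(days, interim)
    if cert.sct_count < need:
        findings.append("%d SM2 SCT(s) required for %d-day validity, found %d" % (need, days, cert.sct_count))
    return (levels[0] if len(levels) == 1 else None), findings

# Constructed sample certificates (not real issued certificates); the AIA URL is a placeholder.
OV_LEAF = SM2LeafCert(["1.2.156.157933.13"], {"serverAuth", "clientAuth"}, True,
                      ["http://ca.example/sm2-issuer.cer"], datetime(2022, 9, 1), datetime(2023, 9, 1), 2)
DV_LEAF_NO_SCT = SM2LeafCert(["1.2.156.157933.11"], {"serverAuth"}, True,
                             [], datetime(2022, 9, 1), datetime(2022, 11, 30), 0)
```

Running `check_sm2_leaf(OV_LEAF)` passes under the interim policy but reports a missing third SCT under the formal policy (`interim=False`), while `DV_LEAF_NO_SCT` is flagged for the missing AIA, the incomplete EKU and the missing SCT.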

3. Submission Process

To begin the submission process, send an email to ca mail with the details of your root inclusion request, such as company name, contact information, root certificate and test website. CA providers will be contacted if any additional information is required, and when consideration of the inclusion request is complete.

4. Root Acceptance

ZoTrus accepts and removes root certificates as it deems appropriate at its sole discretion. ZoTrus prioritizes root inclusion requests as it deems appropriate at its sole discretion.

All RSA/ECC algorithm root certificates included in Chromium 97 are trusted by default, but we may change this policy at any time without notice and remove some of these default roots.

SM2 algorithm root certificate inclusion applicants must hold a valid China CA license issued by MIIT and SCA and must have their own SM2 root certificate or a sub-CA issued by the China Public Root CA (SM2) for issuing SM2 SSL/TLS certificates. Other special cases are dealt with on a case-by-case basis.

All ZT Browser trusted root CA operators are qualified to provide the ZT Browser trusted Website Trusted Identity Validation service. ZT Browser not only displays the validation level of SSL certificates issued by trusted CAs for free, but also trusts the website validation data that qualified CA operators synchronize to the ZT Browser Trusted Website Validation Database, and displays that validation level in the address bar for free as well.

5. Incidents

Failure to comply with any of the above requirements is considered an incident. CA providers must report such incidents to the ZoTrus Trusted Root Program by email with a full incident report.