Shanghai Electronic Certificate Authority Center Co., Ltd. (“SHECA”) is a third-party electronic certificate authority established in 1998 in strict compliance with laws and regulations. Our core expertise lies in delivering electronic certification services and electronic identity-related products and services, as well as offering comprehensive solutions in information security product development and integrated system implementation services tailored for enterprises, institutions, and individuals.
With a proven track record spanning 25 years, SHECA has emerged as a leader in the industry, earning a stellar reputation through the provision of professional services to millions of enterprises and billions of individual users across diverse sectors. Our overarching mission is to excel as a digital service provider. Guided by this mission, we are unwaveringly dedicated to furnishing customers with dependable, secure, and compliant electronic identity authentication services and products, safeguarding the security, confidentiality, and accessibility of their data.
In alignment with Apple's robust security strategy, which prioritizes "end-to-end encryption," encompassing the use of the SSL protocol for network communication encryption, SHECA is deeply committed to advancing secure and reliable SSL services. Our strategic focus is on enhancing the trust of Apple users in the Safari browser by delivering localized and comprehensive digital certificate services. This strategic initiative aims not only to elevate the security of users' digital experiences but also to cultivate heightened loyalty to Safari.
Additionally, SHECA is actively championing S/MIME certificate services to fortify the privacy and integrity of electronic emails. The integration of SHECA into the Apple root store is poised to establish a more sophisticated and localized security framework for Apple users, amplifying their confidence in the security infrastructure within the Apple ecosystem.
SHECA has developed a robust "incident management procedure" to govern the classification standards of incidents. Corresponding management processes have been formulated for incidents of varying levels, clearly delineating personnel roles and responsibilities, as outlined in the "Incident Management Procedures" policy.
In addition, SHECA has instituted an "Applicable Laws and Regulations Catalogue" to define the laws, regulations, and mandatory standards that the company must adhere to. Our compliance team conducts annual evaluations to assess the impact of changes in external laws, regulations, and other requirements on information security management, updating the "Applicable Laws and Regulations Catalogue" accordingly.
SHECA remains steadfast in adhering to the latest Baseline Requirements, actively monitoring incidents reported by peers on Bugzilla. Internal audits and self-assessments are conducted annually by our compliance team to proactively identify potential compliance issues.
To address compliance incidents and abnormal activities, SHECA has implemented a multi-channel communication method. This includes reporting to department heads, Security Committees, and other government authorities, along with notifying subscribers through websites and other public media.
In the event of a compliance incident, our response team takes swift action within 24 hours, encompassing the collection of incident information, identification of the source and scope of the incident, and implementation of measures to mitigate its impact. Within 72 hours, the response team compiles an incident report, publicly disclosing it on Bugzilla, and notifying relevant parties such as browsers and subscribers. The response team diligently follows up on root cause analysis and remediation tasks, synchronizing progress on Bugzilla in a timely manner. All compliance incidents are transparently disclosed in SHECA's WebTrust reports.
Q: How does your organization's internal processes reflect PKI industry standards for annual audits and policy maintenance?
SHECA has implemented a comprehensive annual audit mechanism encompassing both external and internal audits, successfully passing WebTrust audits for an impressive 16 consecutive years. To ensure compliance with audit engagement requirements, we conduct an annual auditor qualification review prior to engaging in the audit. Our compliance team engages in proactive communication with auditors regarding the audit period, scope, and expected report date, ensuring alignment with the latest WebTrust and browser requirements. Audit reports are promptly uploaded to CCADB and our official website. Additionally, we are preparing to launch the ETSI audit engagement starting in 2024, with ongoing communication with the auditor.
Internally, we have established the "Internal Audit Policy" and "Internal Audit Management Procedure" to define internal audit institutions and regulate the procedures for establishing, implementing, and reporting an internal audit plan. General control objectives, formulated by the Board-authorized general manager, guide the development of policies, procedures, standards, and work guidelines by respective business departments. Annual internal audit plans are crafted in line with the macro environment, company strategy, and operating objectives, ensuring a comprehensive company-wide internal audit of information security is conducted semi-annually. This process verifies the proper execution of the information security management strategy.
In accordance with CCADB requirements, SHECA's compliance team conducts a self-assessment annually and posts the self-assessment reports on CCADB.
For policy maintenance, SHECA has established the UniTrust Certificate Policy (CP) and UniTrust Certification Practice Statement (CPS) to meet the relevant specifications of the PKI industry. SHECA's compliance team identifies updates to laws, regulations, and industry requirements such as the BR, and proposes corresponding modifications to the CP/CPS. The proposal is submitted to the Security Committee for discussion and review. After the Security Committee's approval, the new CP/CPS is published on SHECA's official website, and all historical versions are retained.
Q: How involved is your organization in the CA/B Forum, and how do you contribute to the CA community?
As a member of the CA/B Forum, SHECA engages in various working groups, including those focused on server certificates, code signing certificates, S/MIME certificates, and network security. To ensure effective communication within our team, dedicated personnel from SHECA are assigned to summarize and synchronize meeting minutes on a monthly basis. Frequent internal discussions on relevant CA/B topics are conducted by SHECA's SSL business department and compliance team.
SHECA also attends in-person F2F meetings to keep abreast of the latest developments in the PKI industry, such as updates to browser root programs, CCADB usage, and audit requirements. SHECA applies these updates to its CA system operations and adjusts its audit plan and strategic research accordingly.
As a CA owner, SHECA contributes to browsers' root programs by providing feedback and suggestions on their policies. When a browser is preparing an update to its policy and requests our review and clarifying feedback, SHECA is always glad to give detailed suggestions and examples to help the browser understand both the underlying concern and how that concern might be addressed.
Looking ahead, SHECA is in the process of integrating into the Certificate Transparency (CT) system in 2024, with related work currently underway.
Through these proactive measures, SHECA is committed to making meaningful contributions to the CA community.
As one of the foremost certification authorities in China, SHECA is dedicated to being a trusted third party in identity authentication. Our future goals align closely with the CA community's objectives in several key areas.
Secure and Trustworthy Identity Authentication: SHECA's primary objective is to deliver a secure method of identity authentication. This involves associating identities with cryptographic keys, meticulously validating entity identities, and issuing certificates to affirm the validity of their public keys. To bolster our reliability in providing trust services, we have attained qualifications such as ISO9001, ISO27001, CMMI3, and have successfully undergone WebTrust audits for 16 consecutive years.
Interoperability: Ensuring the interoperability of our certificates across diverse systems, platforms, and applications is a focal point for SHECA. We achieve this by adhering to standards and protocols established by organizations like CA/B Forum and CPA Canada. Additionally, we actively participate in root inclusion programs of major browsers to enhance compatibility.
Compliance: SHECA aims to comply with the laws and regulations relating to data protection, privacy, and electronic transactions.
Transparency and Accountability: SHECA aims to operate in a transparent manner, providing clear information about our policies and practices, participating in regular audits and maintaining detailed records of certificate issuance and revocation.
Innovation: SHECA strives to adapt and innovate in order to effectively meet the changing needs and expectations of users, by developing linters and improving the efficiency and scalability of certificate issuance processes.
SHECA consistently acknowledges Apple's exemplary leadership in privacy protection and considers Apple as a role model. In line with this commitment, SHECA has instituted the "Personal Information Protection Management Rules." These rules articulate the objectives and principles governing the protection of personal data, outlining comprehensive regulations for the collection, use, retention, disposal, disclosure, and security control of personal information. Regular reviews by management ensure ongoing compliance with access, retention, disposal, transmission, disclosure, and security protection measures concerning personal information.
SHECA exclusively collects relevant personal information from registered customers with explicit authorization and active provision by the customers themselves. Prior to utilizing SHECA's services, customers are informed of the privacy policy within the subscriber agreement. Consent to the privacy policy is signed by customers on a voluntary basis and is a prerequisite for accessing the electronic identity authentication service.
For sensitive customer data and personal privacy data obtained from the Multi-source Authentication System of the SHECA Identity Electronic Certification Service, SHECA employs an encrypted storage mechanism. Encryption keys are securely stored in the identity authentication system's security module and can only be accessed through this module. In the Letusign Electronic Signature Business Module, sensitive data is encrypted before storage; customers set their own encryption keys, which are hashed before being stored in the database. Data transmission within SHECA's Identity Electronic Certification Service system is encrypted and digitally signed, ensuring confidentiality, integrity, and non-repudiation. The Letusign Electronic Signature Business Module likewise uses encryption protocols for secure data transmission.
Data disposal procedures are activated under specific circumstances, including data owner requests (e.g., from clients and other subjects) and when data reaches its retention limit. SHECA management approval is mandatory before initiating data destruction. The process involves thorough formatting and logical destruction of the storage medium. If necessary, physical and chemical damage measures may be implemented on the storage medium. This meticulous approach ensures secure and responsible handling of personal data throughout its lifecycle.
SHECA has implemented comprehensive security policies across all facets of its operations to safeguard Apple users. These policies cover Physical and Environmental Security, Operational Security, Information and Data Security, Development Security, Access Security, Threat and Vulnerability Management, Incident Management, and Business Continuity Management.
Responsibility for the custody and approval of our root keys lies with the Security Committee and Key Control Group. The Business Continuity Team oversees the approval and maintenance of the Business Continuity Plan (BCP) and orchestrates its implementation. The Risk Control Team is tasked with conducting internal audits of company information security.
SHECA's "Personal Information Protection Policy" is transparently disclosed on the official website, allowing customers easy access to review it. Updates to the policy are promptly communicated on the official website whenever the privacy policy undergoes changes. In the event of a change in the use of personal information, SHECA ensures that customers are informed of the updated purpose in a clear and reasonable manner, seeking confirmation from customers.
In instances of personal information security incidents, SHECA promptly notifies affected customers and reports significant incidents to regulatory authorities in a timely fashion.
To underscore its commitment to robust security practices, SHECA has obtained international certifications such as ISO27001 and ISO9001. The organization pledges strict adherence to relevant regulations throughout the entire CA operation process, further solidifying its dedication to maintaining the highest standards of information security and compliance.
SHECA is steadfast in its adherence to local personal information protection laws and international regulations, including the PIPL (Personal Information Protection Law). Upholding user privacy, SHECA refrains from disclosing any user information to third parties without explicit authorization.
In alignment with our "Personal Information Protection Management Rules," we diligently seek consent from data subjects when the provision of personal information to third parties becomes necessary for business needs.
Prior to sharing data with third parties, a comprehensive background investigation is conducted to ensure the third party complies with data usage regulations. Agreements are established between SHECA and the third-party vendors, outlining the purpose of data usage, the delineation of rights and responsibilities, the scope of personal information transmitted, and confidentiality clauses. The Compliance Department plays a pivotal role in reviewing and validating these agreements, ensuring strict adherence to privacy and data protection standards.