Closed Bug 1156175 Opened 9 years ago Closed 8 years ago

Add WoSign two new root certificates and EV enable

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: richard, Assigned: kwilson)

References

Details

(Whiteboard: EV - in NSS 3.21, and Firefox 44)

Attachments

(8 files, 2 obsolete files)

Attached file WoSign two new roots information (obsolete) —
CA Details
----------

CA Name: WoSign CA Limited
Website: www.wosign.com
One Paragraph Summary of CA, including the following:
 - General nature (e.g., commercial, government, academic/research, nonprofit)
   A public commercial CA in China

 - Primary geographical area(s) served
   China and Worldwide

Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Ernst & Young
Auditor Website: www.ey.com 
Audit Document URL(s): 
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842 

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)

Certificate Name: Certification Authority of WoSign G2 
Summary Paragraph, including the following:
 - End entity certificate issuance policy
   (i.e. what you plan to do with the root)
   Issue SSL certificates, code signing certificates and client certificates to end users.
 
 - Number and type of subordinate CAs
   Currently, we have only issued one sub CA, for testing: WoSign Class 4 EV SSL CA G2
   We plan to issue 10 sub CAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
 
 - Diagram and/or description of certificate hierarchy
 1. SSL certificate:
    Certification Authority of WoSign G2  
   --> WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
       --> End entity certificate  
 2. Code Signing Certificate
    Certification Authority of WoSign G2  
   --> WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
       --> End entity certificate  
 3. Client Certificate
    Certification Authority of WoSign G2  
   --> WoSign Class 3/2/1 Client CA G2
       --> End entity certificate  

Certificate download URL (on CA website):  http://www.wosign.com/root/WS_CA1_G2.crt

Version: V3
SHA1 Fingerprint:  FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
Public key length (for RSA, modulus length) in bits: 2048 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08 

CRL HTTP URL: http://crls6.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp6.wosign.com

Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy 
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf 
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root
(if applying for SSL): https://root4evtest.wosign.com  


Certificate Name: CA WoSign ECC Root
Summary Paragraph, including the following:
 - End entity certificate issuance policy
   (i.e. what you plan to do with the root)
   Issue SSL certificates, code signing certificates and client certificates to end users.
 
 - Number and type of subordinate CAs
   Currently, we have only issued one sub CA, for testing: WoSign Class 4 EV ECC SSL CA
   We plan to issue 10 sub CAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
 
 - Diagram and/or description of certificate hierarchy
 1. SSL certificate:
    CA WoSign ECC Root
   --> WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA 
       --> End entity certificate  
 2. Code Signing Certificate
    CA WoSign ECC Root
   --> WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
       --> End entity certificate  
 3. Client Certificate
    CA WoSign ECC Root
   --> WoSign Class 3/2/1 ECC Client CA
       --> End entity certificate  

Certificate download URL (on CA website):  http://www.wosign.com/root/ws_ecc.crt 

Version: V3
SHA1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
Public key length (for RSA, modulus length) in bits: ECDSA 384 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08 

CRL HTTP URL: http://crls8.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp8.wosign.com

Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy 
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf 
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root
(if applying for SSL): https://root5evtest.wosign.com
1_fingerprint FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
2_readable_oid 1.3.6.1.4.1.36305.2
3_issuer MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy
4_serial ayXaioidfLwPBbOxemFFRA==

1_fingerprint D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
2_readable_oid 1.3.6.1.4.1.36305.2
3_issuer MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkGA1UEAxMSQ0EgV29TaWduIEVDQyBSb290
4_serial aEpYcIBr8I8C+vbe6LCQkA==
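The four fields above form the EV-enablement record for each root: SHA-1 fingerprint, EV policy OID, the issuer Name as base64 DER, and the serial number as base64. As an added example (not part of the attachment and not NSS or PSM code), the following minimal DER Name decoder turns the two issuer blobs back into readable DNs and the serials into hex, so a reviewer can check that the record names the root it claims to. The OID_NAMES map is an assumption limited to the attribute types that occur in these two names.

```python
import base64

# Issuer Name and serial fields copied verbatim from the EV-enable record above.
ISSUER_G2_B64 = "MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy"
SERIAL_G2_B64 = "ayXaioidfLwPBbOxemFFRA=="
ISSUER_ECC_B64 = "MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkGA1UEAxMSQ0EgV29TaWduIEVDQyBSb290"
SERIAL_ECC_B64 = "aEpYcIBr8I8C+vbe6LCQkA=="

# Assumed mapping for the attribute types seen in these names (C, O, OU, CN).
OID_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.11": "OU", "2.5.4.3": "CN"}


def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _oid(raw):
    """Decode the body of a DER OBJECT IDENTIFIER into dotted form."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def parse_name(der):
    """Decode an X.501 Name: SEQUENCE OF SET OF SEQUENCE {OID, value}."""
    tag, body, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _tlv(body, pos)     # SET: one RelativeDistinguishedName
        _, atv, _ = _tlv(rdn, 0)            # SEQUENCE: AttributeTypeAndValue
        _, oid_raw, p = _tlv(atv, 0)        # OBJECT IDENTIFIER: attribute type
        _, value, _ = _tlv(atv, p)          # PrintableString / UTF8String
        attr = _oid(oid_raw)
        rdns.append((OID_NAMES.get(attr, attr), value.decode("utf-8")))
    return rdns


def decode_record(issuer_b64, serial_b64):
    """Return (readable issuer DN, serial as lowercase hex) for one EV record."""
    dn = ", ".join(f"{k}={v}" for k, v in parse_name(base64.b64decode(issuer_b64)))
    return dn, base64.b64decode(serial_b64).hex()


if __name__ == "__main__":
    print(decode_record(ISSUER_G2_B64, SERIAL_G2_B64))
    print(decode_record(ISSUER_ECC_B64, SERIAL_ECC_B64))
```

The decoded CN of each issuer should equal the Root Certificate Name given for that root; the serial is the value NSS pairs with the issuer to locate the root when applying EV treatment.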
Summary: Add WoSign two new root certificates → Add WoSign two new root certificates and EV enable
Attachment #8594620 - Attachment is obsolete: true
The 2014 WebTrust Seal link for WoSign is:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
WebTrust BR: https://cert.webtrust.org/ViewSeal?id=1860
Attached file 1156175-CAInformation.pdf (obsolete) —
I have entered the information for this request into SalesForce.

Please review the attached document to make sure it is accurate and complete, and comment in this bug to either correct or confirm the information.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
All correct except "DV SSL certs are valid up to 2 years", we changed to "DV SSL certs are valid up to 3 years" from April 04, 2015.
Thanks.
Attachment #8600119 - Attachment is obsolete: true
I will try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Ready for Public Discussion
I am now opening the first public discussion period for this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots. 

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy

The discussion thread is called “WoSign Root Renewal Request”.

Please actively review, respond, and contribute to the discussion.

A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at

https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
WoSign CA Limited appears to provide a service relevant to Mozilla users; its SSL certificates are deployed in top 10 eCommerce websites in China; for bank, telecom, enterprise etc. WoSign's previous root certificates were included via Bug #851435. This request is to include the G2 and ECC roots.

== Root Certificate 1 of 2 ==
Root Certificate Name: Certification Authority of WoSign G2
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/WS_CA1_G2.crt

Certificate Summary: This SHA-256 root cert will eventually replace the SHA-1 "Certification Authority of WoSign" root cert that was included via Bugzilla Bug #851435. It will have internally-operated intermediate certificates that issue certs to individuals and organizations.

Certificate Revocation
CRL URL(s): http://crls6.wosign.com/ca6.crl
http://crls6.wosign.com/ca6-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp6.wosign.com/ca6
http://ocsp6.wosign.com/ca6/ssl4

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
2. WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
3. WoSign Class 3/2/1 Client CA G2
Currently, one of the subCAs has been issued: WoSign Class 4 EV SSL CA G2
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==

== Root Certificate 2 of 2 ==  
Root Certificate Name: CA WoSign ECC Root
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/ws_ecc.crt

Certificate Summary: This ECC root will have internally-operated intermediate certificates that issue SSL, Code Signing, and Client certificates to individuals and organizations.

Certificate Revocation
CRL URL(s): http://crls8.wosign.com/ca8.crl
http://crls8.wosign.com/ca8-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp8.wosign.com/ca8
http://ocsp8.wosign.com/ca8/ssl4

Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA
2. WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
3. WoSign Class 3/2/1 ECC Client CA
Currently, one of the subCAs has been issued:
WoSign Class 4 EV ECC SSL CA
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==

Documents are provided in Chinese, and the CPS has been translated into English.

Document Repository (Chinese): http://www.wosign.com/policy/cps.htm
CPS (English): http://www.wosign.com/policy/cps_e.htm

Inclusion Policy Section 7 [Validation]. 
WoSign appears to meet the minimum requirements for subscriber verification, as follows.

* SSL Verification Procedures: According to CPS section 3.2.2 WoSign confirms that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com, admin@domain.com, administrator@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient enough to receive an electronic mail message. Additionally the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar.

* Email Verification Procedures: According to CPS section 3.2.2 Email accounts are validated by sending an electronic mail message with a verification code to the requested email account. The Subscriber has to return and submit the verification code as proof of ownership of the email account within a limited period sufficient enough to receive an electronic mail message.

* Code Signing Subscriber Verification Procedure: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4/EV. Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.

Inclusion Policy Sections 11-14 [Audit]. Annual audits are performed by Ernst & Young (EY), according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1843&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1860&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1842&file=pdf

Based on this assessment I intend to approve this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots.
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #13, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:

** "Certification Authority of WoSign G2" (websites, email, code signing), enable EV
** "CA WoSign ECC Root" (websites, email, code signing), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1193476
Depends on: 1193480
I have filed bug #1193476 against NSS and bug #1193480 against PSM for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - in NSS 3.21, and Firefox 44
Attached file WebTrustCA2016.pdf
WebTrust BR and EV are pending auditor signatures
Product: mozilla.org → NSS
Product: NSS → CA Program