Closed Bug 1156175 Opened 10 years ago Closed 9 years ago

Add WoSign two new root certificates and EV enable

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: richard, Assigned: kathleen.a.wilson)

Details

(Whiteboard: EV - in NSS 3.21, and Firefox 44)

Attachments

(8 files, 2 obsolete files)

Attached file WoSign two new roots information (obsolete) —
CA Details
----------
CA Name: WoSign CA Limited
Website: www.wosign.com
One Paragraph Summary of CA, including the following:
- General nature (e.g., commercial, government, academic/research, nonprofit): A public commercial CA in China
- Primary geographical area(s) served: China and Worldwide
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Ernst & Young
Auditor Website: www.ey.com
Audit Document URL(s):
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842

Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root certificates in the store, not intermediates.)

Certificate Name: Certification Authority of WoSign G2
Summary Paragraph, including the following:
- End entity certificate issuance policy (i.e. what you plan to do with the root): Issue SSL certificates, code signing certificates and client certificates to end users.
- Number and type of subordinate CAs: Currently, we have only issued one sub CA for test: WoSign Class 4 EV SSL CA G2. We plan to issue 10 sub CAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
- Diagram and/or description of certificate hierarchy:
  1. SSL certificate: Certification Authority of WoSign G2 --> WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2 --> End entity certificate
  2. Code Signing Certificate: Certification Authority of WoSign G2 --> WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2 --> End entity certificate
  3. Client Certificate: Certification Authority of WoSign G2 --> WoSign Class 3/2/1 Client CA G2 --> End entity certificate
Certificate download URL (on CA website): http://www.wosign.com/root/WS_CA1_G2.crt
Version: V3
SHA1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
Public key length (for RSA, modulus length) in bits: 2048 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08
CRL HTTP URL: http://crls6.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp6.wosign.com
Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root (if applying for SSL): https://root4evtest.wosign.com

Certificate Name: CA WoSign ECC Root
Summary Paragraph, including the following:
- End entity certificate issuance policy (i.e. what you plan to do with the root): Issue SSL certificates, code signing certificates and client certificates to end users.
- Number and type of subordinate CAs: Currently, we have only issued one sub CA for test: WoSign Class 4 EV ECC SSL CA. We plan to issue 10 sub CAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
- Diagram and/or description of certificate hierarchy:
  1. SSL certificate: CA WoSign ECC Root --> WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA --> End entity certificate
  2. Code Signing Certificate: CA WoSign ECC Root --> WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA --> End entity certificate
  3. Client Certificate: CA WoSign ECC Root --> WoSign Class 3/2/1 ECC Client CA --> End entity certificate
Certificate download URL (on CA website): http://www.wosign.com/root/ws_ecc.crt
Version: V3
SHA1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
Public key length (for RSA, modulus length) in bits: ECDSA 384 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08
CRL HTTP URL: http://crls8.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp8.wosign.com
Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root (if applying for SSL): https://root5evtest.wosign.com
1_fingerprint FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1 2_readable_oid 1.3.6.1.4.1.36305.2 3_issuer MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy 4_serial ayXaioidfLwPBbOxemFFRA==
1_fingerprint D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B 2_readable_oid 1.3.6.1.4.1.36305.2 3_issuer MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkGA1UEAxMSQ0EgV29TaWduIEVDQyBSb290 4_serial aEpYcIBr8I8C+vbe6LCQkA==
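The two attachment lines above carry each root's EV identity in the form Firefox's EV root table uses: a SHA1 fingerprint, the EV policy OID, the DER-encoded issuer Name as base64, and the raw serial number as base64. The following added example (written for this page, not code from the bug or from Mozilla) decodes the base64 issuer and serial fields with a minimal DER Name parser, so a reviewer can confirm that the table entry names the same root that was submitted; the OID-to-short-name map covers only the attribute types present in these two names.

```python
import base64

# Constructed from this bug's two EV-enablement attachment lines: (base64 DER issuer Name, base64 raw serial).
EV_ENTRIES = {
    "Certification Authority of WoSign G2": (
        "MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy",
        "ayXaioidfLwPBbOxemFFRA=="),
    "CA WoSign ECC Root": (
        "MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkGA1UEAxMSQ0EgV29TaWduIEVDQyBSb290",
        "aEpYcIBr8I8C+vbe6LCQkA=="),
}

ATTR_NAMES = {"2.5.4.6": "C", "2.5.4.10": "O", "2.5.4.3": "CN"}  # only the types these names use


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at pos; long-form lengths handled."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """Decode DER OID content octets to dotted form, e.g. b'\\x55\\x04\\x03' -> '2.5.4.3'."""
    parts, val = [str(data[0] // 40), str(data[0] % 40)], 0
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last base-128 byte of this arc
            parts.append(str(val))
            val = 0
    return ".".join(parts)


def decode_name(der):
    """Decode a DER X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) to 'C=CN, O=..., CN=...'."""
    _, rdns, _ = read_tlv(der, 0)               # outer SEQUENCE
    out, pos = [], 0
    while pos < len(rdns):
        _, rdn_set, pos = read_tlv(rdns, pos)   # one RDN (SET), single-valued in these names
        _, atv, _ = read_tlv(rdn_set, 0)        # AttributeTypeAndValue SEQUENCE
        _, oid, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)  # PrintableString in these names
        oid_str = decode_oid(oid)
        out.append(f"{ATTR_NAMES.get(oid_str, oid_str)}={value.decode('ascii')}")
    return ", ".join(out)


def decode_entry(issuer_b64, serial_b64):
    """Return (issuer DN string, upper-case hex serial) for one EV table entry."""
    return decode_name(base64.b64decode(issuer_b64)), base64.b64decode(serial_b64).hex().upper()
```

Compare the decoded issuer against the root's subject and the decoded serial against the downloaded root certificate before treating the EV table entry as correct.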
Summary: Add WoSign two new root certificates → Add WoSign two new root certificates and EV enable
Attachment #8594620 - Attachment is obsolete: true
The 2014 WebTrust Seal links for WoSign are:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
WebTrust BR: https://cert.webtrust.org/ViewSeal?id=1860
Attached file 1156175-CAInformation.pdf (obsolete) —
I have entered the information for this request into SalesForce. Please review the attached document to make sure it is accurate and complete, and comment in this bug to either correct or confirm the information.
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
All correct except "DV SSL certs are valid up to 2 years", we changed to "DV SSL certs are valid up to 3 years" from April 04, 2015. Thanks.
Attachment #8600119 - Attachment is obsolete: true
Whiteboard: EV - Ready for Public Discussion
I am now opening the first public discussion period for this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots.
For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Public discussion will be in the mozilla.dev.security.policy forum. https://www.mozilla.org/en-US/about/forums/#dev-security-policy
The discussion thread is called "WoSign Root Renewal Request".
Please actively review, respond, and contribute to the discussion. A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
The public comment period for this request is now over. This request has been evaluated as per Mozilla's CA Certificate Inclusion Policy at https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/
Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

Inclusion Policy Section 4 [Technical].
I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Inclusion Policy Section 6 [Relevance and Policy].
WoSign CA Limited appears to provide a service relevant to Mozilla users; its SSL certificates are deployed in top 10 eCommerce websites in China; for bank, telecom, enterprise etc.
WoSign's previous root certificates were included via Bug #851435. This request is to include the G2 and ECC roots.

== Root Certificate 1 of 2 ==
Root Certificate Name: Certification Authority of WoSign G2
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/WS_CA1_G2.crt
Certificate Summary: This SHA-256 root cert will eventually replace the SHA-1 "Certification Authority of WoSign" root cert that was included via Bugzilla Bug #851435. It will have internally-operated intermediate certificates that issue certs to individuals and organizations.
Certificate Revocation
CRL URL(s): http://crls6.wosign.com/ca6.crl http://crls6.wosign.com/ca6-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp6.wosign.com/ca6 http://ocsp6.wosign.com/ca6/ssl4
Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
2. WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
3. WoSign Class 3/2/1 Client CA G2
Currently, one of the subCAs has been issued: WoSign Class 4 EV SSL CA G2
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==

== Root Certificate 2 of 2 ==
Root Certificate Name: CA WoSign ECC Root
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/ws_ecc.crt
Certificate Summary: This ECC root will have internally-operated intermediate certificates that issue SSL, Code Signing, and Client certificates to individuals and organizations.
Certificate Revocation
CRL URL(s): http://crls8.wosign.com/ca8.crl http://crls8.wosign.com/ca8-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp8.wosign.com/ca8 http://ocsp8.wosign.com/ca8/ssl4
Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA
2. WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
3. WoSign Class 3/2/1 ECC Client CA
Currently, one of the subCAs has been issued: WoSign Class 4 EV ECC SSL CA
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==

Documents are provided in Chinese, and the CPS has been translated into English.
Document Repository (Chinese): http://www.wosign.com/policy/cps.htm
CPS (English): http://www.wosign.com/policy/cps_e.htm

Inclusion Policy Section 7 [Validation].
WoSign appears to meet the minimum requirements for subscriber verification, as follows.
* SSL Verification Procedures: According to CPS section 3.2.2, WoSign confirms that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com, admin@domain.com, administrator@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient to receive an electronic mail message. Additionally, the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar.
* Email Verification Procedures: According to CPS section 3.2.2, email accounts are validated by sending an electronic mail message with a verification code to the requested email account. The subscriber has to return and submit the verification code as proof of ownership of the email account within a limited period sufficient to receive an electronic mail message.
* Code Signing Subscriber Verification Procedure: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4/EV. Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.

Inclusion Policy Sections 11-14 [Audit].
Annual audits are performed by Ernst & Young (EY), according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1843&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1860&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1842&file=pdf

Based on this assessment I intend to approve this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots.
Whiteboard: EV - In public discussion → EV - Pending Approval
As per the summary in Comment #13, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:
** "Certification Authority of WoSign G2" (websites, email, code signing), enable EV
** "CA WoSign ECC Root" (websites, email, code signing), enable EV
I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Depends on: 1193476
Depends on: 1193480
I have filed bug #1193476 against NSS and bug #1193480 against PSM for the actual changes.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - in NSS 3.21, and Firefox 44
Attached file WebTrustCA2016.pdf
WebTrust BR and EV are pending auditor signatures
Product: mozilla.org → NSS
Product: NSS → CA Program