Bug 1156175: Add WoSign two new root certificates and EV enable
Status: RESOLVED FIXED (Closed; opened 10 years ago, closed 9 years ago)
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
People: Reporter: richard, Assigned: kathleen.a.wilson
Whiteboard: EV - in NSS 3.21, and Firefox 44
Attachments: 8 files, 2 obsolete files
CA Details
----------
CA Name: WoSign CA Limited
Website: www.wosign.com
One Paragraph Summary of CA, including the following:
- General nature (e.g., commercial, government, academic/research, nonprofit)
A public commercial CA in China
- Primary geographical area(s) served
China and Worldwide
Audit Type (WebTrust, ETSI etc.): WebTrust
Auditor: Ernst & Young
Auditor Website: www.ey.com
Audit Document URL(s):
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
Certificate Details
-------------------
(To be completed once for each certificate; note that we only include root
certificates in the store, not intermediates.)
Certificate Name: Certification Authority of WoSign G2
Summary Paragraph, including the following:
- End entity certificate issuance policy
(i.e. what you plan to do with the root)
Issue SSL certificates, code signing certificates and Client certificates to end users.
- Number and type of subordinate CAs
Currently, we have only issued one sub CA for test: WoSign Class 4 EV SSL CA G2
We plan to issue 10 sub CAs for 3 types of Certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
- Diagram and/or description of certificate hierarchy
1. SSL certificate:
Certification Authority of WoSign G2
--> WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
--> End entity certificate
2. Code Signing Certificate
Certification Authority of WoSign G2
--> WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
--> End entity certificate
3. Client Certificate
Certification Authority of WoSign G2
--> WoSign Class 3/2/1 Client CA G2
--> End entity certificate
Certificate download URL (on CA website): http://www.wosign.com/root/WS_CA1_G2.crt
Version: V3
SHA1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
Public key length (for RSA, modulus length) in bits: 2048 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08
CRL HTTP URL: http://crls6.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp6.wosign.com
Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root
(if applying for SSL): https://root4evtest.wosign.com
Certificate Name: CA WoSign ECC Root
Summary Paragraph, including the following:
- End entity certificate issuance policy
(i.e. what you plan to do with the root)
Issue SSL certificates, code signing certificates and Client certificates to end users.
- Number and type of subordinate CAs
Currently, we have only issued one sub CA for test: WoSign Class 4 EV ECC SSL CA
We plan to issue 10 sub CAs for 3 types of Certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
- Diagram and/or description of certificate hierarchy
1. SSL certificate:
CA WoSign ECC Root
--> WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA
--> End entity certificate
2. Code Signing Certificate
CA WoSign ECC Root
--> WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
--> End entity certificate
3. Client Certificate
CA WoSign ECC Root
--> WoSign Class 3/2/1 ECC Client CA
--> End entity certificate
Certificate download URL (on CA website): http://www.wosign.com/root/ws_ecc.crt
Version: V3
SHA1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
Public key length (for RSA, modulus length) in bits: ECDSA 384 bits
Valid From (YYYY-MM-DD): 2014-11-08
Valid To (YYYY-MM-DD): 2044-11-08
CRL HTTP URL: http://crls8.wosign.com
CRL issuing frequency for subordinate end-entity certificates: 5 days
CRL issuing frequency for subordinate CA certificates: 1 year
OCSP URL: http://ocsp8.wosign.com
Class (domain-validated, identity/organizationally-validated or EV): DV/IV/OV/EV
Certificate Policy URL: http://www.wosign.com/policy
CPS URL: http://www.wosign.com/policy/wosign-policy-1-2-12.pdf
Requested Trust Indicators (email and/or SSL and/or code signing): email/SSL/code
URL of example website using certificate subordinate to this root
(if applying for SSL): https://root5evtest.wosign.com
Comment 1 (Reporter, 10 years ago)
1_fingerprint FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
2_readable_oid 1.3.6.1.4.1.36305.2
3_issuer MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy
4_serial ayXaioidfLwPBbOxemFFRA==
Comment 2 (Reporter, 10 years ago)
1_fingerprint D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
2_readable_oid 1.3.6.1.4.1.36305.2
3_issuer MEYxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRlZDEbMBkGA1UEAxMSQ0EgV29TaWduIEVDQyBSb290
4_serial aEpYcIBr8I8C+vbe6LCQkA==
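The issuer and serial fields posted in comments 1 and 2 are base64-encoded DER: the issuer is the root's DER Name, the serial its serial-number bytes. As an added example (not part of this bug or of Mozilla's code), the following standard-library Python decodes both so a reviewer can confirm that an EV entry actually names the requested root; the short-name table covers only the attribute types that occur in these two Names, and the OID decoder also handles the EV policy OID quoted on this page.

```python
"""Decode the issuer and serial fields of an EV root entry (comments 1 and 2).
Added example, not from the bug or from Mozilla's code: the issuer field is a
base64-encoded DER Name, the serial field the base64-encoded serial bytes."""
import base64
# Attribute types that occur in the two issuer Names on this page.
ATTR_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low bits count length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(der):
    """Decode OBJECT IDENTIFIER content bytes to dotted notation."""
    arcs, value = [der[0] // 40, der[0] % 40], 0
    for b in der[1:]:
        value = (value << 7) | (b & 0x7F)    # base-128, high bit = more bytes follow
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def decode_issuer(b64):
    """Base64 DER Name -> 'C=.., O=.., CN=..' in the order the RDNs appear."""
    tag, seq, _ = _tlv(base64.b64decode(b64), 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)         # RelativeDistinguishedName (SET)
        _, atv, _ = _tlv(rdn, 0)             # AttributeTypeAndValue (SEQUENCE)
        _, oid, vpos = _tlv(atv, 0)
        _, val, _ = _tlv(atv, vpos)
        key = decode_oid(oid)
        parts.append(f"{ATTR_NAMES.get(key, key)}={val.decode('utf-8')}")
    return ", ".join(parts)

def decode_serial(b64):
    """Base64 serial bytes -> colon-separated uppercase hex."""
    return ":".join(f"{b:02X}" for b in base64.b64decode(b64))

if __name__ == "__main__":                   # values copied from comment 1
    print(decode_issuer("MFgxCzAJBgNVBAYTAkNOMRowGAYDVQQKExFXb1NpZ24gQ0EgTGltaXRl"
                        "ZDEtMCsGA1UEAxMkQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgb2YgV29TaWduIEcy"))
    print(decode_serial("ayXaioidfLwPBbOxemFFRA=="))
```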
Updated by Reporter, 10 years ago
Summary: Add WoSign two new root certificates → Add WoSign two new root certificates and EV enable
Comment 3 (Reporter, 10 years ago)
Attachment #8594620: Attachment is obsolete: true
Comment 4 (Reporter, 10 years ago)
Comment 5 (Reporter, 10 years ago)
Comment 6 (Reporter, 10 years ago)
Comment 7 (Reporter, 10 years ago)
The 2014 WebTrust Seal links for WoSign are:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
WebTrust BR: https://cert.webtrust.org/ViewSeal?id=1860
Comment 8 (Assignee, 10 years ago)
I have entered the information for this request into SalesForce.
Please review the attached document to make sure it is accurate and complete, and comment in this bug to either correct or confirm the information.
Updated by Assignee, 10 years ago
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 9 (Reporter, 10 years ago)
All correct except "DV SSL certs are valid up to 2 years"; we changed this to "DV SSL certs are valid up to 3 years" from April 04, 2015.
Thanks.
Comment 10 (Assignee, 10 years ago)
Attachment #8600119: Attachment is obsolete: true
Comment 11 (Assignee, 10 years ago)
I will try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Ready for Public Discussion
Comment 12 (Assignee, 10 years ago)
I am now opening the first public discussion period for this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots.
For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion
Public discussion will be in the mozilla.dev.security.policy forum.
https://www.mozilla.org/en-US/about/forums/#dev-security-policy
The discussion thread is called “WoSign Root Renewal Request”.
Please actively review, respond, and contribute to the discussion.
A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Ready for Public Discussion → EV - In public discussion
Comment 13 (Assignee, 9 years ago)
The public comment period for this request is now over.
This request has been evaluated as per Mozilla’s CA Certificate Inclusion Policy at
https://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/
Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.
Inclusion Policy Section 4 [Technical].
I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.
Inclusion Policy Section 6 [Relevance and Policy].
WoSign CA Limited appears to provide a service relevant to Mozilla users; its SSL certificates are deployed in top 10 eCommerce websites in China, and for banks, telecoms, enterprises etc. WoSign's previous root certificates were included via Bug #851435. This request is to include the G2 and ECC roots.
== Root Certificate 1 of 2 ==
Root Certificate Name: Certification Authority of WoSign G2
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/WS_CA1_G2.crt
Certificate Summary: This SHA-256 root cert will eventually replace the SHA-1 "Certification Authority of WoSign" root cert that was included via Bugzilla Bug #851435. It will have internally-operated intermediate certificates that issue certs to individuals and organizations.
Certificate Revocation
CRL URL(s): http://crls6.wosign.com/ca6.crl
http://crls6.wosign.com/ca6-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp6.wosign.com/ca6
http://ocsp6.wosign.com/ca6/ssl4
Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
2. WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
3. WoSign Class 3/2/1 Client CA G2
Currently, one of the subCAs has been issued: WoSign Class 4 EV SSL CA G2
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==
== Root Certificate 2 of 2 ==
Root Certificate Name: CA WoSign ECC Root
O From Issuer Field: WoSign CA Limited
Trust Bits: Code; Email; Websites
EV Policy OID(s): 1.3.6.1.4.1.36305.2
Root Certificate Download URL: http://www.wosign.com/root/ws_ecc.crt
Certificate Summary: This ECC root will have internally-operated intermediate certificates that issue SSL, Code Signing, and Client certificates to individuals and organizations.
Certificate Revocation
CRL URL(s): http://crls8.wosign.com/ca8.crl
http://crls8.wosign.com/ca8-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
OCSP URL(s): http://ocsp8.wosign.com/ca8
http://ocsp8.wosign.com/ca8/ssl4
Inclusion Policy Section 18 [Certificate Hierarchy]
CA Hierarchy: The plan is to have 10 internally-operated subCAs for 3 types of certificates: SSL Certificate, Code Signing Certificate and Client Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA
2. WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
3. WoSign Class 3/2/1 ECC Client CA
Currently, one of the subCAs has been issued: WoSign Class 4 EV ECC SSL CA
Externally Operated SubCAs: None, and none planned.
Cross Signing: None, and none planned.
==
Documents are provided in Chinese, and the CPS has been translated into English.
Document Repository (Chinese): http://www.wosign.com/policy/cps.htm
CPS (English): http://www.wosign.com/policy/cps_e.htm
Inclusion Policy Section 7 [Validation].
WoSign appears to meet the minimum requirements for subscriber verification, as follows.
* SSL Verification Procedures: According to CPS section 3.2.2 WoSign confirms that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com, admin@domain.com, administrator@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient enough to receive an electronic mail message. Additionally the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar.
* Email Verification Procedures: According to CPS section 3.2.2, email accounts are validated by sending an electronic mail message with a verification code to the requested email account. The Subscriber has to return and submit the verification code as proof of ownership of the email account within a limited period sufficient to receive an electronic mail message.
* Code Signing Subscriber Verification Procedure: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4/EV. Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.
Inclusion Policy Sections 11-14 [Audit]. Annual audits are performed by Ernst & Young (EY), according to the WebTrust criteria.
Standard Audit: https://cert.webtrust.org/SealFile?seal=1843&file=pdf
BR Audit: https://cert.webtrust.org/SealFile?seal=1860&file=pdf
EV Audit: https://cert.webtrust.org/SealFile?seal=1842&file=pdf
Based on this assessment I intend to approve this request from WoSign to include the "Certification Authority of WoSign G2" and "CA WoSign ECC Root" root certificates, turn on all three trust bits for both roots, and enable EV treatment for both roots.
Whiteboard: EV - In public discussion → EV - Pending Approval
Comment 14 (Assignee, 9 years ago)
As per the summary in Comment #13, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:
** "Certification Authority of WoSign G2" (websites, email, code signing), enable EV
** "CA WoSign ECC Root" (websites, email, code signing), enable EV
I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending Approval → EV - Approved - awaiting NSS and PSM changes
Comment 15 (Assignee, 9 years ago)
I have filed bug #1193476 against NSS and bug #1193480 against PSM for the actual changes.
Updated by Assignee, 9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - in NSS 3.21, and Firefox 44
Comment 16 (Assignee, 9 years ago)
WebTrust BR and EV are pending auditor signatures
Updated, 8 years ago
Product: mozilla.org → NSS
Updated, 2 years ago
Product: NSS → CA Program