As per Bug #1309707, new certificates issued after October 21, 2016 that chain up to certificates with the following Subject Distinguished Names will no longer be trusted in Mozilla products, beginning with Firefox 51.

1) CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
2) CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
3) CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
4) CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN

WoSign may apply for inclusion of new (replacement) root certificates following Mozilla's normal root inclusion/change process (minus waiting in the queue for the discussion), after they have completed all of the following action items, and no earlier than June 1, 2017.

1. Provide a list of changes that the CA plans to implement to ensure that there are no future violations of Mozilla's CA Certificate Policy and the CA/Browser Forum's Baseline Requirements.
2. Implement the changes, and update their CP/CPS to fully document their improved processes. The CP/CPS must explicitly state that it is prohibited to backdate the notBefore of certificates by more than one day.
3. Provide a public-facing attestation from a Licensed WebTrust Practitioner acceptable to Mozilla that the changes have been made. This audit may be part of an annual WebTrust CA audit.
4. Provide auditor attestation that a full performance audit has been performed confirming compliance with the CA/Browser Forum's Baseline Requirements. This audit may be part of an annual WebTrust BR audit.
5. Provide auditor attestation that a full security audit of the CA's issuing infrastructure has been successfully completed.
6. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log. The CA should not fulfill the non-Google log requirement by using logs that they run themselves. For as long as they do so, they will need to demonstrate ongoing evidence of efforts to get other logs to take their volume, and why those efforts have not been successful.

Notes:
- The new (replacement) root certificates may be cross-signed by the Affected Roots listed above. However, the Affected Roots may *not* be cross-signed by the new (replacement) root certificates, because that would bring the concerns about the Affected Roots into the scope of the new roots. Due to the way we are implementing the distrust, the new root certificates must have a Subject Distinguished Name that does not overlap with the Subject Distinguished Names listed above.
- Mozilla's root inclusion/change process includes checking that certificates in the CA hierarchy comply with the CA/Browser Forum's Baseline Requirements.
- The auditor must be an external company, and approved by Mozilla.
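The distrust rule and the embedded-CT condition from comment 0, modelled as an added example (not code from Mozilla, WoSign or this bug). Certificates are plain records rather than parsed X.509 so it runs with the standard library only; the intermediate and replacement-root names used with it are constructed, and treating a certificate whose notBefore falls on the cut-off day itself as still trusted is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# The four Subject DNs named in comment 0.
AFFECTED_ROOT_SUBJECTS = {
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
}
# "Issued after October 21, 2016": a notBefore on that day is still trusted
# (assumption); anything from 2016-10-22T00:00:00Z onward is affected.
CUTOFF = datetime(2016, 10, 22, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    subject: str          # Subject DN as an RFC 4514-style string
    issuer: str           # Issuer DN in the same form
    not_before: datetime  # tz-aware, UTC

def cert(subject: str, issuer: str, not_before: str) -> Cert:
    """Build a Cert from an ISO-8601 date such as "2017-01-01" (taken as UTC)."""
    when = datetime.fromisoformat(not_before).replace(tzinfo=timezone.utc)
    return Cert(subject, issuer, when)

def normalize_dn(dn: str) -> str:
    # Tolerate spacing differences between RDNs; values stay case-sensitive.
    return ",".join(rdn.strip() for rdn in dn.split(","))

_AFFECTED = {normalize_dn(s) for s in AFFECTED_ROOT_SUBJECTS}

def is_distrusted(chain: list[Cert]) -> tuple[bool, str]:
    """chain is leaf-first, root last. Returns (distrusted, reason)."""
    for child, parent in zip(chain, chain[1:]):
        if normalize_dn(child.issuer) != normalize_dn(parent.subject):
            raise ValueError("chain is not ordered leaf-first by issuer")
    # Any Affected Root subject anywhere in the chain triggers the rule, which
    # is why comment 0 forbids cross-signing an Affected Root from a new root.
    if not any(normalize_dn(c.subject) in _AFFECTED for c in chain):
        return False, "no Affected Root in chain"
    if chain[0].not_before < CUTOFF:
        return False, "issued on or before the cut-off date; still trusted"
    return True, "issued after the cut-off and chains to an Affected Root"

def sct_logs_acceptable(log_operators: list[str], ca_operator: str = "WoSign") -> bool:
    """Item 6 default rule: one Google log and one non-Google log not run by the CA."""
    has_google = "Google" in log_operators
    has_independent = any(op not in ("Google", ca_operator) for op in log_operators)
    return has_google and has_independent
```

A replacement root that is itself cross-signed by an Affected Root still yields a distrusted chain whenever the path is built through that cross-certificate, which is the case the first note in comment 0 describes.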
Based on the information from our E&Y external auditors and from the WebTrust team, WoSign CA Limited has lost its WebTrust seal, which had been applied to its roots: Certification Authority of WoSign, CA 沃通根证书, CA WoSign ECC Root and Certification Authority of WoSign G2. Certum revoked the subordinate CAs issued to Certification Authority of WoSign G2. The revoked CAs are posted to our public CRL at http://crl.certum.pl/ca.crl. The CRL contains two entries for this event. These revocations have been marked in Mozilla Salesforce.
Could you please update https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing?
The requirements in comment 0 have been communicated to WoSign, and so this bug is currently not actionable. If and when WoSign reapply for inclusion, we can make sure they have met all these conditions. Gerv
Created attachment 8882973
WoSign system code security audit report summary 20170627.pdf

WoSign's new system and new infrastructure have passed the Cure53 security audit; Cure53 is the Mozilla-approved security auditor. The full version of the report, including all finding details, has been sent to Mozilla (Gerv and Kathleen). This attached file is the summary report for the public, thanks.
And the full version of the report has been sent to Google (Ryan Sleevi), the Microsoft CA program team and the Apple CA program team.