CA Certificate Mis-Issuance
9 months ago
23 days ago


(Reporter: Kathleen Wilson, Assigned: Kathleen Wilson)


Firefox Tracking Flags

(Not tracked)


(Whiteboard: [ca-incident-response])


(1 attachment)



9 months ago
As per Bug #1309707, new certificates issued after October 21, 2016 that chain up to certificates with the following Subject Distinguished Names will no longer be trusted in Mozilla products, beginning with Firefox 51.

1) CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN 
2) CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN 
3) CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN 
4) CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN 

WoSign may apply for inclusion of new (replacement) root certificates[1] following Mozilla's normal root inclusion/change process[2] (minus waiting in the queue for the discussion), after they have completed all of the following action items, and no earlier than June 1, 2017. 

1. Provide a list of changes that the CA plans to implement to ensure that there are no future violations of Mozilla's CA Certificate Policy and the CA/Browser Forum's Baseline Requirements.

2. Implement the changes, and update their CP/CPS to fully document their improved processes. The CP/CPS must explicitly state that it is prohibited to backdate the notBefore of certificates by more than one day.

3. Provide a public-facing attestation from a Licensed WebTrust Practitioner acceptable to Mozilla[3] that the changes have been made. This audit may be part of an annual WebTrust CA audit.

4. Provide auditor[3] attestation that a full performance audit has been performed confirming compliance with the CA/Browser Forum's Baseline Requirements. This audit may be part of an annual WebTrust BR audit. 

5. Provide auditor[3] attestation that a full security audit of the CA’s issuing infrastructure has been successfully completed.

6. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log. The CA should not fulfill the non-Google log requirement by using logs that they run themselves. For as long as they do so, they will need to demonstrate ongoing evidence of efforts to get other logs to take their volume, and why those efforts have not been successful.

[1] The new (replacement) root certificates may be cross-signed by the Affected Roots listed above. However, the Affected Roots may *not* be cross-signed by the new (replacement) root certificates, because that would bring the concerns about the Affected Roots into the scope of the new roots. Due to the way we are implementing the distrust, the new root certificates must have a Subject Distinguished Name that does not overlap with the Subject Distinguished Names listed above.
[2] Mozilla's root inclusion/change process includes checking that certificates in the CA hierarchy comply with the CA/Browser Forum's Baseline Requirements.
[3] The auditor must be an external company, and approved by Mozilla.


8 months ago
Whiteboard: Incident Action Items

Comment 1

8 months ago
Based on the information from our E&Y External Auditors and from
the WebTrust team that WoSign CA Limited has lost its WebTrust seal which has been applied to its roots: Certification Authority of WoSign CA 沃通根证书, CA WoSign ECC Root and Certification Authority of WoSign G2.

Certum revoked subordinate CAs issued to Certification Authority of WoSign G2. The revoked CAs are posted to our public CRL at
The CRL contains two entries for this event.

These revocations have been marked at Mozilla Salesforce.

Comment 2

8 months ago
Could you please update


4 months ago
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: Incident Action Items → [ca-incident-response]
The requirements in comment 0 have been communicated to WoSign, and so this bug is currently not actionable. If and when WoSign reapply for inclusion, we can make sure they have met all these conditions.

Last Resolved: 4 months ago
Resolution: --- → INCOMPLETE
Summary: WoSign Action Items → WoSign: Action Items


3 months ago
Product: → NSS

Comment 4

23 days ago
Created attachment 8882973 [details]
WoSign system code security audit report summary 20170627.pdf

WoSign New system and new infrastructure have passed the Cure 53 security audit, Cure53 is the Mozilla approved security auditor. The full version report including all finding details have sent to Mozilla Gerv and Kathleen. This attached file is the summary report for public, thanks.

Comment 5

23 days ago
and the full version report have sent to Google Ryan Sleevi, Microsoft CA program team, Apple CA program team.
You need to log in before you can comment on or make changes to this bug.