WoSign two root certificate inclusion application

RESOLVED FIXED

Status

task
RESOLVED FIXED
6 years ago
2 years ago

People

(Reporter: richard, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: EV - Included in FF 32, EV enabled in F34)

Attachments

(18 attachments, 20 obsolete attachments)

Reporter

Description

6 years ago
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MDDS; .NET4.0C)

Steps to reproduce:

WoSign is a privately-owned CA in China that issues certificates to the general public. We started our CA business in 2006 as a SubCA of Comodo. WoSign set up its own root CA in 2009 and started to issue certificates in 2011 under this root CA, which is cross-signed with a StartCom CA.


Actual results:

We have issued thousands of certificates to customers in China. WoSign SSL certificates are deployed in the top 10 eCommerce websites in China, and by banks, telecoms, enterprises etc., and most software developers in China choose WoSign certificates since they support Chinese.
We passed the 2012 WebTrust audit by Ernst & Young.


Expected results:

WoSign's two root CAs should be included in Mozilla; this will benefit all Mozilla users in China and worldwide.
Assignee

Comment 4

6 years ago
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Reporter

Comment 5

6 years ago
Please use this updated one, in which we corrected some errors, thanks.
Attachment #725290 - Attachment is obsolete: true
Reporter

Updated

6 years ago
Attachment #725297 - Attachment is obsolete: true
Assignee

Comment 6

6 years ago
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Assignee

Updated

6 years ago
Whiteboard: EV - Information incomplete
Reporter

Comment 7

6 years ago
Posted file WS_ca1.crt (obsolete) —
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate's issuer name and its serial number, thanks.
Reporter

Comment 8

6 years ago
Posted file ws_ca2.crt (obsolete) —
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate's issuer name and its serial number, thanks.
Reporter

Comment 9

6 years ago
Posted file WS_CA3.cer (obsolete) —
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate's issuer name and its serial number, thanks.
This is a transferred root CA.
Reporter

Comment 10

6 years ago
I got the DER encoding strings for my 3 root CAs with help from Kai Engert and Eddy Nigg, thanks.
Reporter

Comment 11

6 years ago
Posted file 851435_update.pdf (obsolete) —
We updated and completed the items highlighted in yellow (after or below them), or explained why they are not available now; please check and update if it is OK.
Attachment #782587 - Attachment is obsolete: true
Reporter

Comment 12

6 years ago
Posted image ev_test_greenbar.png (obsolete) —
We completed the EV testing for WoSign CA1, "Certification Authority of WoSign"; it can display the green bar. The attached file is the screenshot of the test result.
Assignee

Comment 13

6 years ago
Do you want to proceed with the inclusion process for the "Certification Authority of WoSign" root cert now, and do a separate request later for the "CA WoSign" root inclusion?
Reporter

Comment 14

6 years ago
We would like to include both roots now, but the second root CA's test website can only be done at the end of this month, not now, since we still don't use root CA2 to issue end-user certificates; we need some time to set it up.
If you think you can't process root CA2 without a test site, then go on with root CA1, "Certification Authority of WoSign", first, thanks.
Reporter

Comment 15

6 years ago
(In reply to Richard Wang from comment #14)
We would like to include both roots now, but the second root CA's test website can be done at the end of this month, not now, since we still don't use root CA2 to issue end-user certificates; we need some time to set it up.
If you think you can't process root CA2 without a test site, then go on with root CA1, "Certification Authority of WoSign", first, thanks.
Assignee

Comment 16

6 years ago
(In reply to Richard Wang from comment #15)
Let's wait for the second root. A few weeks will not make any difference, because NSS changes are done as batches every 3 months or so, and the current batch is already in progress.

Please update this bug with the remaining information for the second root when ready.
Reporter

Comment 17

6 years ago
Attachment #729388 - Attachment is obsolete: true
Attachment #782581 - Attachment is obsolete: true
Attachment #782582 - Attachment is obsolete: true
Attachment #785723 - Attachment is obsolete: true
Attachment #785724 - Attachment is obsolete: true
Reporter

Comment 18

6 years ago
Reporter

Comment 19

6 years ago
Attachment #806638 - Attachment is obsolete: true
Reporter

Comment 20

6 years ago
Posted file WS_CA1_new.cer (obsolete) —
Reporter

Comment 21

6 years ago
Posted file WS_CA2_new.cer (obsolete) —
Reporter

Comment 22

6 years ago
Posted image EV_CA1_Minefield_GreenBar.png (obsolete) —
Reporter

Comment 23

6 years ago
Posted image EV_CA2_Minefield_GreenBar.png (obsolete) —
Reporter

Updated

6 years ago
Whiteboard: EV - Information incomplete → EV - Information complete
Reporter

Comment 25

6 years ago
This update includes:
(1) Company name changed from "WoSign eCommerce Services Limited" to "WoSign CA Limited";
(2) Finished setting up the EV test website for root CA2;
(3) Finished the EV green bar test.
Please check if it is OK, thanks for your help.
Assignee

Comment 26

6 years ago
As per the attached document, there are two remaining things:

1) Please clarify the (current and planned) CA hierarchy for the "CA WoSign" root.

2) I think the audits were for one root. Will need audits that cover both roots. Also, it appears that perhaps the roots were re-generated, so maybe need to clarify in regards to EV readiness. Anyways, we can move forward with the approval process once the CA hierarchy information for the "CA WoSign" root is provided. If this request is approved, then actual inclusion will be dependent on audit statements covering both new root certs.
Reporter

Comment 27

6 years ago
Posted file 851435-Updated CA Information.pdf (obsolete) —
Reporter

Comment 28

6 years ago
Reporter

Comment 29

6 years ago
Thank you, Kathleen.
I updated the CA hierarchy for the "CA WoSign" root, and I attached the EY auditor-audited "CA WoSign" key generation ceremony report in "851435-Updated CA Information.pdf".
But one thing I need to clarify is that the roots were NOT "re-generated"; we re-signed the root certificate to change the company name in the subject, and no new root CA or sub CA keys were generated.
If you think the second CA, "CA WoSign", which doesn't have an EV readiness report, can't be included as an EV root, then move forward with root CA1, "Certification Authority of WoSign", as an EV root and include CA2 as a normal root.
Please advise if this solution is OK, thanks a lot.
Assignee

Comment 31

6 years ago
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information complete → EV - Information confirmed complete
Reporter

Updated

6 years ago
Attachment #808150 - Attachment is obsolete: true
Assignee

Comment 32

6 years ago
I am now opening the first public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA WoSign” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion.

A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Reporter

Comment 33

6 years ago
Posted file WS_ca1.cer
New re-signed CA1
Attachment #806641 - Attachment is obsolete: true
Attachment #806643 - Attachment is obsolete: true
Reporter

Comment 34

6 years ago
Posted file WS_ca2.cer (obsolete) —
New re-signed CA2
Reporter

Comment 35

6 years ago
Re-signing ceremony witnessed by Ernst & Young auditor
Assignee

Comment 36

6 years ago
(In reply to Kathleen Wilson from comment #32)
> I am now opening the first public discussion period for this request from
> WoSign to include the “Certification Authority of WoSign” and “CA WoSign”
> root certificates, turn on all three trust bits for both root certs, and
> enable EV treatment for both root certs.
> 

I have closed the first public discussion.
https://groups.google.com/d/msg/mozilla.dev.security.policy/DYrrxCsD6CA/9y8a5NnshRgJ

Richard, please resolve the issues that were raised in the discussion, and have a new full audit performed over the new root certificates. Note that the new audit must include the CA/Browser Forum's Baseline Requirements. Mozilla's audit requirements are listed in items #11 through #14 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html.

Upon completion of the audit, please update this bug with the new root cert information, test websites, and links to documentation and audit. Then I will update the CA Information document and start the second round of discussion.
Whiteboard: EV - In public discussion → EV - Information incomplete
Reporter

Comment 37

6 years ago
Thanks.
My auditor said the WebTrust Report for 2012 only covered two roots, "Certification Authority of WoSign" and "CA 沃通根证书", and did not cover the root "CA WoSign". So we will apply for inclusion of the two covered roots, "Certification Authority of WoSign" and "CA 沃通根证书". We will set up the new test sites and update the CA information soon, thanks.
Assignee

Updated

6 years ago
Attachment #831456 - Attachment is obsolete: true
Reporter

Comment 38

6 years ago
Posted file WS_ca2.cer
root CA2 -- "CA 沃通根证书"
Attachment #806644 - Attachment is obsolete: true
Attachment #806645 - Attachment is obsolete: true
Attachment #831454 - Attachment is obsolete: true
Reporter

Comment 39

6 years ago
CA1 EV Minefield Green Bar Screenshot
Reporter

Comment 40

6 years ago
CA2 EV Minefield Green Bar Screenshot
Reporter

Comment 41

6 years ago
The 2012 WebTrust Report covered two roots, "Certification Authority of WoSign" and "CA 沃通根证书", so we decided to apply for inclusion of these two roots. The two EV test sites are up now: https://root1evtest.wosign.com and https://root1evtest.wosign.com, and we will update the CA information document soon.
Reporter

Comment 42

6 years ago
Sorry, the two new test sites are: https://root1evtest.wosign.com and https://root2evtest.wosign.com; you should download the two root CAs and install them to test.
Assignee

Comment 43

6 years ago
(In reply to Richard Wang from comment #41)
> 2012 WebTrust Report covered two roots "Certification Authority of WoSign"
> and "CA 沃通根证书", so we decided to apply this two root for inclusion. 

If these two root certs are included, then the annual audits will have to continue covering them until they are removed. If you are planning to move to a new CA hierarchy, then you can have the 2013 audit cover the new roots and request inclusion of them instead.

When do you expect to have the next (2013) audit done?

Will it include the Baseline Requirements criteria?

Have the issues that were raised during the public discussion all been resolved?
Reporter

Comment 44

6 years ago
Many thanks for your advice, Kathleen.
Yes, we would like to include the two root CAs covered by the 2012 WebTrust audit and continue to cover them in the 2013 audit.
Yes, we solved all issues from the public discussion; I will update the CA information document today.
Please move forward to the second round of discussion, thanks a lot.
Reporter

Comment 45

6 years ago
Posted file mozilla_812771_update_20131120.pdf (obsolete) —
This is the final updated CA information for the two root CAs covered by the WebTrust audit: "Certification Authority of WoSign" and "CA 沃通根证书"
Attachment #806639 - Attachment is obsolete: true
Attachment #808151 - Attachment is obsolete: true
Reporter

Comment 46

6 years ago
Yes, it will include the Baseline Requirements criteria, with which we are compliant now.
Reporter

Comment 47

6 years ago
Posted file mozilla_812771_update_20131230.pdf (obsolete) —
Corrected a small mistake: changed the CA2 CRL/OCSP/AIA URLs to the wosign.cn domain, not the wosign.com domain.
Attachment #8335195 - Attachment is obsolete: true
Assignee

Comment 48

6 years ago
Regarding starting the second discussion... I will wait until after the new audit statements are available (including the audit statement about compliance with the Baseline Requirements). Please update this bug when the links to those audit statements are available.


What is the status of inclusion in the other browsers?


(In reply to Richard Wang from comment #47)
> Created attachment 8352728 [details]
> mozilla_812771_update_20131230.pdf

I'm planning to use your document, because I don't have the correct character set on my system. 
However, I think the following statement needs to be removed from the "Audits" section:
"Note: the roots were resigned to change the company name in the subject."
Reporter

Comment 49

6 years ago
Removed the sentence "Note: the roots were resigned to change the company name in the subject."
Our 2013 audit report will be ready before March 30th; we will update with the new report, which includes the BR audit. The new report will use our new company name, the same as the name in the root subject.
Attachment #8352728 - Attachment is obsolete: true
Reporter

Comment 50

6 years ago
Posted image 851435_Page1
In case you or anyone else can't read Chinese well, I attached screenshots of page 1 and page 3, which display the root name and subCA names in Chinese.
The second root name means "CA WoSign Root Certificate" in English.
Reporter

Comment 51

6 years ago
Posted image 851435_Page 3
Assignee

Updated

5 years ago
Whiteboard: EV - Information incomplete → EV - Pending updated audit statements, then second round of discussion
Reporter

Comment 52

5 years ago
We got the WebTrust Seal, EV Seal and BR auditor report (attached) on Mar. 29:
WebTrust seal:  https://cert.webtrust.org/ViewSeal?id=1654
WebTrust EV Seal:  https://cert.webtrust.org/ViewSeal?id=1653
So please move on, thanks.
Assignee

Comment 53

5 years ago
I am now opening the second public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Second Discussion of WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion.

A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Pending updated audit statements, then second round of discussion → EV - In second round of discussion
Assignee

Comment 54

5 years ago
Please update this bug with your responses to the recent CA Communication,
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Assignee

Comment 55

5 years ago
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs. 

Section 4 [Technical]. I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. WoSign appears to provide a service relevant to Mozilla users: It is a privately-owned CA in China which issues certificates to the general public. WoSign started their CA business in 2006 as a SubCA of Comodo. WoSign set up its own root CA in 2009 and started to issue certificates in 2011 under this root CA that cross-signed with a Startcom CA. WoSign has issued thousands of certificates to customers in China. WoSign SSL certificates are deployed in top 10 eCommerce websites in China; for bank, telecom, enterprise etc., and most software developers in China choose WoSign certificates since they support Chinese.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main document of interest is the CPS, which is provided in English.

Document Repository: http://www.wosign.com/policy/cps_e.htm
CPS: http://www.wosign.com/policy/wosign-policy-1-2-4.pdf
 
Section 7 [Validation]. WoSign appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: As per section 3.2.2 of the CPS, for Class 1 (DV) SSL certificates WoSign validates that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient enough to receive an electronic mail message. Additionally the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar. If the WHOIS data contain additional email addresses, they may be offered as additional choices to the above mentioned electronic mail accounts.
WoSign also provides Class 2, Class 3 (OV) and Class 4 (EV) SSL certificates as described in section 3.2.2 of the CPS, which states that domain control validation is still performed as in Class 1, but there are additional checks to validate the subscriber and organization.
WoSign also provides trial SSL certificates that are domain validated (Class 1).

* Email: According to section 3.2.2 of the CPS, WoSign verifies the email address to be included in a certificate by sending an electronic mail message with a verification code to the requested email account. The subscriber has to return and submit the verification code as proof of ownership of the email account within a limited period sufficient enough to receive an electronic mail message.

* Code: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4.  Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.

Section 18 [Certificate Hierarchy]. 
* Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

* Root Cert URL 
Certification Authority of WoSign: http://www.wosign.com/Root/WS_CA1_NEW.crt 
CA 沃通根证书: http://www.wosign.com/Root/ws_ca2_new.crt

* EV Policy OID: 1.3.6.1.4.1.36305.2

* Test Websites:
Certification Authority of WoSign: https://root1evtest.wosign.com
CA 沃通根证书: https://root2evtest.wosign.com

* OCSP
Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
CA 沃通根证书:
http://ocsp2.wosign.com/ca2
http://ocsp2.wosign.com/class4/server/ca2
http://ocsp2.wosign.com/class3/server/ca2
http://ocsp2.wosign.com/class1/server/ca2
http://ocsp2.wosign.com/class1/client/ca2
http://ocsp2.wosign.com/class2/client/ca2
http://ocsp2.wosign.com/class3/client/ca2
http://ocsp2.wosign.com/class3/code/ca2
CPS section 4.9.9, OCSP: The current CRLs are reloaded at least every 60 minutes.

Sections 11-14 [Audit].  
* Annual audits are performed by Ernst & Young according to the WebTrust criteria.
Audit Report: https://cert.webtrust.org/SealFile?seal=1654&file=pdf
BR Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8399189
EV Audit Report: https://cert.webtrust.org/SealFile?seal=1653&file=pdf

Based on this assessment I intend to approve this request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

Note: Need WoSign to respond to the recent CA Communication before approval.
Whiteboard: EV - In second round of discussion → EV - Pending approval
Reporter

Comment 56

5 years ago
(In reply to Kathleen Wilson from comment #54)
1. A -- Pending list has current audits and correct date

2. A -- Pending list has current BR audit

3. A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.

4. B -- We have previously issued certificates with the following problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page:  
(1) Default values in a SEQUENCE must not be explicitly encoded.
We will not issue new certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page from the date: May 30, 2014.

(2) OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE.
We will update our OCSP system and solve this problem before May 30, 2014.

5. A -- Please visit: http://www.wosign.com/english/root.htm which lists all publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program.
Reporter

Comment 57

5 years ago
(In reply to Kathleen Wilson from comment #55)
> Section 18 [Certificate Hierarchy].
> * Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

We launched two sub CAs for CA1 from Jan. 1st, 2014, so now the hierarchy is:
* Each root has 9 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, IV Server CA, DV Server CA, Class 3 Code Signing CA, Class 2 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

> * OCSP
Here's the current list.

(1) Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class1/client/ca1 
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
http://ocsp1.wosign.com/class2/server/ca1
http://ocsp1.wosign.com/class2/code/ca1

(2) CA 沃通根证书:
http://ocsp2.wosign.cn/ca2
http://ocsp2.wosign.cn/class4/server/ca2
http://ocsp2.wosign.cn/class3/server/ca2
http://ocsp2.wosign.cn/class1/server/ca2
http://ocsp2.wosign.cn/class1/client/ca2
http://ocsp2.wosign.cn/class2/client/ca2
http://ocsp2.wosign.cn/class3/client/ca2
http://ocsp2.wosign.cn/class3/code/ca2
http://ocsp1.wosign.cn/class2/server/ca1
http://ocsp1.wosign.cn/class2/code/ca1
Assignee

Comment 58

5 years ago
As per the summary in Comment #55, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:

** “Certification Authority of WoSign” (websites, email, code signing), enable EV
** “CA 沃通根证书” (websites, email, code signing), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending approval → EV - Approved - awaiting NSS and PSM changes
Assignee

Updated

5 years ago
Depends on: 1017295
Assignee

Updated

5 years ago
Depends on: 1017299
Assignee

Comment 59

5 years ago
I have filed bug #1017295 against NSS and bug #1017299 against PSM for the actual changes.
Reporter

Comment 60

5 years ago
We updated our PKI/CA system and OCSP system and solved the two related problems. Please check the two test websites to see if all is solved, thanks a lot.
Reporter

Comment 61

5 years ago
Mozilla released a new NSS on July 3 that included WoSign's two roots. But I installed the new Firefox 31 released on July 22, and I can't find my two roots built in. What's the problem? Is it a bug? I tested the English version and the Chinese version. Please help, thanks.

Comment 62

5 years ago
Re comment #61:  

It appears that NSS 3.16.3 -- where the WoSign roots were added -- will not be included in Firefox until Firefox 32.0 or possibly later.  See <https://wiki.mozilla.org/NSS:Release_Versions>.
Assignee

Updated

5 years ago
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - Approved - Included in FF 32, awaiting PSM changes
Assignee

Updated

5 years ago
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - Included in FF 32, awaiting PSM changes → EV - Included in FF 32, EV enabled in F34

Comment 63

4 years ago
WoSign has issued a certificate not complying to the Baseline Requirements v1.2.1, in particular, a SHA-1 validity period greater than January 1, 2017, issued after January 16, 2015.

This would appear to be inconsistent with https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ / https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates

The certificate is available at https://code.google.com/p/chromium/issues/detail?id=381562#c10
Reporter

Comment 64

4 years ago
We know this is NOT compliant with the BRs, but we should consider that there are more than 3 million Internet users in China who don't support SHA2. So we issue SHA1 certificates first, and we will replace the SHA1 certificates with SHA2 in Dec 2016 to meet the requirement.
Thanks for your comment.
Reporter

Comment 65

4 years ago
I declared this problem at the September 2014 CABF F2F meeting in Beijing: we should consider those 3M Internet users' needs. So our solution is a good solution for both sides.
Reporter

Comment 66

4 years ago
I just noticed that it is after January 16, 2015; I think very few certs are issued with validity greater than Jan. 1, 2017.
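Three technical points in this thread lend themselves to one small worked example: the "ASCII-encoded representation of the DER encoding" of a root's issuer name and serial number asked for in comments 7 to 9, the explicitly-encoded DEFAULT values that mozilla::pkix rejects (comment 56), and the SHA-1 certificate with a notAfter beyond January 1, 2017 issued after January 16, 2015 (comment 63). The code below is an added example and is not code from this bug, from WoSign or from Mozilla. It carries its own minimal DER reader so it runs offline; the certificate it checks is constructed inline with a dummy key and is not a real WoSign root, and the assumption that the EV root entry wanted base64 of the DER issuer Name and of the serial's value bytes is the author's, not something the bug confirms.

```python
"""Added example (not code from this bug, WoSign or Mozilla): a tiny DER reader used to
dump issuer/serial as base64 of their DER, flag DEFAULT values that are written out
(mozilla::pkix rejects them), and flag a SHA-1 certificate valid past 2017-01-01 that
was issued after 2015-01-16.  The certificate is constructed here with a dummy key."""
import base64
from datetime import datetime, timezone

# ---- minimal DER encode/decode ------------------------------------------------
def der(tag, content):
    """One TLV with a definite length (short form below 128 bytes, long form above)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):
    """INTEGER; the extra byte keeps a leading 0x00 when the top bit would be set."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos] -> (tag, content, raw_tlv, end_offset)."""
    tag, length, pos2 = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos2 = int.from_bytes(buf[pos2:pos2 + n], "big"), pos2 + n
    end = pos2 + length
    return tag, buf[pos2:end], buf[pos:end], end

def children(content):
    """All (tag, content, raw_tlv) triples inside a constructed value."""
    out, pos = [], 0
    while pos < len(content):
        tag, inner, raw, pos = read_tlv(content, pos)
        out.append((tag, inner, raw))
    return out

b64 = lambda b: base64.b64encode(b).decode()

# ---- constructed sample certificate (NOT a real certificate) --------------------
SHA1_RSA = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5  sha1WithRSAEncryption
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11 sha256WithRSAEncryption
RSA = bytes.fromhex("2a864886f70d010101")         # 1.2.840.113549.1.1.1  rsaEncryption
BASIC_CONSTRAINTS = bytes.fromhex("551d13")       # 2.5.29.19

def name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; here C=CN plus a commonName."""
    country = der(0x31, der(0x30, der(0x06, bytes.fromhex("550406")) + der(0x13, b"CN")))
    common = der(0x31, der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode())))
    return der(0x30, country + common)

def build_cert(sig_oid, not_before, not_after, ca_false_explicit):
    """v3 certificate with dummy key/signature; basicConstraints is either DER-correct
    (empty SEQUENCE, cA takes its DEFAULT FALSE) or mis-encoded (cA FALSE written out)."""
    sig_alg = der(0x30, der(0x06, sig_oid) + der(0x05, b""))
    bc = der(0x30, der(0x01, b"\x00") if ca_false_explicit else b"")
    ext = der(0x30, der(0x06, BASIC_CONSTRAINTS) + der(0x04, bc))
    tbs = (der(0xA0, der_int(2))                                     # version v3 (not the default)
           + der_int(0x8F1234)                                       # serialNumber (constructed)
           + sig_alg + name("Example Root (constructed)")            # signature, issuer
           + der(0x30, der(0x17, not_before.encode()) + der(0x17, not_after.encode()))
           + name("Example Root (constructed)")                      # subject
           + der(0x30, der(0x30, der(0x06, RSA) + der(0x05, b"")) + der(0x03, b"\x00" * 9))
           + der(0xA3, der(0x30, ext)))                              # [3] extensions
    return der(0x30, der(0x30, tbs) + sig_alg + der(0x03, b"\x00" * 9))

def tbs_fields(cert):
    """tbsCertificate members with the optional [0] version dropped if present."""
    fields = children(children(read_tlv(cert)[1])[0][1])
    return fields[1:] if fields[0][0] == 0xA0 else fields

def ev_root_identifiers(cert):
    """(issuer, serial): base64 of the DER Name and of the serial's value bytes (assumed
    to be the ASCII form an EV root entry needed; not verified against PSM sources)."""
    f = tbs_fields(cert)
    return b64(f[2][2]), b64(f[0][1])

def default_value_violations(cert):
    """DER forbids writing out a DEFAULT value; report the cases mozilla::pkix rejects."""
    problems = []
    fields = children(children(read_tlv(cert)[1])[0][1])
    if fields[0][0] == 0xA0 and children(fields[0][1])[0][1] == b"\x00":
        problems.append("version v1 encoded explicitly")
    for tag, content, _ in fields:
        if tag != 0xA3:
            continue
        for _, ext, _ in children(children(content)[0][1]):
            parts = children(ext)
            if len(parts) == 3 and parts[1][1] == b"\x00":
                problems.append("extension critical FALSE encoded explicitly")
            if parts[0][1] == BASIC_CONSTRAINTS:
                members = children(children(parts[-1][1])[0][1])
                if members and members[0][0] == 0x01 and members[0][1] == b"\x00":
                    problems.append("basicConstraints cA FALSE encoded explicitly")
    return problems

ISSUED_AFTER = datetime(2015, 1, 16, tzinfo=timezone.utc)   # dates cited in comment 63
EXPIRES_AFTER = datetime(2017, 1, 1, tzinfo=timezone.utc)

def sha1_sunset_violation(cert):
    """True when a sha1WithRSA certificate issued after 2015-01-16 expires after 2017-01-01."""
    f = tbs_fields(cert)
    sig_oid = children(f[1][1])[0][1]
    utc = lambda s: datetime.strptime(s.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    not_before, not_after = (utc(t[1]) for t in children(f[3][1]))
    return sig_oid == SHA1_RSA and not_before >= ISSUED_AFTER and not_after > EXPIRES_AFTER

if __name__ == "__main__":
    bad = build_cert(SHA1_RSA, "150201000000Z", "171231235959Z", ca_false_explicit=True)
    good = build_cert(SHA256_RSA, "150201000000Z", "161231235959Z", ca_false_explicit=False)
    print(ev_root_identifiers(good))
    print(default_value_violations(bad), default_value_violations(good))
    print(sha1_sunset_violation(bad), sha1_sunset_violation(good))
```

The reader intentionally knows nothing about what the structures mean beyond tag and length, which is the point: mozilla::pkix's complaint in comment 56 is purely about encoding, so an encoding-level walk is enough to catch it before a certificate is issued, and the same walk gives the issuer/serial bytes and the signature OID and validity dates needed for the other two checks.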

Comment 69

4 years ago
The 2014 WebTrust Seal links are:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
Reporter

Comment 70

4 years ago
Yes, the 2014 WebTrust Seal links for WoSign are:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
Reporter

Comment 71

4 years ago
WoSign 2014 WebTrust BR audit report
Reporter

Comment 72

4 years ago
The WebTrust BR seal link is https://cert.webtrust.org/ViewSeal?id=1860

Updated

2 years ago
Product: mozilla.org → NSS