Bug 851435: WoSign two root certificate inclusion application
Status: RESOLVED FIXED (Closed)
Opened 11 years ago, closed 10 years ago
Categories: CA Program :: CA Certificate Root Program, task
Tracking: Not tracked
People: Reporter: richard, Assigned: kathleen.a.wilson
Whiteboard: EV - Included in FF 32, EV enabled in F34
Attachments: 18 files, 20 obsolete files
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MDDS; .NET4.0C)

Steps to reproduce:
WoSign is a privately owned CA in China that issues certificates to the general public. We started our CA business in 2006 as a SubCA of Comodo. WoSign set up its own root CA in 2009 and started to issue certificates in 2011 under this root CA, which is cross-signed with Startcom CA.

Actual results:
We have issued thousands of certificates to customers in China. WoSign SSL certificates are deployed in top 10 eCommerce websites in China, and in bank, telecom, enterprise etc., and most software developers in China choose WoSign certificates since it supports Chinese. And we passed the WebTrust audit for 2012 by Ernst & Young.

Expected results:
WoSign's two root CAs should be included in Mozilla; this will benefit all Mozilla users in China and worldwide.
Comment 1 • 11 years ago (Reporter)
Comment 2 • 11 years ago (Reporter)
Comment 3 • 11 years ago (Reporter)
Comment 4 • 11 years ago (Assignee)
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase
I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 5 • 11 years ago (Reporter)
Please use this updated one, in which we corrected some errors, thanks.
Attachment #725290 -
Attachment is obsolete: true
Updated • 11 years ago (Reporter)
Attachment #725297 -
Attachment is obsolete: true
Comment 6 • 11 years ago (Assignee)
The attached document summarizes the information that has been verified. The items highlighted in yellow indicate where further information or clarification is needed. Please review the full document for accuracy and completeness.
Updated • 11 years ago (Assignee)
Whiteboard: EV - Information incomplete
Comment 7 • 11 years ago (Reporter)
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks.
Comment 8 • 11 years ago (Reporter)
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks.
Comment 9 • 11 years ago (Reporter)
Please help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks. This is a transferred root CA.
Comment 10 • 11 years ago (Reporter)
I got my 3 root CA DER encoding strings with the help of Kai Engert and Eddy Nigg, thanks.
Comment 11 • 11 years ago (Reporter)
We updated and completed the items highlighted in yellow (after or below them), or explained why they are not available now. Please check it and update if it is OK.
Attachment #782587 -
Attachment is obsolete: true
Comment 12 • 11 years ago (Reporter)
We completed the EV testing for WoSign CA1 - "Certification Authority of WoSign"; it can display the green bar. The attached file is the screenshot of the test result.
Comment 13 • 11 years ago (Assignee)
Do you want to proceed with the inclusion process for the "Certification Authority of WoSign" root cert now, and do a separate request later for the "CA WoSign" root inclusion?
Comment 14 • 11 years ago (Reporter)
We would like to include two roots now, but the second root CA's test website only can be done at the end of this month, not now, since we still don't use root CA2 to issue end user certificates; we need some time to set it up. If you think you can't process the root CA2 without test side, then go on with root CA1 - "Certification Authority of WoSign" first, thanks.
Comment 15 • 11 years ago (Reporter)
(In reply to Richard Wang from comment #14)
We would like to include two roots now, but the second root CA's test website can be done at the end of this month, not now, since we still don't use root CA2 to issue end user certificates; we need some time to set it up. If you think you can't process the root CA2 without test site, then go on with root CA1 - "Certification Authority of WoSign" first, thanks.
Comment 16 • 11 years ago (Assignee)
(In reply to Richard Wang from comment #15)
Let's wait for the second root. A few weeks will not make any difference, because NSS changes are done as batches every 3 months or so, and the current batch is already in progress. Please update this bug with the remaining information for the second root when ready.
Comment 17 • 11 years ago (Reporter)
Attachment #729388 -
Attachment is obsolete: true
Attachment #782581 -
Attachment is obsolete: true
Attachment #782582 -
Attachment is obsolete: true
Attachment #785723 -
Attachment is obsolete: true
Attachment #785724 -
Attachment is obsolete: true
Comment 18 • 11 years ago (Reporter)
Comment 19 • 11 years ago (Reporter)
Attachment #806638 -
Attachment is obsolete: true
Comment 20 • 11 years ago (Reporter)
Comment 21 • 11 years ago (Reporter)
Comment 22 • 11 years ago (Reporter)
Comment 23 • 11 years ago (Reporter)
Comment 24 • 11 years ago (Reporter)
Updated • 11 years ago (Reporter)
Whiteboard: EV - Information incomplete → EV - Information complete
Comment 25 • 11 years ago (Reporter)
This update included:
(1) Company name changed from "WoSign eCommerce Services Limited" to "WoSign CA Limited";
(2) Finished the setup of the EV test website for root CA2;
(3) Finished the EV greenbar test.
Please check if it is OK, thanks for your help.
Comment 26 • 11 years ago (Assignee)
As per the attached document, there are two remaining things:
1) Please clarify the (current and planned) CA hierarchy for the "CA WoSign" root.
2) I think the audits were for one root. Will need audits that cover both roots. Also, it appears that perhaps the roots were re-generated, so maybe need to clarify in regards to EV readiness.
Anyways, we can move forward with the approval process once the CA hierarchy information for the "CA WoSign" root is provided. If this request is approved, then actual inclusion will be dependent on audit statements covering both new root certs.
Comment 27 • 11 years ago (Reporter)
Comment 28 • 11 years ago (Reporter)
Comment 29 • 11 years ago (Reporter)
Thank you, Kathleen. I updated the CA hierarchy for the "CA WoSign" root, and I attached the EY auditor audited "CA WoSign" key generation ceremony report in the "851435-Updated CA Information.pdf". But one thing I need to clarify is that it is NOT the case that "roots were re-generated"; we resigned the root certificate to change the company name in the subject, and no new root CA or sub CA key was generated. If you think the second CA "CA WoSign", which doesn't have an EV readiness report, can't be included as an EV root, move forward with root CA1 - "Certification Authority of WoSign": include CA1 as an EV root, and include CA2 as a normal root. Please advise if this solution is OK, thanks a lot.
Comment 30 • 11 years ago (Assignee)
Comment 31 • 11 years ago (Assignee)
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information complete → EV - Information confirmed complete
Updated • 11 years ago (Reporter)
Attachment #808150 -
Attachment is obsolete: true
Comment 32 • 11 years ago (Assignee)
I am now opening the first public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA WoSign” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list. The discussion thread is called “WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion. A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion
Comment 33 • 11 years ago (Reporter)
New resigned CA1
Attachment #806641 -
Attachment is obsolete: true
Attachment #806643 -
Attachment is obsolete: true
Comment 34 • 11 years ago (Reporter)
New resigned CA2
Comment 35 • 11 years ago (Reporter)
resigning ceremony witnessed by Ernst & Young auditor
Comment 36 • 11 years ago (Assignee)
(In reply to Kathleen Wilson from comment #32)
> I am now opening the first public discussion period for this request from
> WoSign to include the “Certification Authority of WoSign” and “CA WoSign”
> root certificates, turn on all three trust bits for both root certs, and
> enable EV treatment for both root certs.
>
I have closed the first public discussion.
https://groups.google.com/d/msg/mozilla.dev.security.policy/DYrrxCsD6CA/9y8a5NnshRgJ

Richard, Please resolve the issues that were raised in the discussion, and have a new full audit performed over the new root certificates. Note that the new audit must include the CA/Browser Forum's Baseline Requirements. Mozilla's audit requirements are listed in items #11 through #14 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html.

Upon completion of the audit, please update this bug with the new root cert information, test websites, and links to documentation and audit. Then I will update the CA Information document and start the second round of discussion.
Whiteboard: EV - In public discussion → EV - Information incomplete
Comment 37 • 11 years ago (Reporter)
Thanks. My auditor said the WebTrust Report for 2012 only covered two roots, "Certification Authority of WoSign" and "CA 沃通根证书", and did not cover root "CA WoSign". So we will apply for inclusion of the two covered roots, "Certification Authority of WoSign" and "CA 沃通根证书". We will set up the new test site and update the CA information soon, thanks.
Updated • 11 years ago (Assignee)
Attachment #831456 -
Attachment is obsolete: true
Comment 38 • 11 years ago (Reporter)
root CA2 -- "CA 沃通根证书"
Attachment #806644 -
Attachment is obsolete: true
Attachment #806645 -
Attachment is obsolete: true
Attachment #831454 -
Attachment is obsolete: true
Comment 39 • 11 years ago (Reporter)
CA1 EV Minefield Green Bar Screenshot
Comment 40 • 11 years ago (Reporter)
CA2 EV Minefield Green Bar Screenshot
Comment 41 • 11 years ago (Reporter)
The 2012 WebTrust Report covered two roots, "Certification Authority of WoSign" and "CA 沃通根证书", so we decided to apply for inclusion of these two roots. The two EV test sites are up now: https://root1evtest.wosign.com and https://root1evtest.wosign.com, and we will update the CA information document soon.
Comment 42 • 11 years ago (Reporter)
Sorry, the two new test sites are: https://root1evtest.wosign.com and https://root2evtest.wosign.com; you should download the two root CAs and install them to test.
Comment 43 • 11 years ago (Assignee)
(In reply to Richard Wang from comment #41)
> 2012 WebTrust Report covered two roots "Certification Authority of WoSign"
> and "CA 沃通根证书", so we decided to apply this two root for inclusion.
If these two root certs are included, then the annual audits will have to continue covering them until they are removed. If you are planning to move to a new CA hierarchy, then you can have the 2013 audit cover the new roots and request inclusion of them instead.

When do you expect to have the next (2013) audit done? Will it include the Baseline Requirements criteria?

Have the issues that were raised during the public discussion all been resolved?
Comment 44 • 11 years ago (Reporter)
Thanks very much for your advice, Kathleen. Yes, we would like to include the two root CAs covered by the 2012 WebTrust audit and continue to cover them in the 2013 audit. Yes, we solved all issues in the public discussion; I will update the CA information document today. Please move forward to the second round of discussion, thanks a lot.
Comment 45 • 11 years ago (Reporter)
This is the final updated CA information for the two root CAs covered by the WebTrust audit: "Certification Authority of WoSign" and "CA 沃通根证书"
Attachment #806639 -
Attachment is obsolete: true
Attachment #808151 -
Attachment is obsolete: true
Comment 46 • 11 years ago (Reporter)
Yes, it will include the Baseline Requirements criteria, with which we are compliant now.
Comment 47 • 10 years ago (Reporter)
Corrected a little mistake: changed the CA2 CRL/OCSP/AIA URL to the wosign.cn domain, not the wosign.com domain.
Attachment #8335195 -
Attachment is obsolete: true
Comment 48 • 10 years ago (Assignee)
Regarding starting the second discussion... I will wait until after the new audit statements are available (including the audit statement about compliance with the Baseline Requirements). Please update this bug when the links to those audit statements are available.

What is the status of inclusion in the other browsers?

(In reply to Richard Wang from comment #47)
> Created attachment 8352728 [details]
> mozilla_812771_update_20131230.pdf
I'm planning to use your document, because I don't have the correct character set on my system. However, I think the following statement needs to be removed from the "Audits" section: "Note: the roots were resigned to change the company name in the subject."
Comment 49 • 10 years ago (Reporter)
Removed the words "Note: the roots were resigned to change the company name in the subject." Our 2013 audit report will be ready before March 30th; we will update with the new report, which includes the BR audit. The new report will use my new company name, which is the same as the name in the root subject.
Attachment #8352728 -
Attachment is obsolete: true
Comment 50 • 10 years ago (Reporter)
In case you or anyone else can't read Chinese well, I attached screenshots of page 1 and page 3 that display the root name and subCA name in Chinese. The second root name means "CA WoSign Root Certificate" in English.
Comment 51 • 10 years ago (Reporter)
Updated • 10 years ago (Assignee)
Whiteboard: EV - Information incomplete → EV - Pending updated audit statements, then second round of discussion
Comment 52 • 10 years ago (Reporter)
We got the WebTrust Seal, EV seal and BR auditor report (attached) on Mar. 29:
WebTrust seal: https://cert.webtrust.org/ViewSeal?id=1654
WebTrust EV Seal: https://cert.webtrust.org/ViewSeal?id=1653
So please move on, thanks.
Comment 53 • 10 years ago (Assignee)
I am now opening the second public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list. The discussion thread is called “Second Discussion of WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion. A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Pending updated audit statements, then second round of discussion → EV - In second round of discussion
Comment 54 • 10 years ago (Assignee)
Please update this bug with your responses to the recent CA Communication, https://wiki.mozilla.org/CA:Communications#May_13.2C_2014
Comment 55 • 10 years ago (Assignee)
The public comment period for this request is now over.

This request has been evaluated as per Mozilla’s CA Certificate Policy at
http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

Section 4 [Technical]. I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. WoSign appears to provide a service relevant to Mozilla users: It is a privately-owned CA in China which issues certificates to the general public. WoSign started their CA business in 2006 as a SubCA of Comodo. WoSign set up its own root CA in 2009 and started to issue certificates in 2011 under this root CA that cross-signed with a Startcom CA. WoSign has issued thousands of certificates to customers in China. WoSign SSL certificates are deployed in top 10 eCommerce websites in China; for bank, telecom, enterprise etc., and most software developers in China choose WoSign certificate since it supports Chinese.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main document of interest is the CPS, which is provided in English.
Document Repository: http://www.wosign.com/policy/cps_e.htm
CPS: http://www.wosign.com/policy/wosign-policy-1-2-4.pdf

Section 7 [Validation]. WoSign appears to meet the minimum requirements for subscriber verification, as follows:
* SSL: As per section 3.2.2 of the CPS, for Class 1 (DV) SSL certificates WoSign validates that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient enough to receive an electronic mail message. Additionally the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar. If the WHOIS data contain additional email addresses, they may be offered as additional choices to the above mentioned electronic mail accounts. WoSign also provides Class 2, Class 3 (OV) and Class 4 (EV) SSL certificates as described in section 3.2.2 of the CPS, which states that domain control validation is still performed as in Class 1, but there are additional checks to validate the subscriber and organization. WoSign also provides trial SSL certificates that are domain validated (Class 1).
* Email: According to section 3.2.2 of the CPS, WoSign verifies the email address to be included in a certificate by sending an electronic mail message with a verification code to the requested email account. The subscriber has to return and submit the verification code as proof of ownership of the email account within a limited period sufficient enough to receive an electronic mail message.
* Code: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4. Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.

Section 18 [Certificate Hierarchy].
* Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.
* Root Cert URL
Certification Authority of WoSign: http://www.wosign.com/Root/WS_CA1_NEW.crt
CA 沃通根证书: http://www.wosign.com/Root/ws_ca2_new.crt
* EV Policy OID: 1.3.6.1.4.1.36305.2
* Test Websites:
Certification Authority of WoSign: https://root1evtest.wosign.com
CA 沃通根证书: https://root2evtest.wosign.com
* OCSP
Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
CA 沃通根证书:
http://ocsp2.wosign.com/ca2
http://ocsp2.wosign.com/class4/server/ca2
http://ocsp2.wosign.com/class3/server/ca2
http://ocsp2.wosign.com/class1/server/ca2
http://ocsp2.wosign.com/class1/client/ca2
http://ocsp2.wosign.com/class2/client/ca2
http://ocsp2.wosign.com/class3/client/ca2
http://ocsp2.wosign.com/class3/code/ca2
CPS section 4.9.9, OCSP: The current CRLs are reloaded at least every 60 minutes.

Sections 11-14 [Audit].
* Annual audits are performed by Ernst & Young according to the WebTrust criteria.
Audit Report: https://cert.webtrust.org/SealFile?seal=1654&file=pdf
BR Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8399189
EV Audit Report: https://cert.webtrust.org/SealFile?seal=1653&file=pdf

Based on this assessment I intend to approve this request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

Note: Need WoSign to respond to the recent CA Communication before approval.
Whiteboard: EV - In second round of discussion → EV - Pending approval
Comment 56 • 10 years ago (Reporter)
(In reply to Kathleen Wilson from comment #54)
1. A -- Pending list has current audits and correct date
2. A -- Pending list has current BR audit
3. A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.
4. B -- We have previously issued certificates with the following problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page:
(1) Default values in a SEQUENCE must not be explicitly encoded. We will not issue new certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page from the date: May 30, 2014.
(2) OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE. We will update our OCSP system and solve this problem before May 30, 2014.
5. A – Please visit: http://www.wosign.com/english/root.htm that lists all of publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program.
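
The two encoding problems named in item 4 of comment 56, as an added example that is not part of the bug thread and is not Mozilla's mozilla::pkix code: a small Python lint that flags an explicitly encoded DEFAULT FALSE (the extension `critical` flag and BasicConstraints `cA`) and an empty Extensions SEQUENCE. Function names and sample bytes are constructed for illustration, and locating the Extensions element inside a certificate or OCSP response is assumed to be done by the caller.

```python
# Added example: DER lint for explicitly encoded DEFAULT values and for an
# empty Extensions SEQUENCE. Every byte string below is a constructed sample.
OID_BASIC_CONSTRAINTS = "2.5.29.19"  # id-ce-basicConstraints (RFC 5280)

def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long-form length, 1..4 octets
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER value runs past end of input")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the content of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        items.append((tag, val))
    return items

def decode_oid(body):
    """Decode OBJECT IDENTIFIER content octets into dotted form."""
    arcs, acc = [], 0
    for octet in body:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:               # last octet of this sub-identifier
            arcs.append(acc)
            acc = 0
    if not arcs:
        raise ValueError("empty OID")
    first = arcs[0]
    head = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in head + tuple(arcs[1:]))

def lint_extensions(der):
    """Return findings for one DER-encoded Extensions value."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts = children(body)
    if not exts:
        # Extensions is SIZE (1..MAX): an unused field is omitted, never sent empty.
        return ["empty Extensions SEQUENCE"]
    findings = []
    for ext_tag, ext_body in exts:
        if ext_tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        fields = children(ext_body)
        if not fields or fields[0][0] != 0x06:
            raise ValueError("Extension must start with an OID")
        oid = decode_oid(fields[0][1])
        for ftag, fval in fields[1:]:
            if ftag == 0x01 and fval == b"\x00":
                # critical is BOOLEAN DEFAULT FALSE, so FALSE must be omitted.
                findings.append(f"{oid}: critical=FALSE explicitly encoded")
            elif ftag == 0x04 and oid == OID_BASIC_CONSTRAINTS:
                # extnValue wraps SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }.
                bc_tag, bc_body, _ = read_tlv(fval, 0)
                if bc_tag != 0x30:
                    raise ValueError("BasicConstraints must be a SEQUENCE")
                if (0x01, b"\x00") in children(bc_body):
                    findings.append(f"{oid}: cA=FALSE explicitly encoded")
    return findings

def tlv(tag, *parts):
    """Build a short-form DER element (used only to construct the samples)."""
    body = b"".join(parts)
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

# Constructed samples: keyUsage (critical=TRUE), extKeyUsage with an explicit
# critical=FALSE, BasicConstraints with an explicit cA=FALSE, and a clean one.
KEY_USAGE = tlv(0x30, tlv(0x06, b"\x55\x1d\x0f"), tlv(0x01, b"\xff"),
                tlv(0x04, tlv(0x03, b"\x01\x06")))
EKU_BAD = tlv(0x30, tlv(0x06, b"\x55\x1d\x25"), tlv(0x01, b"\x00"),
              tlv(0x04, tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070301")))))
BC_BAD = tlv(0x30, tlv(0x06, b"\x55\x1d\x13"), tlv(0x04, tlv(0x30, tlv(0x01, b"\x00"))))
BC_OK = tlv(0x30, tlv(0x06, b"\x55\x1d\x13"), tlv(0x04, tlv(0x30)))
SAMPLE_BAD = tlv(0x30, KEY_USAGE, EKU_BAD, BC_BAD)
SAMPLE_GOOD = tlv(0x30, KEY_USAGE, BC_OK)
SAMPLE_EMPTY = tlv(0x30)  # the content an OCSP responder would wrap in [1]

if __name__ == "__main__":
    print(lint_extensions(SAMPLE_BAD))
```
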
Comment 57 • 10 years ago (Reporter)
(In reply to Kathleen Wilson from comment #55)
> Section 18 [Certificate Hierarchy].
> * Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.
We launched two sub CAs for CA1 on Jan. 1st, 2014, so now the hierarchy is:
* Each root has 9 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, IV Server CA, DV Server CA, Class 3 Code Signing CA, Class 2 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.
> * OCSP
Here's the current list.
(1) Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class1/client/ca1
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
http://ocsp1.wosign.com/class2/server/ca1
http://ocsp1.wosign.com/class2/code/ca1
(2) CA 沃通根证书:
http://ocsp2.wosign.cn/ca2
http://ocsp2.wosign.cn/class4/server/ca2
http://ocsp2.wosign.cn/class3/server/ca2
http://ocsp2.wosign.cn/class1/server/ca2
http://ocsp2.wosign.cn/class1/client/ca2
http://ocsp2.wosign.cn/class2/client/ca2
http://ocsp2.wosign.cn/class3/client/ca2
http://ocsp2.wosign.cn/class3/code/ca2
http://ocsp1.wosign.cn/class2/server/ca1
http://ocsp1.wosign.cn/class2/code/ca1
Comment 58 • 10 years ago (Assignee)
As per the summary in Comment #55, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:
** “Certification Authority of WoSign” (websites, email, code signing), enable EV
** “CA 沃通根证书” (websites, email, code signing), enable EV
I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending approval → EV - Approved - awaiting NSS and PSM changes
Comment 59 • 10 years ago (Assignee)
I have filed bug #1017295 against NSS and bug #1017299 against PSM for the actual changes.
Comment 60 • 10 years ago (Reporter)
We updated our PKI/CA system and OCSP system, and we solved the two related problems. Please check the two test websites to check if all are solved, thanks a lot.
Comment 61 • 10 years ago (Reporter)
Mozilla released a new NSS on July 3 that included WoSign's two roots. But I installed the new Firefox 31 released on July 22 and I can't find my two roots built in. What's the problem? Is it a bug? I tested the English version and the Chinese version. Please help, thanks.
Comment 62 • 10 years ago
Re comment #61: It appears that NSS 3.16.3 -- where the WoSign roots were added -- will not be included in Firefox until Firefox 32.0 or possibly later. See <https://wiki.mozilla.org/NSS:Release_Versions>.
Updated • 10 years ago (Assignee)
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - Approved - Included in FF 32, awaiting PSM changes
Updated • 10 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - Included in FF 32, awaiting PSM changes → EV - Included in FF 32, EV enabled in F34
Comment 63 • 9 years ago
WoSign has issued a certificate not complying with the Baseline Requirements v1.2.1, in particular, a SHA-1 validity period greater than January 1, 2017, issued after January 16, 2015.
This would appear to be inconsistent with https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ / https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates
The certificate is available at https://code.google.com/p/chromium/issues/detail?id=381562#c10
Comment 64 • 9 years ago (Reporter)
We know this is NOT compliant with BR, but we should consider that there are more than 3 Million Internet users in China that don't support SHA2. So we issue SHA1 certificates first, and we will replace the SHA1 certificates with SHA2 in Dec 2016 to meet the request. Thanks for your comment.
Comment 65 • 9 years ago (Reporter)
I declared this problem at the September 2014 CABF F2F meeting in Beijing: we should consider the needs of those 3M Internet users. So our solution is a good solution for both sides.
Comment 66 • 9 years ago (Reporter)
I just noticed that it is after January 16, 2015. I think very few certs are issued that are greater than Jan. 1, 2017.
Comment 67 • 9 years ago (Assignee)
Comment 68 • 9 years ago (Assignee)
Comment 69 • 9 years ago
The 2014 WebTrust Seal link is:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
Comment 70 • 9 years ago (Reporter)
Yes, the 2014 WebTrust Seal link for WoSign is:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842
Comment 71 • 9 years ago (Reporter)
WoSign 2014 WebTrust BR audit report
Comment 72 • 9 years ago (Reporter)
The WebTrust BR seal link is https://cert.webtrust.org/ViewSeal?id=1860
Updated • 7 years ago
Product: mozilla.org → NSS
Updated • 1 year ago
Product: NSS → CA Program