Closed Bug 851435 Opened 11 years ago Closed 10 years ago

WoSign two root certificate inclusion application

Categories

(CA Program :: CA Certificate Root Program, task)

Product:
CA Program
Component:
CA Certificate Root Program
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: richard, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: EV - Included in FF 32, EV enabled in F34)

Attachments

(18 files, 20 obsolete files)

WoSign 2012 - Opinion Letter - WebTrust Criteria.pdf
216.08 KB, application/pdf
Details
WoSign 2012- Opinion Letter - EV Readiness.pdf
125.90 KB, application/pdf
Details
Initial CA Information Document
92.64 KB, application/pdf
Details
Initial CA Information Document_20130918.pdf
457.34 KB, application/pdf
Details
wosign company name changedto WoSign CA Limited
62.99 KB, application/pdf
Details
Updated CA Information Document
87.70 KB, application/pdf
Details
Completed CA Information Document
89.35 KB, application/pdf
Details
WS_ca1.cer
1.91 KB, application/x-x509-ca-cert
Details
WS_ca2.cer
1.87 KB, application/x-x509-ca-cert
Details
EV_CA1_Minefield_GreenBar.png
13.71 KB, image/png
Details
EV_CA2_Minefield_GreenBar.png
13.57 KB, image/png
Details
mozilla_851435_update_20140117.pdf
125.10 KB, application/pdf
Details
851435_Page1
197.59 KB, image/jpeg
Details
851435_Page 3
158.82 KB, image/jpeg
Details
WoSign 2013 - WebTrust SSL Baseline Requirements Auditor report.pdf
1.08 MB, application/pdf
Details
WoSign 2014 - WebTrust EV audit report.pdf
481.59 KB, application/pdf
Details
WoSign 2014 - WebTrust CA2.0 audit report.pdf
982.92 KB, application/pdf
Details
WoSign 2014 - WebTrust BR audit report.pdf
1.11 MB, application/pdf
Details 
User Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; MDDS; .NET4.0C)

Steps to reproduce:

WoSign is a private-owned CA in China to issue certificate to general public. We started CA business from 2006 as a SubCA of Comodo at 2006. And WoSign setup its own root CA at 2009 and start to issue certificates at 2011 under this root CA that cross signed with Startcom CA. 


Actual results:

We issued thousands certificates to China customers, WoSign SSL certificate is deployed in top 10 eCommerce websites in China, and bank, telecom, enterprise etc., and most software developers in China choose WoSign certificate since it support Chinese.
And we passed the WebTrust audit for 2012 by Ernst & Young.


Expected results:

WoSign two root CA should include in Mozilla, this will benefit all Mozilla users in China and worldwide.
I am accepting this bug, and will work on it as soon as possible, but I have a large backlog.
https://wiki.mozilla.org/CA:Schedule#Requests_in_the_Information_Gathering_and_Verification_Phase

I will update this bug when I begin the Information Verification phase.
https://wiki.mozilla.org/CA:How_to_apply#Information_Verification
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
please use this update one that we correct some error, thanks.
Attachment #725290 - Attachment is obsolete: true
Attachment #725297 - Attachment is obsolete: true
The attached document summarizes the information that has been verified.

The items highlighted in yellow indicate where further information or
clarification is needed. Please review the full document for accuracy and
completeness.
Whiteboard: EV - Information incomplete
Attached file WS_ca1.crt (obsolete) — 
pleaae help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks.
Attached file ws_ca2.crt (obsolete) — 
pleaae help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks.
Attached file WS_CA3.cer (obsolete) — 
pleaae help to produce an ASCII-encoded representation of the DER encoding of this root CA certificate issuer name and its serial number, thanks.
This is a transfered root CA.
I got my 3 root CA DER encodeing string by the help from Kai Engert and Eddy Nigg, thanks.
Attached file 851435_update.pdf (obsolete) — 
We update and completed the items highlighted in yellow(after or below it), or explained why it is not available now, please check it and update if it is OK.
Attachment #782587 - Attachment is obsolete: true
Attached image ev_test_greenbar.png (obsolete) — 
We complete the EV testing for WoSign CA1-"Certification Authority of WoSign", it can display green bar. this attached file is the screenshot for the test result.
Do you want to proceed with the inclusion process for the "Certification Authority of WoSign" root cert now, and do a separate request later for the"CA WoSign" root inclusion?
We like to include two root now, but the second root CA's test website only can be done at the end of this month, not now since we still don't use root CA2 to issue end user certificate, we need some time to setup it.
If you think you can't process the root CA2 without test side, then go on with root CA1 --"Certification Authority of WoSign" first, thanks.
(In reply to Richard Wang from comment #14)
We like to include two root now, but the second root CA's test website can be done at the end of this month, not now since we still don't use root CA2 to issue end user certificate, we need some time to setup it.
If you think you can't process the root CA2 without test site, then go on with root CA1 --"Certification Authority of WoSign" first, thanks.
(In reply to Richard Wang from comment #15)
Let's wait for the second root. A few weeks will not make any difference, because NSS changes are done as batches every 3 months or so, and the current batch is already in progress.

Please update this bug with the remaining information for the second root when ready.

        Attachment #729388 -
        Attachment is obsolete: true

        Attachment #782581 -
        Attachment is obsolete: true

        Attachment #782582 -
        Attachment is obsolete: true

        Attachment #785723 -
        Attachment is obsolete: true

        Attachment #785724 -
        Attachment is obsolete: true

    
    

    
  


  

    
    

    
  


  

        Attachment #806638 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        WS_CA1_new.cer (obsolete)
        — 
      

    


  

    
    

    
  

      
      
      
      

        Attached file
          
        WS_CA2_new.cer (obsolete)
        — 
      

    


  

    
    

    
  

      
      
      
      

        Attached image
          
        EV_CA1_Minefield_GreenBar.png (obsolete)
        — 
      

    


  

    
    

    
  

      
      
      
      

        Attached image
          
        EV_CA2_Minefield_GreenBar.png (obsolete)
        — 
      

    


  

    
  
Whiteboard: EV - Information incomplete → EV - Information complete

    
    

    
  
This time update included:
(1) Company name changed from "WoSign eCommerce Services Limited" to "WoSign CA Limited";
(2) Finished the setup ev test website for root CA2;
(3) Finished the EV greenbar test
Please check if it is OK, thanks for your help.

    
    

    
  


  
As per the attached document, there are two remaining things:

1) Please clarify the (current and planned) CA hierarchy for the "CA WoSign" root.

2) I think the audits were for one root. Will need audits that cover both roots. Also, it appears that perhaps the roots were re-generated, so maybe need to clarify in regards to EV readiness. Anyways, we can move forward with the approval process once the CA hierarchy information for the "CA WoSign" root is provided. If this request is approved, then actual inclusion will be dependent on audit statements covering both new root certs.

    
    

    
  

      
      
      
      

        Attached file
          
        851435-Updated CA Information.pdf (obsolete)
        — 
      

    


  

    
    

    
  


  

    
    

    
  
Thank you, Kathleen.
I update the CA hierarchy for "CA WoSign" root.
and I attached the EY auditor audited "CA WoSign" key generatuon ceremeny report in the "851435-Updated CA Information.pdf".
But one thing I need to clarify that we are NOT "roots were re-generated", we resigned the root certificate that change the company name in subject, no any root CA and sub CA new key generatated.
If you think the second CA "CA WoSign" that don't have EV readiness report that can't include as EV root, move forward for root CA1 - "Certification Authority of WoSign" that include CA1 for EV root, and include CA2 for normal root. 
Please advice if this solution is OK, thanks a lot.

    
    

    
  


  

    
    

    
  
I'll try to start the discussion soon.
https://wiki.mozilla.org/CA:Schedule#Queue_for_Public_Discussion
Whiteboard: EV - Information complete → EV - Information confirmed complete

    
  

        Attachment #808150 -
        Attachment is obsolete: true

    
    

    
  
I am now opening the first public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA WoSign” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion.

A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Information confirmed complete → EV - In public discussion

    
    

    
  

      
      
      
      

        Attached file
          
        WS_ca1.cer
      

    


  
New resigned CA1

        Attachment #806641 -
        Attachment is obsolete: true

        Attachment #806643 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        WS_ca2.cer (obsolete)
        — 
      

    


  
New resigned CA2

    
    

    
  


  
resigning ceremony witnessed by Ernst & Young auditor

    
    

    
  
(In reply to Kathleen Wilson from comment #32)
> I am now opening the first public discussion period for this request from
> WoSign to include the “Certification Authority of WoSign” and “CA WoSign”
> root certificates, turn on all three trust bits for both root certs, and
> enable EV treatment for both root certs.
> 

I have closed the first public discussion.
https://groups.google.com/d/msg/mozilla.dev.security.policy/DYrrxCsD6CA/9y8a5NnshRgJ

Richard, Please resolve the issues that were raised in the discussion, and have a new full audit performed over the new root certificates. Note that the new audit must included the CA/Browser Forum's Baseline Requirements. Mozilla's audit requirements are listed in items #11 through #14 of http://www.mozilla.org/projects/security/certs/policy/InclusionPolicy.html.

Upon completion of the audit, please update this bug with the new root cert information, test websites, and links to documentation and audit. Then I will update the CA Information document and start the second round of discussion.
Whiteboard: EV - In public discussion → EV - Information incomplete

    
    

    
  
Thanks.
My auditor said the WebTrust Reeport for 2012 only covered two roots "Certification Authority of WoSign" and "CA 沃通根证书", not covered root "CA WoSign". So we will apply inclusion for the covered two roots "Certification Authority of WoSign" and "CA 沃通根证书". We will setup the new test site and update the CA information soon, thanks.

    
  

        Attachment #831456 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached file
          
        WS_ca2.cer
      

    


  
root CA2 -- "CA 沃通根证书"

        Attachment #806644 -
        Attachment is obsolete: true

        Attachment #806645 -
        Attachment is obsolete: true

        Attachment #831454 -
        Attachment is obsolete: true

    
    

    
  


  
CA1 EV Minefield Green Bar Screenshot

    
    

    
  


  
CA2 EV Minefield Green Bar Screenshot

    
    

    
  
2012 WebTrust Report covered two roots "Certification Authority of WoSign" and "CA 沃通根证书", so we decided to apply this two root for inclusion. The two EV test site is up now: https://root1evtest.wosign.com and https://root1evtest.wosign.com, and we will update the CA information document soon.

    
    

    
  
sorry, the two new test site are: https://root1evtest.wosign.com  and https://root2evtest.wosign.com, you should doown the two root CA and install it to test.

    
    

    
  
(In reply to Richard Wang from comment #41)
> 2012 WebTrust Report covered two roots "Certification Authority of WoSign"
> and "CA 沃通根证书", so we decided to apply this two root for inclusion. 

If these two root certs are included, then the annual audits will have to continue covering them until they are removed. If you are planning to move to a new CA hierarchy, then you can have the 2013 audit cover the new roots and request inclusion of them instead.

When do you expect to have the next (2013) audit done?

Will it include the Baseline Requirements criteria?

Have the issues that were raised during the public discussion all been resolved?

    
    

    
  
Very thanks for your advice, Kathleen. 
Yes, we like to include the 2012 WebTrust audit covered two root CA and continute to cover it in 2013 audit.
Yes, we solved all issues in the public discussion that I will update the CA information document today.
Please move forward to second round of discussion, thanks a lot.

    
    

    
  

      
      
      
      

        Attached file
          
        mozilla_812771_update_20131120.pdf (obsolete)
        — 
      

    


  
This is the final update CA information for WebTrust audit covered two root CA: "Certification Authority of WoSign" and "CA 沃通根证书"

        Attachment #806639 -
        Attachment is obsolete: true

        Attachment #808151 -
        Attachment is obsolete: true

    
    

    
  
Yes, it will include the Baseline Requirements criteria that we are compliant now.

    
    

    
  

      
      
      
      

        Attached file
          
        mozilla_812771_update_20131230.pdf (obsolete)
        — 
      

    


  
correct a little mistake that change the CA2 CRL/OCSP/AIA url to wosign.cn domain, not wosign.com domain.

        Attachment #8335195 -
        Attachment is obsolete: true

    
    

    
  
Regarding starting the second discussion... I will wait until after the new audit statements are available (including the audit statement about compliance with the Baseline Requirements). Please update this bug when the links to those audit statements are available.


What is the status of inclusion in the other browsers?


(In reply to Richard Wang from comment #47)
> Created attachment 8352728 [details]
> mozilla_812771_update_20131230.pdf

I'm planning to use your document, because I don't have the correct character set on my system. 
However, I think the following statement needs to be removed from the "Audits" section:
"Note: the roots were resigned to change the company name in the subject."

    
    

    
  


  
Removed the word "Note: the roots were resigned to change the company name in the subject."
Our 2013 audit report will be ready before March 30th, we will update the new report that including the BR audit. the new report will use my new company name that same as the name in the root subject.

        Attachment #8352728 -
        Attachment is obsolete: true

    
    

    
  

      
      
      
      

        Attached image
          
        851435_Page1
      

    


  
In case you and any person can't read the Chinese well, I attached the screenshot for page 1 and page 3 that display the root name and subCA name in Chinese.
The second root name means "CA WoSign Root Certificate" in English.

    
    

    
  

      
      
      
      

        Attached image
          
        851435_Page 3
      

    


  

    
  
Whiteboard: EV - Information incomplete → EV - Pending updated audit statements, then second round of discussion

    
    

    
  


  
We got the WebTrust Seal, EV seal and BR auditor report(attached)at Mar.29:
WebTrust seal:  https://cert.webtrust.org/ViewSeal?id=1654
WebTrust EV Seal:  https://cert.webtrust.org/ViewSeal?id=1653
So please move on, thanks.

    
    

    
  
I am now opening the second public discussion period for this request from WoSign to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

For a description of the public discussion phase, see https://wiki.mozilla.org/CA:How_to_apply#Public_discussion

Public discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

The discussion thread is called “Second Discussion of WoSign Root Inclusion Request”.

Please actively review, respond, and contribute to the discussion.

A representative of WoSign must promptly respond directly in the discussion thread to all questions that are posted.
Whiteboard: EV - Pending updated audit statements, then second round of discussion → EV - In second round of discussion

    
    

    
  
Please update this bug with your responses to the recent CA Communication,
https://wiki.mozilla.org/CA:Communications#May_13.2C_2014

    
    

    
  
The public comment period for this request is now over. 

This request has been evaluated as per Mozilla’s CA Certificate Policy at

 http://www.mozilla.org/about/governance/policies/security-group/certs/policy/inclusion/

Here follows a summary of the assessment. If anyone sees any factual errors, please point them out.

To summarize, this assessment is for the request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs. 

Section 4 [Technical]. I am not aware of instances where WoSign has knowingly issued certificates for fraudulent use. If anyone knows of any such issues or instances, please note them in this bug.

Section 6 [Relevancy and Policy]. WoSign appears to provide a service relevant to Mozilla users: It is a privately-owned CA in China which issues certificates to the general public. WoSign started their CA business in 2006 as a SubCA of Comodo. WoSign setup its own root CA in 2009 and started to issue certificates in 2011 under this root CA that cross-signed with a Startcom CA. WoSign has issued thousands of certificates to customers in China. WoSign SSL certificates are deployed in top 10 eCommerce websites in China; for bank, telecom, enterprise etc., and most software developers in China choose WoSign certificate since it supports Chinese.

Policies are documented in the documents published on their website and listed in the entry on the pending applications list. The main document of interest is the CPS, which is provided in English.

Document Repository: http://www.wosign.com/policy/cps_e.htm
CPS: http://www.wosign.com/policy/wosign-policy-1-2-4.pdf
 
Section 7 [Validation]. WoSign appears to meet the minimum requirements for subscriber verification, as follows:

* SSL: As per section 3.2.2 of the CPS, for Class 1 (DV) SSL certificates WoSign validates that the certificate subscriber owns/controls the domain name to be included in the certificate by sending an electronic mail message with a verification code to one of the following administrative electronic mail accounts: webmaster@domain.com, hostmaster@domain.com, postmaster@domain.com. The subscriber has to return and submit the verification code as proof of ownership of the domain name within a limited period sufficient enough to receive an electronic mail message. Additionally the existence of the domain name is verified by checking the WHOIS records provided by the domain name registrar. If the WHOIS data contain additional email addresses, they may be offered as additional choices to the above mentioned electronic mail accounts.
WoSign also provides Class 2, Class 3 (OV) and Class 4 (EV) SSL certificates as described in section 3.2.2 of the CPS, which states that domain control validation is still performed as in Class 1, but there are additional checks to validate the subscriber and organization.
WoSign also provides trial SSL certificates that are domain validated (Class 1).

* Email: According to section 3.2.2 of the CPS, WoSign verifies the email address to be included in a certificate by sending an electronic mail message with a verification code to the requested email account. The subscriber has to return and submit the verification code as prove of ownership of the email account within a limited period sufficient enough to receive an electronic mail message. 

* Code: According to section 3.1.1 of the CPS, the validation levels allowed for Code Signing certs are Class 2, Class 3, or Class 4.  Steps taken to verify the identity of the certificate subscriber and verify the organization are described in section 3.2.2 of the CPS, and steps taken to verify the authority of the certificate subscriber to act on behalf of the organization are described in section 3.2.4.

Section 18 [Certificate Hierarchy]. 
* Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

* Root Cert URL 
Certification Authority of WoSign: http://www.wosign.com/Root/WS_CA1_NEW.crt 
CA 沃通根证书: http://www.wosign.com/Root/ws_ca2_new.crt

* EV Policy OID: 1.3.6.1.4.1.36305.2

* Test Websites:
Certification Authority of WoSign: https://root1evtest.wosign.com
CA 沃通根证书: https://root2evtest.wosign.com

* OCSP
Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
CA 沃通根证书:
http://ocsp2.wosign.com/ca2
http://ocsp2.wosign.com/class4/server/ca2
http://ocsp2.wosign.com/class3/server/ca2
http://ocsp2.wosign.com/class1/server/ca2
http://ocsp2.wosign.com/class1/client/ca2
http://ocsp2.wosign.com/class2/client/ca2
http://ocsp2.wosign.com/class3/client/ca2
http://ocsp2.wosign.com/class3/code/ca2
CPS section 4.9.9, OCSP: The current CRLs are reloaded at least every 60 minutes.

Sections 11-14 [Audit].  
* Annual audits are performed by Ernst & Young according to the WebTrust criteria.
Audit Report: https://cert.webtrust.org/SealFile?seal=1654&file=pdf
BR Audit Statement: https://bugzilla.mozilla.org/attachment.cgi?id=8399189
EV Audit Report: https://cert.webtrust.org/SealFile?seal=1653&file=pdf

Based on this assessment I intend to approve this request to include the “Certification Authority of WoSign” and “CA 沃通根证书” root certificates, turn on all three trust bits for both root certs, and enable EV treatment for both root certs.

Note: Need WoSign to respond to the recent CA Communication before approval.
Whiteboard: EV - In second round of discussion → EV - Pending approval

    
    

    
  
(In reply to Kathleen Wilson from comment #54)
1. A -- Pending list has current audits and correct date

2. A -- Pending list has current BR audit

3. A) We have tested certificates in our CA hierarchy with Mozilla's new Certificate Verification library, and found that the certificates in our CA hierarchies are not impacted by the changes introduced in mozilla::pkix.

4. B -- We have previously issued certificates with the following problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page:  
(1) Default values in a SEQUENCE must not be explicitly encoded.
We will not issue new certificates with the problems listed in the mozpkix-testing#Things_for_CAs_to_Fix wiki page from the date: May 30, 2014.

(2) OCSP responders should not include a responseExtensions consisting of an empty SEQUENCE.
We will update our OCSP system and solve this problem before May 30, 2014.

5. A – Please visit: http://www.wosign.com/english/root.htm that lists all of publicly disclosed subordinate CA certificates that chain up to certificates in Mozilla's CA program.

    
    

    
  
(In reply to Kathleen Wilson from comment #55)
 > Section 18 [Certificate Hierarchy].
 > * Each root has 7 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, DV Server CA, Class 3 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

We launched two sub CA for CA1 from Jan. 1st, 2014, so now the hierarchy is:
* Each root has 9 internally-operated subordinate CAs according to certificate usages and subscriber verification: EV Server CA, OV Server CA, IV Server CA, DV Server CA, Class 3 Code Signing CA, Class 2 Code Signing CA, Class 1 Client CA, Class 2 Client CA, Class 3 Client CA.

 > * OCSP
Here's the current list.

(1) Certification Authority of WoSign:
http://ocsp1.wosign.com/ca1
http://ocsp1.wosign.com/class4/server/ca1
http://ocsp1.wosign.com/class3/server/ca1
http://ocsp1.wosign.com/class1/server/ca1
http://ocsp1.wosign.com/class1/client/ca1 
http://ocsp1.wosign.com/class2/client/ca1
http://ocsp1.wosign.com/class3/client/ca1
http://ocsp1.wosign.com/class3/code/ca1
http://ocsp1.wosign.com/class2/server/ca1
http://ocsp1.wosign.com/class2/code/ca1

(2) CA 沃通根证书:
http://ocsp2.wosign.cn/ca2
http://ocsp2.wosign.cn/class4/server/ca2
http://ocsp2.wosign.cn/class3/server/ca2
http://ocsp2.wosign.cn/class1/server/ca2
http://ocsp2.wosign.cn/class1/client/ca2
http://ocsp2.wosign.cn/class2/client/ca2
http://ocsp2.wosign.cn/class3/client/ca2
http://ocsp2.wosign.cn/class3/code/ca2
http://ocsp1.wosign.cn/class2/server/ca1
http://ocsp1.wosign.cn/class2/code/ca1

    
    

    
  
As per the summary in Comment #55, and on behalf of Mozilla I approve this request from WoSign to include the following root certificates:

** “Certification Authority of WoSign” (websites, email, code signing), enable EV
** “CA 沃通根证书” (websites, email, code signing), enable EV

I will file the NSS and PSM bugs for the approved changes.
Whiteboard: EV - Pending approval → EV - Approved - awaiting NSS and PSM changes

    
  
Depends on: 1017295

    
  
Depends on: 1017299

    
    

    
  
I have filed bug #1017295 against NSS and bug #1017299 against PSM for the actual changes.

    
    

    
  
We updated our PKI/CA system and OCSP system that we solved the related two problems. Please check the two test website to check if all solved, thanks a lot.

    
    

    
  
Mozilla released new NSS at July 3 that included WoSign two roots. But I installed new FireFox 31 released at July 22 that I can't find my two root builtin, what's the problem? is it a bug? I tested English version and Chinese version. Please help, thanks.

    
    

    
  
Re comment #61:  

It appears that NSS 3.16.3 -- where the WoSign roots were added -- will not be included in Firefox until Firefox 32.0 or possibly later.  See <https://wiki.mozilla.org/NSS:Release_Versions>.

    
  
Whiteboard: EV - Approved - awaiting NSS and PSM changes → EV - Approved - Included in FF 32, awaiting PSM changes

    
  
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: EV - Approved - Included in FF 32, awaiting PSM changes → EV - Included in FF 32, EV enabled in F34

    
    

    
  
WoSign has issued a certificate not complying to the Baseline Requirements v1.2.1, in particular, a SHA-1 validity period greater than January 1, 2017, issued after January 16, 2015.

This would appear to be inconsistent with https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/ / https://wiki.mozilla.org/CA:Problematic_Practices#SHA-1_Certificates

The certificate is available at https://code.google.com/p/chromium/issues/detail?id=381562#c10

    
    

    
  
We know this is NOT compliant with BR, but we should consider that there are more than 3 Million Internet users in China that don't support SHA2. So we issue SHA1 certificate first, and we will replace the SAH1 certificate at Dec 2016 to SHA2 to meet the request. 
Thanks for your comment.

    
    

    
  
I declared this problem in 2014 September CABF F2F meeting in Beijing that we should consider those 3M Internet user need. So our solution is a good solution for both side.

    
    

    
  
I just notice that it is after January 16, 2015, I think very few cert is issued that greater than Jan.1,2017

    
    

    
  
The 2014 WebTrust Seal link is:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842

    
    

    
  
Yes,The 2014 WebTrust Seal link for WoSign is:
WebTrust CA: https://cert.webtrust.org/ViewSeal?id=1843
WebTrust EV: https://cert.webtrust.org/ViewSeal?id=1842

    
    

    
  


  
WoSign 2014 WebTrust BR audit report

    
    

    
  
The WebTrust BR seal link is https://cert.webtrust.org/ViewSeal?id=1860

    
  
Product: mozilla.org → NSS
Product: NSS → CA Program

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: