Reminder: there is one week left in the discussion period for this
inclusion request.

On Tue, May 1, 2018 at 12:02 PM Wayne Thayer <wtha...@mozilla.com> wrote:

> This request is for inclusion of the OISTE WISeKey Global Root GC CA as
> documented in the following bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1403591
>
> * BR Self Assessment is here:
> https://bugzilla.mozilla.org/attachment.cgi?id=8912732
>
> * Summary of Information Gathered and Verified:
> https://bugzilla.mozilla.org/attachment.cgi?id=8955363
>
> * Root Certificate Download URL:
> https://bugzilla.mozilla.org/attachment.cgi?id=8912737
>
> CP/CPS:
> https://cdn.wisekey.com/uploads/images/WKPKI.DE001-OWGTM-PKI-CPS.v2.10-CLEAN.pdf
>
> * This request is to turn on the Websites and Email trust bits. EV
> treatment is not requested.
>
> * EV Policy OIDs: Not EV
>
> * Test Websites
> https://gcvalidssl.hightrusted.com/
> https://gcexpiredssl.hightrusted.com/
> https://gcrevokedssl.hightrusted.com/
>
> * CRL URL: http://public.wisekey.com/crl/wcidgcas1.crl
>
> * OCSP URL: http://ocsp.wisekey.com/
>
> * Audit: Annual audits are performed by AUREN according to the WebTrust
> for CA and BR audit criteria.
> WebTrust:
> https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-CA-GC.pdf
> BR:
> https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-BR-GC.pdf
> EV: Not EV
>
> I’ve reviewed the CPS, BR Self Assessment, and related information for the
> OISTE WISeKey Global Root GC CA inclusion request that are being tracked in
> this bug and have the following comments:
>
> ==Good==
> * This root was created in May of 2017 and the intermediate appears to
> have only signed test certs since then.
> * Problem reporting mechanism is clearly labeled as such in the CPS.
>
> ==Meh==
> * The older OISTE WISeKey Global Root GA CA that is in our program has
> issued a few certs containing linting errors (some are false positives for
> OCSP signing certs):
> https://crt.sh/?caid=15102&opt=cablint,zlint,x509lint&minNotBefore=2010-01-01
> Two notable concerns are:
>     ** Valid wildcard certificate for a public suffix:
> https://crt.sh/?id=76535370&opt=cablint (BR 3.2.2.6 permits this only if
> “the applicant proves its rightful control of the entire Domain Namespace“)
>     ** Valid cert containing a non-printable string in the Subject :
> https://crt.sh/?id=308365498&opt=x509lint,ocsp
> * WISeKey was the subject of one misissuance bug for “invalid dnsNames”
> and “CN not in SAN” errors to which they responded promptly:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1391089
>     ** They also failed to respond to a problem report during this
> incident.
> Domain validation procedures are listed in an appendix instead of section
> 3.2.2.4 of the CPS and they include the soon-to-be-banned 3.2.2.4.1 and
> 3.2.2.4.5 methods. A note indicates that 3.2.2.4.5 will be discontinued
> after August 1st. The reference to 3.2.2.4.1 appears to be a documentation
> error.
> During my initial review, the CPS was missing CAA information and still
> referenced 3-year validity periods. WISeKey quickly made the needed changes
> but indicated that they update their CPS during an annual review rather
> than regularly as new requirements come into effect.
>
> ==Bad==
> Nothing to report
>
> This begins the 3-week comment period for this request [1].
>
> I will greatly appreciate your thoughtful and constructive feedback on the
> acceptance of this root into the Mozilla CA program.
>
> - Wayne
>
> [1] https://wiki.mozilla.org/CA/Application_Process
>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
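The four classes of misissuance raised under "Meh" above (a wildcard over a public suffix, a non-printable string in the Subject, a CN that is absent from the SAN, and invalid dNSNames) are all mechanically checkable. The following is an added example, not code from crt.sh, cablint, zlint, x509lint or WISeKey: it runs the corresponding lints over already-parsed Subject attributes and SAN dNSNames so it works offline with only the standard library. The public suffix set and the sample certificates are constructed for illustration and are not real data.

```python
"""Toy certificate lints for the issues noted in the review above.

Added example, not cablint/zlint/x509lint. It works on values already parsed
out of a certificate (Subject attribute pairs and SAN dNSNames), so it runs
offline with the standard library only.
"""
import re
import unicodedata

# Constructed subset of the Public Suffix List. The real list is much larger
# and must be refreshed regularly; this is only enough to show the check.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "com.br", "appspot.com"}

# LDH rule: letters, digits, hyphen; no leading or trailing hyphen; 1-63 octets.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_dnsname(name):
    """Return True if name is a syntactically valid (optionally wildcard) dNSName."""
    if not name or len(name) > 253 or name.endswith("."):
        return False
    labels = name.lower().split(".")
    # A wildcard is only allowed as the entire leftmost label.
    if labels[0] == "*":
        labels = labels[1:]
    # Bare TLDs and single-label (internal) names are not acceptable in public trust.
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def is_public_suffix_wildcard(name):
    """True if the wildcard would cover every registrable name under a public suffix
    (e.g. '*.co.uk'), which BR 3.2.2.6 permits only with proof of control of the
    entire namespace."""
    if not name.startswith("*."):
        return False
    return name[2:].lower() in PUBLIC_SUFFIXES


def has_nonprintable(value):
    """True if the string contains control or other non-printable characters."""
    return any(unicodedata.category(ch).startswith("C") for ch in value)


def lint_certificate(subject, san_dns_names):
    """Run the lints over a parsed Subject (list of (attr, value) pairs) and the
    SAN dNSName list. Returns a list of human-readable findings; empty means clean."""
    findings = []
    sans_lower = {n.lower() for n in san_dns_names}

    for attr, value in subject:
        if has_nonprintable(value):
            findings.append(f"subject {attr} contains non-printable characters: {value!r}")
        # Every CN must also appear as a SAN entry (DNS names compare case-insensitively).
        if attr == "CN" and value.lower() not in sans_lower:
            findings.append(f"CN {value!r} not present in SAN dNSNames")

    for name in san_dns_names:
        if not is_valid_dnsname(name):
            findings.append(f"invalid dNSName: {name!r}")
        elif is_public_suffix_wildcard(name):
            findings.append(f"wildcard covers a public suffix: {name!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample: one clean certificate, one exhibiting all four issues.
    clean = lint_certificate(
        [("C", "CH"), ("O", "Example SA"), ("CN", "www.example.com")],
        ["www.example.com", "example.com"],
    )
    bad = lint_certificate(
        [("C", "CH"), ("O", "Example\x07 SA"), ("CN", "www.example.com")],
        ["example.com", "*.co.uk", "bad_host.example.com"],
    )
    print("clean cert findings:", clean)
    for finding in bad:
        print("bad cert:", finding)
```

To apply this to real certificates, feed it the Subject attribute pairs and the SAN dNSName list obtained from any X.509 parser; the checks themselves do not depend on how the certificate was decoded. The public suffix check is only as good as the suffix list it is given, so in practice the full, current Public Suffix List should replace the constructed set.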
