All,

This email commences a six-week public discussion of OISTE’s request to
include the following certificates as publicly trusted root certificates in
one or more CCADB Root Store programs. This discussion period is scheduled
to close on August 11, 2025.

The purpose of this public discussion process is to promote openness and
transparency. However, each Root Store makes its inclusion decisions
independently, on its own timelines, and based on its own inclusion
criteria. Successful completion of this public discussion process does not
guarantee any favorable action by any root store.

Anyone with concerns or questions is urged to raise them on this CCADB
Public list by replying directly in this discussion thread. Likewise, a
representative of OISTE must promptly respond directly in the discussion
thread to all questions that are posted.

CCADB Case Number: 00001946
<https://ccadb.my.salesforce-sites.com/mozilla/PrintViewForCase?CaseNumber=00001946>

Organization Background Information (listed in CCADB):

   - CA Owner Name: OISTE Foundation
   - Website: https://oiste.org
   - Address: Avenue Louis-Casai 58, 1216 Cointrin, Geneva, Switzerland
   - Problem Reporting Mechanisms: [email protected]
   - Organization Type: Private Corporation
   - Repository URL: https://www.oiste.org/repository

Certificates Requesting Inclusion:

OISTE Client Root ECC G1

   - Certificate links: CA Repository
     <http://public.wisekey.com/crt/ocreccg1.cer> / crt.sh
     <https://crt.sh/?q=D9A32485A8CCA85539CEF12FFFFF711378A17851D73DA2732AB4302D763BD62B>
   - SHA-256 Certificate Fingerprint:
     D9A32485A8CCA85539CEF12FFFFF711378A17851D73DA2732AB4302D763BD62B
   - Intended use cases served/EKUs: Secure Email (S/MIME)
     1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2
   - Reference Certificates:

OISTE Client Root RSA G1

   - Certificate links: CA Repository
     <http://public.wisekey.com/crt/ocrrsag1.cer> / crt.sh
     <https://crt.sh/?q=D02A0F994A868C66395F2E7A880DF509BD0C29C96DE16015A0FD501EDA4F96A9>
   - SHA-256 Certificate Fingerprint:
     D02A0F994A868C66395F2E7A880DF509BD0C29C96DE16015A0FD501EDA4F96A9
   - Intended use cases served/EKUs: Secure Email (S/MIME)
     1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2
   - Reference Certificates:

OISTE Server Root ECC G1

   - Certificate links: CA Repository
     <http://public.wisekey.com/crt/osreccg1.cer> / crt.sh
     <https://crt.sh/?q=EEC997C0C30F216F7E3B8B307D2BAE42412D753FC8219DAFD1520B2572850F49>
   - SHA-256 Certificate Fingerprint:
     EEC997C0C30F216F7E3B8B307D2BAE42412D753FC8219DAFD1520B2572850F49
   - Intended use cases served/EKUs: Server Authentication (TLS)
     1.3.6.1.5.5.7.3.1; Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
      - Valid: https://eccg1validssl.hightrusted.com/
      - Revoked: https://eccg1revokedssl.hightrusted.com/
      - Expired: https://eccg1expiredssl.hightrusted.com/
      - DV Automation: https://eccg1dvvalidssl.hightrusted.com
      - OV Automation: https://eccg1ovvalidssl.hightrusted.com
      - EV Automation: https://eccg1evvalidssl.hightrusted.com

OISTE Server Root RSA G1

   - Certificate links: CA Repository
     <http://public.wisekey.com/crt/osrrsag1.cer> / crt.sh
     <https://crt.sh/?q=9AE36232A5189FFDDB353DFD26520C015395D22777DAC59DB57B98C089A651E6>
   - SHA-256 Certificate Fingerprint:
     9AE36232A5189FFDDB353DFD26520C015395D22777DAC59DB57B98C089A651E6
   - Intended use cases served/EKUs: Server Authentication (TLS)
     1.3.6.1.5.5.7.3.1; Client Authentication 1.3.6.1.5.5.7.3.2
   - Test websites:
      - Valid: https://rsag1validssl.hightrusted.com/
      - Revoked: https://rsag1revokedssl.hightrusted.com/
      - Expired: https://rsag1expiredssl.hightrusted.com/
      - DV Automation: https://rsag1dvvalidssl.hightrusted.com
      - OV Automation: https://rsag1ovvalidssl.hightrusted.com
      - EV Automation: https://rsag1evvalidssl.hightrusted.com

Existing Publicly Trusted Root CAs from OISTE:

OISTE WISeKey Global Root GA CA:

   - Certificate links: (CA Repository
     <http://public.wisekey.com/crt/owgrgaca.crt> / crt.sh
     <https://crt.sh/?q=41C923866AB4CAD6B7AD578081582E020797A6CBDF4FFF78CE8396B38937D7F5>)
   - SHA-256 Certificate Fingerprint:
     41C923866AB4CAD6B7AD578081582E020797A6CBDF4FFF78CE8396B38937D7F5
   - Trust Bits/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client
     Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL
     1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time
     Stamping 1.3.6.1.5.5.7.3.8
   - Included in: Apple, Microsoft, Mozilla

OISTE WISeKey Global Root GB CA:

   - Certificate links: (CA Repository
     <http://public.wisekey.com/crt/owgrgbca.crt> / crt.sh
     <https://crt.sh/?q=6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6>)
   - SHA-256 Certificate Fingerprint:
     6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6
   - Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure
     Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication
     1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document
     Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8
   - Included in: Apple, Google Chrome, Microsoft, Mozilla
   - Certificate corpus: (legacy Censys Search
     <https://search.censys.io/search?resource=certificates&q=6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6+and+labels%3Dever-trusted>
     login required) (new Censys Platform
     <https://platform.censys.io/search?q=web.cert.validation.nss.chains.sha256fp%3A+6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6>
     login required and free accounts may be limited)


OISTE WISeKey Global Root GC CA:

   - Certificate links: (CA Repository
     <http://public.wisekey.com/crt/owgrgc.crt> / crt.sh
     <https://crt.sh/?q=8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D>)
   - SHA-256 Certificate Fingerprint:
     8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D
   - Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure
     Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication
     1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document
     Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8
   - Included in: Apple, Google Chrome, Microsoft, Mozilla
   - Certificate corpus: (legacy Censys Search
     <https://search.censys.io/search?resource=certificates&q=8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D+and+labels%3Dever-trusted>
     login required) (new Censys Platform
     <https://platform.censys.io/search?q=web.cert.validation.nss.chains.sha256fp%3A+8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D>
     login required and free accounts may be limited)

Relevant Policy and Practices Documentation:

   - CP/CPS:
     https://raw.githubusercontent.com/OISTE/repository/refs/heads/main/OWGTMCPS.md

Most Recent Self-Assessment:

   - https://filevault.wisekey.com/f/de19dfbc00/?dl=1

Audit Statements:

   - Auditor: Auren
   - Audit Criteria: WebTrust
   - Recent Audit Statement(s):
      - Root Key Generation <https://filevault.wisekey.com/f/eb5a6c3e5a/?dl=1>
        (May 31, 2023)
      - Standard Audit
        <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=8f73e908-07a7-44ad-b7e3-e2d7965347a7>
        (Period: May 9, 2023 - May 8, 2024)
      - TLS BR Audit
        <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=97bdb7b2-4e58-4795-9ab7-7f3cbf315e8b>
        (Period: May 9, 2023 - May 8, 2024)
      - TLS EVG Audit
        <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=07d0ac64-d6a2-480f-98d8-2a9c8c698dd1>
        (Period: May 9, 2023 - May 8, 2024)
      - S/MIME BR Audit
        <https://www.cpacanada.ca/api/getPDFWebTrust?attachmentId=72b8fddb-2249-4316-bc47-5245a1d8dc3c>
        (Period: May 9, 2023 - May 8, 2024)

Incident Summary (Bugzilla incidents from previous 24 months):

1949755 <https://bugzilla.mozilla.org/show_bug.cgi?id=1949755>  S/MIME
certificate issuance without proper validation

1903823 <https://bugzilla.mozilla.org/show_bug.cgi?id=1903823>  OCSP
responding "Unauthorized" for a TLS certificate

Thank you


Ben, on behalf of the CCADB Steering Committee
