Very thanks to Mr Erwann Abalea’s comments. I am very sorry that we don’t update the related document in Mozilla bugzilla in time. My company changed the company name from “WoSign eCommerce Services Limited” to “WoSign CA Limited” at Sept 10th, so we resigned CA1 and CA2 at Sep.14th and setup the test website at Sept. 16th that have the reported problem. But our auditor advised us that they should be onsite as a witness for root resigning. So we resigned two roots at Oct. 22 and reissued the EV test cert. But many internal reason, we don’t update the new resigned root CA and test cert to test site. Now, we upload the new resigned two root CA cert file and the key resigning ceremony document signed by Ernst & Young Auditor as witness. And update the test site certificates. CA1: https://bugzilla.mozilla.org/attachment.cgi?id=831452 CA2: https://bugzilla.mozilla.org/attachment.cgi?id=831454 Witness document: https://bugzilla.mozilla.org/attachment.cgi?id=831456
For summary to response Mr Erwann Abalea’s comments as following: 1. For EV Policy OID, we decided to use one EV OID for all roots: 1.3.6.1.4.1.36305.2; 2. For countryName element encoded as UTF8, we solved that all are PrintableString now; 3. For SGC EKU, we removed; 4. For CRL/AIA MIME type, we corrected; 5. For OCSP responders certificate don't have the OcspNoCheck extension: we added; 6. For WebTrust audit cover, we will change to apply the another covered root CA “CA 沃通根证书” for inclusion instead of root CA2 -“CA WoSign”. So we appointed Ernst & Young auditor to be onsite as a witness to resign this root CA to change subject organization name at this week Thursday. After resigning, we will setup the test site. 7. For CRL/AIA/OCSP URL: we will correct all in the update Bugzilla Summary after resign the CA3 -- “CA 沃通根证书”. 8. We still need some time to solve other left problems, thanks for your patient. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
