On 11/13/13 4:48 AM, [email protected] wrote:
Very thanks to Mr Erwann Abalea’s comments.
I am very sorry that we don’t update the related document in Mozilla bugzilla
in time. My company changed the company name from “WoSign eCommerce Services
Limited” to “WoSign CA Limited” at Sept 10th, so we resigned CA1 and CA2 at
Sep.14th and setup the test website at Sept. 16th that have the reported
problem.
But our auditor advised us that they should be onsite as a witness for root
resigning. So we resigned two roots at Oct. 22 and reissued the EV test cert.
But many internal reason, we don’t update the new resigned root CA and test
cert to test site.
Now, we upload the new resigned two root CA cert file and the key resigning
ceremony document signed by Ernst & Young Auditor as witness. And update the
test site certificates.
CA1: https://bugzilla.mozilla.org/attachment.cgi?id=831452
CA2: https://bugzilla.mozilla.org/attachment.cgi?id=831454
Witness document: https://bugzilla.mozilla.org/attachment.cgi?id=831456
For summary to response Mr Erwann Abalea’s comments as following:
1. For EV Policy OID, we decided to use one EV OID for all roots:
1.3.6.1.4.1.36305.2;
2. For countryName element encoded as UTF8, we solved that all are
PrintableString now;
3. For SGC EKU, we removed;
4. For CRL/AIA MIME type, we corrected;
5. For OCSP responders certificate don't have the OcspNoCheck extension: we
added;
6. For WebTrust audit cover, we will change to apply the another covered root CA
“CA 沃通根证书” for inclusion instead of root CA2 -“CA WoSign”. So we appointed Ernst
& Young auditor to be onsite as a witness to resign this root CA to change
subject organization name at this week Thursday. After resigning, we will setup the
test site.
7. For CRL/AIA/OCSP URL: we will correct all in the update Bugzilla Summary
after resign the CA3 -- “CA 沃通根证书”.
8. We still need some time to solve other left problems, thanks for your
patient.
Given the changes at WoSign and the updated roots, I am closing this
discussion now with the action items listed above, and another action
item to get a full new audit covering the root certs WoSign now wishes
to include in NSS.
Tracking of these action items will be done in the bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=851435
I will start a second round of discussion after these have been completed.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
