Thanks for this message. Clarification: WISeKey, as verified during our last WebTrust audit for BR, has not been issuing SHA-1 certificates with validity beyond 31-Dec-2105 since April 2015, and we're in the process of reissuing or revoking any problematic certificate before the end of the year.
We also recently updated our RA solution to ensure consistency on the CN and SAN names, making mandatory the presence of the first SAN. So, although this warning message is justified, WISeKey has already put in place the required controls to ensure that no problematic practices occur.

Regards,
Pedro Fuentes
WISeKey SA

On Thursday, 10 September 2015, 1:50:08 (UTC+2), David Keeler wrote:
> On 08/05/2015 10:53 AM, Kathleen Wilson wrote:
> > WISeKey has applied to include the "OISTE WISeKey Global Root GB CA"
> > root certificate, turn on all three trust bits, and enable EV
> > treatment. This SHA-256 root cert will eventually replace WISeKey's
> > SHA-1 root cert that was included in NSS via Bugzilla Bug #371362.
> > ...
>
> > * Potentially Problematic Practices -- None noted
> > (http://wiki.mozilla.org/CA:Problematic_Practices)
>
> The following certificate with a validity period of Mar 06 2015 to Mar
> 06 2016 was signed with sha-1. It also has the nsCertType extension,
> which is deprecated.
>
> The following certificate with a validity period of Nov 06 2014 to Nov
> 05 2017 has similar problems. In addition, the common name is expressed
> as a wildcard ("*.hightrusted.com"). This will not work as expected in
> Firefox because the wildcard is not expressed as an entry in the subject
> alternative name extension.
>
> Cheers,
> David Keeler
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
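The three findings raised in this thread (SHA-1 signature, the deprecated nsCertType extension, and a common name that is not repeated in the subject alternative name extension) can be expressed as a pre-issuance lint. The following is an added example, not code from WISeKey or Mozilla; the `CertFields` structure, the finding labels and the sample certificates are constructed for illustration, and it assumes the fields have already been extracted from the certificate.

```python
from dataclasses import dataclass, field

# Signature algorithm OIDs that use SHA-1.
SHA1_SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"  # Netscape Certificate Type


@dataclass
class CertFields:
    """Hypothetical container for fields already parsed out of a certificate."""
    sig_alg_oid: str
    subject_cn: str
    san_dns: list = field(default_factory=list)
    extension_oids: list = field(default_factory=list)


def _norm(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.lower().rstrip(".")


def lint(cert):
    """Return the list of findings (hypothetical labels) for one certificate."""
    findings = []
    if cert.sig_alg_oid in SHA1_SIG_OIDS:
        findings.append("sha1-signature")
    if NS_CERT_TYPE_OID in cert.extension_oids:
        findings.append("nscerttype-present")
    sans = {_norm(n) for n in cert.san_dns}
    if not sans:
        findings.append("san-missing")
    elif _norm(cert.subject_cn) not in sans:
        # A wildcard CN must appear in the SAN as the same wildcard entry;
        # listing individual hostnames under it is not equivalent.
        findings.append("cn-not-in-san")
    return findings


# Constructed samples modelled on the two certificates described in the thread,
# plus a clean SHA-256 certificate for comparison.
SHA1_HOST = CertFields("1.2.840.113549.1.1.5", "host01.example.com",
                       ["owa.example.com", "Host01.Example.com"],
                       [NS_CERT_TYPE_OID])
SHA1_WILDCARD = CertFields("1.2.840.113549.1.1.5", "*.example.com",
                           ["example.com", "www.example.com"],
                           [NS_CERT_TYPE_OID])
CLEAN = CertFields("1.2.840.113549.1.1.11", "www.example.com",
                   ["www.example.com"])
```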

