Hi all,

This is the OEM certificate from Certum. Certum owns and controls everything with its own validation; you can check the test site https://ovpretest.wosign.com to see that its CPS/CRL/OCSP/OID all belong to Certum.
I don't think WoSign can't be a reseller of other CA.

Thanks.

Best Regards,
Richard

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Patrick Figel
Sent: Wednesday, November 23, 2016 7:30 AM
To: Tobias Sachs <[email protected]>
Cc: [email protected]
Subject: Re: WoSign has new roots?

On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs <[email protected]> wrote:
> On Tuesday, 22 November 2016 at 21:37:08 UTC+1, Lewis Resmond wrote:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new
> CA is now the target. You can find the cert mentioned there here [2] and the
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and are currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent". I assume that this means Certum holds the keys for these intermediates and WoSign is essentially acting as a reseller. I don't think that's something Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority for certificates issued under that intermediate and what the auditing and disclosure requirements for that would be - maybe someone more familiar with the BRs can comment. WoSign acting as an RA prior to finishing the re-application process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

