Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit). The organization's long-term success requires inclusion in major root programs.
For information, WoSign/WoTrus can already sell WoSign-branded EV certificates accepted by major trust stores, Mozilla's included.
The intermediate certificate "WoSign EV SSL Pro CA" ( https://crt.sh/?id=146206939 ) is signed by "DigiCert High Assurance EV Root CA".
As stated by DigiCert, WoSign/WoTrus doesn't control the private key of "WoSign EV SSL Pro CA", DigiCert does ( https://bugzilla.mozilla.org/show_bug.cgi?id=1418451#c4 ).
And the fact that they are simply a reseller (as they don't control the private key nor do the validation themselves) is even well hidden by the Firefox UI, which states "Certified by: WoSign CA limited".
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

