This request is for inclusion of the OISTE WISeKey Global Root GC CA as documented in the following bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1403591
* BR Self Assessment is here: https://bugzilla.mozilla.org/attachment.cgi?id=8912732
* Summary of Information Gathered and Verified: https://bugzilla.mozilla.org/attachment.cgi?id=8955363
* Root Certificate Download URL: https://bugzilla.mozilla.org/attachment.cgi?id=8912737
* CP/CPS: https://cdn.wisekey.com/uploads/images/WKPKI.DE001-OWGTM-PKI-CPS.v2.10-CLEAN.pdf
* This request is to turn on the Websites and Email trust bits. EV treatment is not requested.
* EV Policy OIDs: Not EV
* Test Websites
** https://gcvalidssl.hightrusted.com/
** https://gcexpiredssl.hightrusted.com/
** https://gcrevokedssl.hightrusted.com/
* CRL URL: http://public.wisekey.com/crl/wcidgcas1.crl
* OCSP URL: http://ocsp.wisekey.com/
* Audit: Annual audits are performed by AUREN according to the WebTrust for CA and BR audit criteria.
** WebTrust: https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-CA-GC.pdf
** BR: https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-BR-GC.pdf
** EV: Not EV

I’ve reviewed the CPS, BR Self Assessment, and related information for the OISTE WISeKey Global Root GC CA inclusion request that are being tracked in this bug and have the following comments:

==Good==
* This root was created in May of 2017 and the intermediate appears to have only signed test certs since then.
* Problem reporting mechanism is clearly labeled as such in the CPS.
==Meh==
* The older OISTE WISeKey Global Root GA CA that is in our program has issued a few certs containing linting errors (some are false positives for OCSP signing certs): https://crt.sh/?caid=15102&opt=cablint,zlint,x509lint&minNotBefore=2010-01-01 Two notable concerns are:
** Valid wildcard certificate for a public suffix: https://crt.sh/?id=76535370&opt=cablint (BR 3.2.2.6 permits this only if “the applicant proves its rightful control of the entire Domain Namespace”)
** Valid cert containing a non-printable string in the Subject: https://crt.sh/?id=308365498&opt=x509lint,ocsp
* WISeKey was the subject of one misissuance bug for “invalid dnsNames” and “CN not in SAN” errors to which they responded promptly: https://bugzilla.mozilla.org/show_bug.cgi?id=1391089
** They also failed to respond to a problem report during this incident.
* Domain validation procedures are listed in an appendix instead of section 3.2.2.4 of the CPS and they include the soon-to-be-banned 3.2.2.4.1 and 3.2.2.4.5 methods. A note indicates that 3.2.2.4.5 will be discontinued after August 1st. The reference to 3.2.2.4.1 appears to be a documentation error.
* During my initial review, the CPS was missing CAA information and still referenced 3-year validity periods. WISeKey quickly made the needed changes but indicated that they update their CPS during an annual review rather than regularly as new requirements come into effect.

==Bad==
Nothing to report

This begins the 3-week comment period for this request [1]. I will greatly appreciate your thoughtful and constructive feedback on the acceptance of this root into the Mozilla CA program.

- Wayne

[1] https://wiki.mozilla.org/CA/Application_Process
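The two lint findings cited above (a wildcard certificate whose name sits directly on a public suffix, and a Subject attribute containing a non-printable character) are the kind of defect a CA can catch with a pre-issuance check. The following is an added example, not part of Wayne's post and not WISeKey's or crt.sh's code: it approximates those two checks over a certificate's dNSNames and Subject. The public-suffix set is a small constructed subset of the Public Suffix List, and the exact rules cablint and x509lint apply are not reproduced here; both simplifications are assumptions.

```python
import unicodedata

# Constructed subset of the Public Suffix List (https://publicsuffix.org/),
# used only as sample data; a real check would load the full list.
SAMPLE_PUBLIC_SUFFIXES = {
    "com", "net", "org", "uk", "co.uk", "org.uk", "github.io", "ch",
}


def wildcard_on_public_suffix(dns_name, suffixes=SAMPLE_PUBLIC_SUFFIXES):
    """Return True when a dNSName of the form '*.<labels>' has a public
    suffix immediately to the right of the wildcard, i.e. the certificate
    would match every registrable domain under that suffix."""
    name = dns_name.strip().rstrip(".").lower()
    if not name.startswith("*."):
        return False
    return name[2:] in suffixes


def non_printable_values(subject):
    """Given a Subject as a list of (attribute, value) pairs, return the
    attributes whose value contains a control character (Unicode category Cc).
    This is a simplified stand-in for the x509lint string-encoding checks."""
    flagged = []
    for attr, value in subject:
        if any(unicodedata.category(ch) == "Cc" for ch in value):
            flagged.append(attr)
    return flagged


def lint_certificate(dns_names, subject):
    """Run both checks and return a list of finding strings, empty if clean."""
    findings = []
    for name in dns_names:
        if wildcard_on_public_suffix(name):
            findings.append(f"wildcard on public suffix: {name}")
    for attr in non_printable_values(subject):
        findings.append(f"non-printable character in subject {attr}")
    return findings


# Constructed sample input resembling the two findings named in the review;
# the NUL byte in the O value is the "non-printable" case.
SAMPLE_DNS_NAMES = ["*.co.uk", "*.example.co.uk", "www.example.com"]
SAMPLE_SUBJECT = [("CN", "*.co.uk"), ("O", "Example\x00Org"), ("C", "CH")]

if __name__ == "__main__":
    for finding in lint_certificate(SAMPLE_DNS_NAMES, SAMPLE_SUBJECT):
        print("FINDING:", finding)
```

Running it against the constructed sample reports the `*.co.uk` wildcard and the control character in the O attribute, while `*.example.co.uk` passes because the label to the right of the wildcard is a registrable domain rather than a public suffix.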