Public Discussion of OISTE CA Inclusion Request


Ben Wilson

Jun 30, 2025, 2:00:59 PM
to public

All,


This email commences a six-week public discussion of OISTE’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store programs. This discussion period is scheduled to close on August 11, 2025.


The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.  


Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of OISTE must promptly respond directly in the discussion thread to all questions that are posted.

CCADB Case Number: 00001946

Organization Background Information (listed in CCADB):

Certificates Requesting Inclusion:


OISTE Client Root ECC G1

  • Certificate links: CA Repository / crt.sh

  • SHA-256 Certificate Fingerprint: D9A32485A8CCA85539CEF12FFFFF711378A17851D73DA2732AB4302D763BD62B

  • Intended use cases served/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

  • Reference Certificates:

OISTE Client Root RSA G1

  • Certificate links: CA Repository / crt.sh

  • SHA-256 Certificate Fingerprint: D02A0F994A868C66395F2E7A880DF509BD0C29C96DE16015A0FD501EDA4F96A9

  • Intended use cases served/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2

  • Reference Certificates:

OISTE Server Root ECC G1

OISTE Server Root RSA G1

Existing Publicly Trusted Root CAs from OISTE:

OISTE WISeKey Global Root GA CA:

  • Certificate links: (CA Repository / crt.sh)

  • SHA-256 Certificate Fingerprint: 41C923866AB4CAD6B7AD578081582E020797A6CBDF4FFF78CE8396B38937D7F5

  • Trust Bits/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8

  • Included in: Apple, Microsoft, Mozilla

OISTE WISeKey Global Root GB CA:

  • Certificate links: (CA Repository / crt.sh)

  • SHA-256 Certificate Fingerprint: 6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6

  • Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8

  • Included in: Apple, Google Chrome, Microsoft, Mozilla

  • Certificate corpus: (legacy Censys Search login required) (new Censys Platform login required and free accounts may be limited)


OISTE WISeKey Global Root GC CA:

  • Certificate links: (CA Repository / crt.sh)

  • SHA-256 Certificate Fingerprint: 8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D

  • Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8

  • Included in: Apple, Google Chrome, Microsoft, Mozilla

  • Certificate corpus: (legacy Censys Search login required) (new Censys Platform login required and free accounts may be limited)

Relevant Policy and Practices Documentation:

Most Recent Self-Assessment:

Audit Statements:

Incident Summary (Bugzilla incidents from previous 24 months):

1949755  S/MIME certificate issuance without proper validation

1903823  OCSP responding "Unauthorized" for a TLS certificate


Thank you


Ben, on behalf of the CCADB Steering Committee


Ben Wilson

Aug 22, 2025, 12:06:33 PM
to CCADB Public

Greetings all,

On June 30, 2025, we began a six-week, public discussion on the request from OISTE for inclusion of the following four root CA certificates:

OISTE Client Root ECC G1

OISTE Client Root RSA G1

OISTE Server Root ECC G1

OISTE Server Root RSA G1

The public discussion period ended on August 11.

We did not receive any objections or other questions or comments in opposition to OISTE’s request. We thank the community for its review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (e.g., m-d-s-p).

Sincerely yours,

Ben Wilson,

on behalf of the CCADB Steering Committee
