All,
This email commences a six-week public discussion of OISTE’s request to include the following certificates as publicly trusted root certificates in one or more CCADB Root Store programs. This discussion period is scheduled to close on August 11, 2025.
The purpose of this public discussion process is to promote openness and transparency. However, each Root Store makes its inclusion decisions independently, on its own timelines, and based on its own inclusion criteria. Successful completion of this public discussion process does not guarantee any favorable action by any root store.
Anyone with concerns or questions is urged to raise them on this CCADB Public list by replying directly in this discussion thread. Likewise, a representative of OISTE must promptly respond directly in the discussion thread to all questions that are posted.
CCADB Case Number: 00001946
Organization Background Information (listed in CCADB):
CA Owner Name: OISTE Foundation
Website: https://oiste.org
Address: Avenue Louis-Casai 58, 1216 Cointrin, Geneva, Switzerland
Problem Reporting Mechanisms: c...@wisekey.com
Organization Type: Private Corporation
Repository URL: https://www.oiste.org/repository
Certificates Requesting Inclusion:
OISTE Client Root ECC G1
Certificate links: CA Repository / crt.sh
SHA-256 Certificate Fingerprint: D9A32485A8CCA85539CEF12FFFFF711378A17851D73DA2732AB4302D763BD62B
Intended use cases served/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2
Reference Certificates:
OISTE Client Root RSA G1
Certificate links: CA Repository / crt.sh
SHA-256 Certificate Fingerprint: D02A0F994A868C66395F2E7A880DF509BD0C29C96DE16015A0FD501EDA4F96A9
Intended use cases served/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2
Reference Certificates:
OISTE Server Root ECC G1
Certificate links: CA Repository / crt.sh
SHA-256 Certificate Fingerprint: EEC997C0C30F216F7E3B8B307D2BAE42412D753FC8219DAFD1520B2572850F49
Intended use cases served/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Client Authentication 1.3.6.1.5.5.7.3.2
Test websites:
DV Automation: https://eccg1dvvalidssl.hightrusted.com
OV Automation: https://eccg1ovvalidssl.hightrusted.com
EV Automation: https://eccg1evvalidssl.hightrusted.com
OISTE Server Root RSA G1
Certificate links: CA Repository / crt.sh
SHA-256 Certificate Fingerprint: 9AE36232A5189FFDDB353DFD26520C015395D22777DAC59DB57B98C089A651E6
Intended use cases served/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Client Authentication 1.3.6.1.5.5.7.3.2
Test websites:
DV Automation: https://rsag1dvvalidssl.hightrusted.com
OV Automation: https://rsag1ovvalidssl.hightrusted.com
EV Automation: https://rsag1evvalidssl.hightrusted.com
Existing Publicly Trusted Root CAs from OISTE:
OISTE WISeKey Global Root GA CA:
Certificate links: (CA Repository / crt.sh)
SHA-256 Certificate Fingerprint: 41C923866AB4CAD6B7AD578081582E020797A6CBDF4FFF78CE8396B38937D7F5
Trust Bits/EKUs: Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8
Included in: Apple, Microsoft, Mozilla
OISTE WISeKey Global Root GB CA:
Certificate links: (CA Repository / crt.sh)
SHA-256 Certificate Fingerprint: 6B9C08E86EB0F767CFAD65CD98B62149E5494A67F5845E7BD1ED019F27B86BD6
Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8
Included in: Apple, Google Chrome, Microsoft, Mozilla
Certificate corpus: (legacy Censys Search login required) (new Censys Platform login required and free accounts may be limited)
OISTE WISeKey Global Root GC CA:
Certificate links: (CA Repository / crt.sh)
SHA-256 Certificate Fingerprint: 8560F91C3624DABA9570B5FEA0DBE36FF11A8323BE9486854FB3F34A5571198D
Trust Bits/EKUs: Server Authentication (TLS) 1.3.6.1.5.5.7.3.1; Secure Email (S/MIME) 1.3.6.1.5.5.7.3.4; Client Authentication 1.3.6.1.5.5.7.3.2; Document Signing AATL 1.2.840.113583.1.1.5; Document Signing MS 1.3.6.1.4.1.311.10.3.12; Time Stamping 1.3.6.1.5.5.7.3.8
Included in: Apple, Google Chrome, Microsoft, Mozilla
Certificate corpus: (legacy Censys Search login required) (new Censys Platform login required and free accounts may be limited)
Relevant Policy and Practices Documentation:
Most Recent Self-Assessment:
Audit Statements:
Auditor: Auren
Audit Criteria: WebTrust
Recent Audit Statement(s):
Root Key Generation (May 31, 2023)
Standard Audit (Period: May 9, 2023 - May 8, 2024)
TLS BR Audit (Period: May 9, 2023 - May 8, 2024)
TLS EVG Audit (Period: May 9, 2023 - May 8, 2024)
S/MIME BR Audit (Period: May 9, 2023 - May 8, 2024)
Incident Summary (Bugzilla incidents from previous 24 months):
1949755 S/MIME certificate issuance without proper validation
1903823 OCSP responding "Unauthorized" for a TLS certificate
Thank you
Ben, on behalf of the CCADB Steering Committee
Greetings all,
On June 30, 2025, we began a six-week, public discussion on the request from OISTE for inclusion of the following four root CA certificates:
OISTE Client Root ECC G1
OISTE Client Root RSA G1
OISTE Server Root ECC G1
OISTE Server Root RSA G1
The public discussion period ended on August 11.
We did not receive any objections or other questions or comments in opposition to OISTE’s request. We thank the community for its review and consideration during this period. Root Store Programs will make final inclusion decisions independently, on their own timelines, and based on each Root Store Member’s inclusion criteria. Further discussion may take place in the independently managed Root Store community forums (e.g., m-d-s-p).
Sincerely yours,
Ben Wilson,
on behalf of the CCADB Steering Committee