WoSign has applied to include the "Certification Authority of WoSign G2"
and "CA WoSign ECC Root" root certificates, turn on all three trust bits
for both roots, and enable EV treatment for both roots. WoSign's
previous root certificates were included via Bugzilla Bug #851435.
WoSign issues certificates to the general public in China. Their SSL
certificates are deployed at top-10 eCommerce websites in China and at
banks, telecoms, enterprises, etc.
The request is documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1156175
And in the pending certificates list:
https://wiki.mozilla.org/CA:PendingCAs
Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8606022
Noteworthy points:
* Documents are provided in Chinese, and the CPS has been translated
into English.
Document Repository (Chinese):
http://www.wosign.com/policy/cps.htm
CPS (English):
http://www.wosign.com/policy/cps_e.htm
* CA Hierarchy for the "Certification Authority of WoSign G2" root:
The plan is to have 10 internally-operated subCAs for 3 types of
certificates: SSL Certificate, Code Signing Certificate and Client
Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV SSL CA G2
2. WoSign Class 4/3/2 EV/OV/IV Code Signing CA G2
3. WoSign Class 3/2/1 Client CA G2
Currently, one of the subCAs has been issued: WoSign Class 4 EV SSL CA G2
* CA Hierarchy for the "CA WoSign ECC Root" root:
The plan is to have 10 internally-operated subCAs for 3 types of
certificates: SSL Certificate, Code Signing Certificate and Client
Certificate.
1. WoSign Class 4/3/2/1 EV/OV/IV/DV ECC SSL CA
2. WoSign Class 4/3/2 EV/OV/IV ECC Code Signing CA
3. WoSign Class 3/2/1 ECC Client CA
Currently, one of the subCAs has been issued: WoSign Class 4 EV ECC SSL CA
* This request is to turn on all three trust bits for both roots, and to
enable EV treatment for both roots.
** CPS section 3.2.2.1 -- Class 1
*** Email accounts are validated by sending an electronic mail message
with a verification code to the requested email account. The subscriber
has to return and submit the verification code as proof of ownership of
the email account within a limited period sufficient to receive
an electronic mail message.
*** Fully qualified domain names, typically “www.domain.com” or
“domain.com”, are validated by sending an electronic mail message with a
verification code to one of the following administrative electronic mail
accounts:
webm...@domain.com,
hostm...@domain.com,
postm...@domain.com,
ad...@domain.com,
admini...@domain.com
The subscriber has to return and submit the verification code as proof
of ownership of the domain name within a limited period sufficient
to receive an electronic mail message. Additionally, the existence
of the domain name is verified by checking the WHOIS records provided by
the domain name registrar. If the WHOIS data contain administrative
email addresses, they may be offered as additional choices to the
above-mentioned electronic mail accounts.
If the subscriber can’t receive email at any of the above 6 email
accounts, he/she can choose website control validation instead: the
subscriber must upload a website control validation code file to the
website root directory to complete the website control validation.
WoSign performs additional sanity and fraud prevention checks as
outlined in section 3.1.6. Wild card domain names like “*.domain.com”
are not issued at the Class 1 level.
WoSign SSL certificates support IDN domains in Chinese and other
languages, so WoSign makes a reasonable check for similar-sounding and
similar-looking names to prevent possible abuse; this check is also
applied to non-IDN names such as PAYPA1.COM, MICR0S0FT.COM, etc. All IDN
domains also require the same system domain ownership verification as
normal non-IDN domains.
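An added example (not WoSign's code and not part of the original post) of the two Class 1 pre-issuance screens described above: wildcard names are refused at Class 1, and names that merely resemble a well-known name (PAYPA1.COM, MICR0S0FT.COM, or a Cyrillic look-alike in an IDN) are held for manual fraud-prevention review before any domain control validation runs. The watch list and the confusable-character table are constructed assumptions; a CA would maintain its own.

```python
"""Pre-issuance name screen modelled on the Class 1 rules quoted above.
Added example, not WoSign's code; the watch list and the confusable
table are constructed for illustration."""
import unicodedata
from typing import Tuple

# Constructed watch list of names worth a manual look (assumption).
WATCH_LIST = {"paypal", "microsoft", "wosign"}

# Constructed table: characters commonly substituted for Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "\u0430": "a", "\u043e": "o", "\u0440": "p",   # Cyrillic a, o, er
    "\u0435": "e", "\u0441": "c", "\u0445": "x",   # Cyrillic ie, es, ha
})

def to_unicode(fqdn: str) -> str:
    """Decode punycode (xn--) labels so an IDN is screened by what the
    user sees, not by its ACE form; non-ASCII input is returned as-is."""
    try:
        return fqdn.encode("ascii").decode("idna")
    except UnicodeError:
        return fqdn

def registrable_part(fqdn: str) -> str:
    """Second-level label: 'www.paypa1.com' -> 'paypa1'. Naive dot split;
    public-suffix handling (co.uk etc.) is out of scope for the example."""
    labels = fqdn.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def skeleton(label: str) -> str:
    """Comparison form: NFKC, lower-case, confusables mapped to Latin."""
    return unicodedata.normalize("NFKC", label).lower().translate(CONFUSABLES)

def screen_name(fqdn: str, cert_class: int) -> Tuple[bool, str]:
    """Return (accept, reason). accept=False means the order must not be
    issued automatically: the wildcard rule rejects it outright, the
    look-alike rule routes it to manual fraud-prevention review."""
    wildcard = fqdn.startswith("*.")
    if wildcard and cert_class == 1:
        return False, "wildcard names are not issued at Class 1"
    name = to_unicode(fqdn[2:] if wildcard else fqdn)
    raw = registrable_part(name)
    core = skeleton(raw)
    for brand in WATCH_LIST:
        if core == brand and raw != brand:
            return False, f"resembles '{brand}': manual review required"
    return True, "no name-similarity concern"
```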
** CPS section 3.2.2.2 - Class 2
The verification process of personal identities of subscribers is
performed manually. The WoSign CA validates without any reasonable
doubt that the following details are correct: First and last name;
Residence, Address; State or Region; Country
.... Email control validation is performed as in Class 1.
** CPS section 3.2.2.3 - Class 3
The verification process of organizations implies the same level of
identity validation of the subscriber (responsible person) and is
performed manually. WoSign validates without any reasonable doubt that
the following details are correct: Registered organization name;
Address; State or Region; Country
.... Domain and email control validation is performed as in Class 1.
Domain control may also be established through verification of the WHOIS
records and matching subscriber information.
** CPS section 3.2.2.4 - Class 4
Validation for EV SSL Certificates and EV Code Signing Certificates for
organizations is performed according to the validation procedures and
requirements of the EV SSL Certificate Guidelines and EV Code Signing
Certificate Guidelines, as published by the CA/Browser Forum.
** CPS section 3.2.4: Validation of authority: WoSign confirms and
verifies that the subscriber is duly authorized to represent the
organization and obtain the certificate on their behalf by obtaining an
authorization statement and by contacting the authorizer.
* EV Policy OID: 1.3.6.1.4.1.36305.2
* Root Cert URLs
http://www.wosign.com/root/WS_CA1_G2.crt
http://www.wosign.com/root/ws_ecc.crt
* Test Websites
https://root4evtest.wosign.com/
https://root5evtest.wosign.com/
* CRL
http://crls6.wosign.com/ca6.crl
http://crls6.wosign.com/ca6-ssl4.crl
http://crls8.wosign.com/ca8.crl
http://crls8.wosign.com/ca8-ssl4.crl
CPS 7.8: CRL Next Update: 5 days
* OCSP
http://ocsp6.wosign.com/ca6
http://ocsp6.wosign.com/ca6/ssl4
http://ocsp8.wosign.com/ca8
http://ocsp8.wosign.com/ca8/ssl4
* Audit: WoSign is audited annually by Ernst & Young (EY) according to
the WebTrust audit criteria.
WebTrust CA:
https://cert.webtrust.org/SealFile?seal=1843&file=pdf
WebTrust BR:
https://cert.webtrust.org/SealFile?seal=1860&file=pdf
WebTrust EV:
https://cert.webtrust.org/SealFile?seal=1842&file=pdf
* Potentially Problematic Practices -- None noted
(http://wiki.mozilla.org/CA:Problematic_Practices)
This begins the discussion of the request from WoSign to include the
"Certification Authority of WoSign G2" and "CA WoSign ECC Root" root
certificates, turn on all three trust bits for both roots, and enable EV
treatment for both roots.
At the conclusion of this discussion I will provide a summary of issues
noted and action items. If there are outstanding issues, then an
additional discussion may be needed as follow-up. If there are no
outstanding issues, then I will recommend approval of this request in
the bug.
Kathleen