I’ve reviewed the CPS, BR Self Assessment, and related information for the
OISTE WISeKey Global Root GC CA inclusion request that are being tracked in
this bug and have the following comments:
* This root was created in May of 2017 and the intermediate appears to have
only signed test certs since then.
* Problem reporting mechanism is clearly labeled as such in the CPS.
* The older OISTE WISeKey Global Root GA CA that is in our program has
issued a few certs containing linting errors (some are false positives for
OCSP signing certs):
https://crt.sh/?caid=15102&opt=cablint,zlint,x509lint&minNotBefore=2010-01-01
Two notable concerns are:
** Valid wildcard certificate for a public suffix:
https://crt.sh/?id=76535370&opt=cablint (BR 18.104.22.168 permits this only if
“the applicant proves its rightful control of the entire Domain Namespace”)
** Valid cert containing a non-printable string in the Subject:
https://crt.sh/?id=308365498&opt=x509lint,ocsp
* WISeKey was the subject of one misissuance bug for “invalid dnsNames” and
“CN not in SAN” errors to which they responded promptly:
https://bugzilla.mozilla.org/show_bug.cgi?id=1391089
** They also failed to respond to a problem report during this incident.
Domain validation procedures are listed in an appendix instead of section
22.214.171.124 of the CPS and they include the soon-to-be-banned 126.96.36.199.1 and
188.8.131.52.5 methods. A note indicates that 184.108.40.206.5 will be discontinued
after August 1st. The reference to 220.127.116.11.1 appears to be a documentation
During my initial review, the CPS was missing CAA information and still
referenced 3-year validity periods. WISeKey quickly made the needed changes
but indicated that they update their CPS during an annual review rather
than regularly as new requirements come into effect.
Nothing to report
This begins the 3-week comment period for this request.
I will greatly appreciate your thoughtful and constructive feedback on the
acceptance of this root into the Mozilla CA program.