OISTE WISeKey Global Root GC CA Root Inclusion Request


Wayne Thayer

May 1, 2018, 3:03:20 PM5/1/18
to mozilla-dev-security-policy
This request is for inclusion of the OISTE WISeKey Global Root GC CA as
documented in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1403591

* BR Self Assessment is here:
https://bugzilla.mozilla.org/attachment.cgi?id=8912732

* Summary of Information Gathered and Verified:
https://bugzilla.mozilla.org/attachment.cgi?id=8955363

* Root Certificate Download URL:
https://bugzilla.mozilla.org/attachment.cgi?id=8912737

* CP/CPS:
https://cdn.wisekey.com/uploads/images/WKPKI.DE001-OWGTM-PKI-CPS.v2.10-CLEAN.pdf

* This request is to turn on the Websites and Email trust bits. EV
treatment is not requested.

* EV Policy OIDs: Not EV

* Test Websites
https://gcvalidssl.hightrusted.com/
https://gcexpiredssl.hightrusted.com/
https://gcrevokedssl.hightrusted.com/

* CRL URL: http://public.wisekey.com/crl/wcidgcas1.crl

* OCSP URL: http://ocsp.wisekey.com/

* Audit: Annual audits are performed by AUREN according to the WebTrust for
CA and BR audit criteria.
WebTrust:
https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-CA-GC.pdf
BR:
https://cdn.wisekey.com/uploads/images/Audit-Report-and-Management-Assertions-Webtrust-BR-GC.pdf
EV: Not EV

I’ve reviewed the CPS, BR Self Assessment, and related information for the
OISTE WISeKey Global Root GC CA inclusion request that are being tracked in
this bug and have the following comments:

==Good==
* This root was created in May of 2017 and the intermediate appears to have
only signed test certs since then.
* Problem reporting mechanism is clearly labeled as such in the CPS.

==Meh==
* The older OISTE WISeKey Global Root GA CA that is in our program has
issued a few certs containing linting errors (some are false positives for
OCSP signing certs):
https://crt.sh/?caid=15102&opt=cablint,zlint,x509lint&minNotBefore=2010-01-01
Two notable concerns are:
** Valid wildcard certificate for a public suffix:
https://crt.sh/?id=76535370&opt=cablint (BR 3.2.2.6 permits this only if
“the applicant proves its rightful control of the entire Domain Namespace”)
** Valid cert containing a non-printable string in the Subject:
https://crt.sh/?id=308365498&opt=x509lint,ocsp
* WISeKey was the subject of one misissuance bug for “invalid dnsNames” and
“CN not in SAN” errors to which they responded promptly:
https://bugzilla.mozilla.org/show_bug.cgi?id=1391089
** They also failed to respond to a problem report during this incident.
Domain validation procedures are listed in an appendix instead of section
3.2.2.4 of the CPS and they include the soon-to-be-banned 3.2.2.4.1 and
3.2.2.4.5 methods. A note indicates that 3.2.2.4.5 will be discontinued
after August 1st. The reference to 3.2.2.4.1 appears to be a documentation
error.
During my initial review, the CPS was missing CAA information and still
referenced 3-year validity periods. WISeKey quickly made the needed changes
but indicated that they update their CPS during an annual review rather
than regularly as new requirements come into effect.

==Bad==
Nothing to report

This begins the 3-week comment period for this request [1].

I will greatly appreciate your thoughtful and constructive feedback on the
acceptance of this root into the Mozilla CA program.

- Wayne

[1] https://wiki.mozilla.org/CA/Application_Process
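The lint findings named in the post (CN not in SAN, invalid dnsNames, a wildcard covering a public suffix, non-printable characters in the Subject) are the kind of checks a CA can run before issuance. The following is an added example, not WISeKey's, Mozilla's or any linter's own code; it assumes the Subject attributes and SAN dNSName entries have already been decoded to strings, and its public-suffix table is a constructed stand-in for the real Public Suffix List.

```python
# Added example: a minimal pre-issuance check for the lint findings discussed
# in the post. Not WISeKey's or Mozilla's code; the PSL stand-in is constructed.
import re

# Constructed, deliberately incomplete stand-in for the Public Suffix List;
# a real check would load https://publicsuffix.org/list/ in full.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk", "com.au"}

# One hostname label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def valid_dns_name(name: str) -> bool:
    """RFC 1034-style hostname check; a single '*' is allowed only as the
    leftmost label (the shape the BRs permit for wildcard certificates)."""
    labels = name.lower().split(".")
    if len(labels) < 2 or len(name) > 253:
        return False
    head, rest = labels[0], labels[1:]
    if head != "*" and not LABEL_RE.match(head):
        return False
    return all(LABEL_RE.match(label) for label in rest)


def wildcard_on_public_suffix(name: str) -> bool:
    """True for names like *.com or *.co.uk, where the wildcard would cover an
    entire registry-controlled namespace (the BR 3.2.2.6 concern in the post)."""
    if not name.startswith("*."):
        return False
    return name[2:].lower() in PUBLIC_SUFFIXES


def lint_subscriber_cert(subject: dict, san_dns_names: list) -> list:
    """Return lint findings for a certificate described by its Subject
    attributes (e.g. {"CN": ..., "O": ...}) and its SAN dNSName entries."""
    findings = []
    for attr, value in subject.items():
        if any(not ch.isprintable() for ch in value):
            findings.append(f"subject {attr} contains non-printable characters")
    cn = subject.get("CN")
    if cn is not None and cn.lower() not in {n.lower() for n in san_dns_names}:
        findings.append("CN not in SAN")
    for name in san_dns_names:
        if not valid_dns_name(name):
            findings.append(f"invalid dnsName: {name}")
        elif wildcard_on_public_suffix(name):
            findings.append(f"wildcard for public suffix: {name}")
    return findings
```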