CA/WoSign Issues: Difference between revisions

no edit summary
(More Incident S, from Computest)
No edit summary
Line 201: Line 201:
==Incident R: Purchase of StartCom (Nov 2015)==
==Incident R: Purchase of StartCom (Nov 2015)==


WoSign purchased the CA "StartCom" and did not disclose the transaction as a change of ownership, in violation of section 5 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla CA Certificate Maintenance Policy]. More details to be provided.
WoSign purchased the CA "StartCom" and did not disclose the transaction as a change of ownership, which may violate section 5 of the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/ Mozilla CA Certificate Maintenance Policy]. More details to be provided.
 
===WoSign Response===
 
Among other comments:
 
2016-09-02: [https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/AXJoyh4KDQAJ Richard Wang]: "Please don't bind WoSign incident problem with StartCom, it is two independent company that one registered in China and one located in Israel."
 
===Further Comments===
 
As well as any issues there may be with the disclosure of the transfer of ownership, the relationship between WoSign and StartCom is also relevant when determining the scope of any sanctions.


==Incident S: Backdated SHA-1 Certs (January 2016)==
==Incident S: Backdated SHA-1 Certs (January 2016)==
Line 370: Line 360:
|Rob Stradling of Comodo writes: "These two cross-certificates are currently unexpired and unrevoked. However, the 'UTN-USERFirst-Object' root is only enabled for the Code Signing trust bit in NSS. There are 2 cross-certs (currently unconstrained and unrevoked) issued by 'AddTrust External CA Root' to 'UTN-USERFirst-Object'. However, the cross-certs issued to WoSign are EKU-constrained to Code Signing/Time Stamping."
|Rob Stradling of Comodo writes: "These two cross-certificates are currently unexpired and unrevoked. However, the 'UTN-USERFirst-Object' root is only enabled for the Code Signing trust bit in NSS. There are 2 cross-certs (currently unconstrained and unrevoked) issued by 'AddTrust External CA Root' to 'UTN-USERFirst-Object'. However, the cross-certs issued to WoSign are EKU-constrained to Code Signing/Time Stamping."
|}
|}
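Rob Stradling's point above, that an EKU constraint on a cross-certificate limits what any chain passing through it can be used for, as an added example (not code from the wiki or from any of the CAs involved): Go's crypto/x509 verifier is run over constructed certificates, and the names "Constructed Root", "Constructed Sub CA" and "leaf.example" are made up for the demonstration.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }

// template builds a CA template; a nil eku list leaves the CA unconstrained (any usage).
func template(serial int64, cn string, eku []x509.ExtKeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, ExtKeyUsage: eku}
}
func sign(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// chainAllows reports whether leaf validates to root through cross for the requested EKU; Go's verifier, like NSS, requires every certificate in the chain to permit that usage.
func chainAllows(leaf, cross, root *x509.Certificate, eku x509.ExtKeyUsage) bool {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{eku}}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(cross)
	_, err := leaf.Verify(opts)
	return err == nil
}

// Scenario builds constructed test certificates (not the real AddTrust/UTN/WoSign ones): two cross-certs for one
// sub-CA key, one EKU-constrained to Code Signing/Time Stamping and one unconstrained, and checks a leaf through each.
func Scenario() (tlsViaConstrained, codeSignViaConstrained, tlsViaUnconstrained bool) {
	rootKey, subKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := template(1, "Constructed Root", nil)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	constrained := sign(template(2, "Constructed Sub CA", []x509.ExtKeyUsage{
		x509.ExtKeyUsageCodeSigning, x509.ExtKeyUsageTimeStamping}), root, &subKey.PublicKey, rootKey)
	unconstrained := sign(template(3, "Constructed Sub CA", nil), root, &subKey.PublicKey, rootKey)
	lt := template(4, "leaf.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageCodeSigning})
	lt.IsCA, lt.KeyUsage = false, x509.KeyUsageDigitalSignature // end-entity certificate, not a CA
	leaf := sign(lt, constrained, &leafKey.PublicKey, subKey)
	return chainAllows(leaf, constrained, root, x509.ExtKeyUsageServerAuth),
		chainAllows(leaf, constrained, root, x509.ExtKeyUsageCodeSigning),
		chainAllows(leaf, unconstrained, root, x509.ExtKeyUsageServerAuth)
}
```

The leaf carries both serverAuth and codeSigning EKUs, so the only thing that decides whether it is usable for TLS is which cross-certificate the chain runs through.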
==Other Points of Note==
* While not a violation of any Mozilla policy, WoSign has promised to log all certs to CT after a certain date, and yet has not yet managed to comply with the Chrome CT policy of logging to at least one Google and one non-Google log. Arguably, this speaks to competence.