CA/WoSign Issues: Difference between revisions

Edit summaries: older revision "(Add issue O)"; newer revision "(Fix CDN info)". The diff below starts at line 208 in both revisions.
WoSign has issued two pairs of intermediates with the same issuer duplicate serial numbers - [https://crt.sh/?serial=44807b207cf2052e8d3411770266d295&iCAID=1450 one pair] with a notBefore in May 2015, and [https://crt.sh/?serial=3adec402270bf4ee9e892cc65e0ada21&iCAID=1450 one pair] with a notBefore in July 2015. All four certificates were issued by WoSign's "CA 沃通根证书" root. This is a violation of RFC 5280.
WoSign has issued two pairs of intermediates with the same issuer duplicate serial numbers - [https://crt.sh/?serial=44807b207cf2052e8d3411770266d295&iCAID=1450 one pair] with a notBefore in May 2015, and [https://crt.sh/?serial=3adec402270bf4ee9e892cc65e0ada21&iCAID=1450 one pair] with a notBefore in July 2015. All four certificates were issued by WoSign's "CA 沃通根证书" root. This is a violation of RFC 5280.


One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to the Akamai CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.
One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to either Akamai's CDN or what appears to be Qihoo 360's CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.


Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls, reusing a serial number for two intermediates is disappointing.
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls, reusing a serial number for two intermediates is disappointing.
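Review bot: the revised second paragraph attributes the wosign.cn CRL/OCSP hosts to "what appears to be Qihoo 360's CDN" without saying what that attribution rests on; since the same sentence already makes a checkable claim about Akamai, it would be stronger to record the observation behind it (the hostnames looked up and the CNAME or address ranges they resolved to, with the date), so a reader can reproduce the check and see when the hosting changes again. The same paragraph also notes that cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn "no longer exist" while still being named in live intermediates; one sentence on the consequence for relying parties (revocation checks against those certificates cannot complete, and most clients soft-fail in that case) would make clear why the defunct URLs matter and not just the duplicated serial.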