CA/Certinomis Issues

854 bytes added, 00:31, 10 May 2019
Issue A: StartCom Cross-signing (2017): Added response Startcom Issues
=== Issue A: StartCom Cross-signing (2017) ===
In 2017, Certinomis made the decision to sign two new intermediate CA certificates that were controlled by StartCom. This was at a time when [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 StartCom had been recently distrusted] and was [https://groups.google.com/d/msg/mozilla.dev.security.policy/hNOJJrN6WfE/5i46-wV5AAAJ misissuing test certificates from this new, replacement hierarchy]. These cross-certificates were not disclosed until 111 days after being issued (the [https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#532-publicly-disclosed-and-audited current one-week rule] was not in force), and were issued prior to StartCom having completed new, successful audits that were required by their [https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 remediation plan] before they could request reinclusion. The Certinomis cross-certificates were ultimately [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/6yhrL4nXAAAJ added to OneCRL and revoked by Certinomis].
 
[UPDATE 9-May in reply to the [[CA/Certinomis_Issues#Certinomis_Response|Certinomis Response]]]
 
Certinomis asked Mozilla to approve their plan to help StartCom, but when the cross-certificates were discovered, [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ Gerv responded] "This seems to be very different to the plan you implemented." By cross-signing StartCom's old roots, Certinomis assisted StartCom in circumventing the remediation plan, and by proposing one plan and then implementing a different one, Certinomis did so without Mozilla's consent.
 
StartCom misissued a number of certificates (e.g. [3]) under that cross-signing relationship, and Certinomis, as the Mozilla program member, is responsible for them.
 
By cross-signing StartCom's roots, Certinomis also took responsibility for StartCom's qualified audit.
=== Issue B: Lack of Responsiveness (2018 - Present) ===