CA/WoSign Issues: Difference between revisions

Update Issue O with WoSign response
(Fix CDN info)
(Update Issue O with WoSign response)
Line 209: Line 209:


One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to either Akamai's CDN or what appears to be Qihoo 360's CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.
One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to either Akamai's CDN or what appears to be Qihoo 360's CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls, reusing a serial number for two intermediates is disappointing.


Thanks to Kurt Roeckx and Rob Stradling for their help with this issue.
Thanks to Kurt Roeckx and Rob Stradling for their help with this issue.
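Review bot: the unchanged description in this hunk still closes on an open question (why both intermediates share a notBefore date even though the second was logged a month later), while the sentence about manual issuance and strong controls has been moved out of this section; since the WoSign response added in the next hunk says the intermediate was simply reissued with the old serial number, consider stating here whether that account also explains the identical notBefore, or leave the question explicitly open so the reader does not have to infer it from the response section.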
Line 216: Line 214:
===WoSign Response===
===WoSign Response===


This issue has not yet been formally brought to WoSign's attention.
By private mail, Richard Wang of WoSign said that the plan was to use a CDN with a different domain, but in discussions with the CDN provider there was no need to change domain, so they changed the plan to use the existing domain and reissued the intermediate certificate. At that point, they "forgot to change the serial number". The old one issued only test certificates for two months. WoSign plan to revoke "this two intermediate CA and all issued certificates soon" (by which I assume he means the two certificates with the older domain names).


===Further Comments and Conclusion===
===Further Comments and Conclusion===


N/A.
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls as they involve issuance directly from the root, reusing a serial number for two intermediates shows a disappointing lack of care and appropriate processes.


==Issue P: Use of SM2 Algorithm (Nov 2015)==
==Issue P: Use of SM2 Algorithm (Nov 2015)==
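Review bot: the new "Further Comments and Conclusion" text draws a conclusion about lack of care and processes but does not follow up on the two commitments recorded in the response above: that the older intermediate "issued only test certificates for two months" and that WoSign "plan to revoke this two intermediate CA and all issued certificates soon". The response paragraph also leaves the meaning of "this two intermediate CA" as the author's assumption ("by which I assume he means the two certificates with the older domain names"). Suggest the conclusion state which intermediates are expected to be revoked and whether that revocation has been confirmed (for example via the CRL and OCSP endpoints named in the description), so the assumption is resolved rather than left implicit.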