Hi Jeremy,

On 24/08/16 17:12, Jeremy Rowley wrote:
> On incident 0, it's unclear whether a cert was actually mis-issued.
> Although they used a higher level port, did the researcher
> successfully bypass WoSign's domain validation process? Is the only
> concern that WoSign permitted higher level ports?

The result of the incident was that a certificate was issued to someone who did not, in the normally understood sense of the word, have control of the domain in question. Mozilla feels that even without a specific injunction in the BRs, CAs should have known that ports > 1024 are not privileged and not done control checks using them. The severity of the problem, of course, is a matter for discussion here.

> On incident 2, it sounds like they are both using the same
> auto-generation script.

It seems like a bit more than that, doesn't it? Let's presume that WoSign did not ship a copy of their intermediate cert's private key to StartCom. Therefore, this cert must have been issued on the back end by some sort of WoSign system. So either WoSign's back-end issuing service has some form of authentication and the StartCom system had those credentials (why?), or the WoSign system does not have any form of authentication (concerning).

> Giving WoSign the benefit of the doubt, it
> sounds like maybe it was a bug in their software that permitted SHA1
> certs not an intentional back-dating issue. Is there any clarity
> around how this worked?

Perhaps WoSign would like to provide some :-)

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
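The point Gerv makes about incident 0 is that a domain-control check served from a port above 1024 proves nothing about administrative control of the host, because any unprivileged local user can bind such a port. The following is an added example, not code from this thread, from WoSign, or from Mozilla: a small policy gate a CA's validation pipeline could apply to a candidate validation URL before fetching it. The function names, the `DEFAULT_ALLOWED_PORTS` set and the sample URLs are assumptions constructed for this illustration; a real CA would take its allowlist from its own CP/CPS and the Baseline Requirements.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Ports below 1024 are "privileged": on a typical multi-user host only root
# (or an equivalent) may bind them, so a listener there is evidence of
# administrative control. Anything at or above this limit is bindable by
# any local user account and therefore proves nothing about the domain.
PRIVILEGED_PORT_LIMIT = 1024

# Ports on which this example CA is willing to perform an HTTP-based control
# check. Assumption for the example: plain HTTP and HTTPS defaults only.
DEFAULT_ALLOWED_PORTS = frozenset({80, 443})

# Scheme default ports used when the URL carries no explicit port.
DEFAULT_PORTS = {"http": 80, "https": 443}


def effective_port(url: str) -> int:
    """Return the TCP port a validation fetch of `url` would connect to."""
    parts = urlsplit(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme for domain validation: {parts.scheme!r}")
    # `parts.port` is None when no explicit port is present and raises
    # ValueError when the port component is malformed or out of range.
    return parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]


def check_validation_url(url: str, allowed_ports=DEFAULT_ALLOWED_PORTS) -> tuple[bool, str]:
    """Decide whether a domain-control check may be run against `url`.

    Returns (ok, reason). The check is refused when the effective port is
    unprivileged (any local user could have served the challenge) or when it
    is privileged but not on the CA's allowlist.
    """
    try:
        port = effective_port(url)
    except ValueError as exc:
        return False, str(exc)
    if port >= PRIVILEGED_PORT_LIMIT:
        return False, (f"port {port} is unprivileged (>= {PRIVILEGED_PORT_LIMIT}); "
                       "any local user could bind it, so it proves nothing")
    if port not in allowed_ports:
        return False, f"port {port} is privileged but not an allowed validation port"
    return True, f"port {port} acceptable"


if __name__ == "__main__":
    # Constructed sample validation URLs, covering the cases the post raises.
    samples = [
        "http://example.com/.well-known/pki-validation/token.txt",      # default 80
        "https://example.com/.well-known/pki-validation/token.txt",     # default 443
        "http://example.com:8080/.well-known/pki-validation/token.txt", # unprivileged
        "http://example.com:1024/.well-known/pki-validation/token.txt", # boundary
        "http://example.com:25/.well-known/pki-validation/token.txt",   # privileged, not allowed
        "ftp://example.com/token.txt",                                  # wrong scheme
    ]
    for sample in samples:
        ok, reason = check_validation_url(sample)
        print(f"{'ACCEPT' if ok else 'REJECT'}  {sample}  ({reason})")
```

The gate deliberately separates the two questions: whether the port is privileged at all (the property the post says CAs should have recognised on their own) and whether it is on the CA's chosen allowlist (a matter of written policy). Keeping them distinct makes audit logs explain exactly which rule refused a request.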