See below inline, thanks.
Best Regards,

Richard

-----Original Message-----
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Thursday, August 25, 2016 12:31 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>; mozilla-dev-security-pol...@lists.mozilla.org
Cc: Richard Wang <rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign

Hi Jeremy,

On 24/08/16 17:12, Jeremy Rowley wrote:
> On incident 0, it's unclear whether a cert was actually mis-issued.
> Although they used a higher level port, did the researcher
> successfully bypass WoSign's domain validation process? Is the only
> concern that WoSign permitted higher level ports?

The result of the incident was that a certificate was issued to someone who did not, in the normally understood sense of the word, have control of the domain in question. Mozilla feels that even without a specific injunction in the BRs, CAs should have known that ports > 1024 are not privileged and not done control checks using them. The severity of the problem, of course, is a matter for discussion here.

R: We got a report from Google, but don’t tell me if any mis-issued certificate happen, just tell us to forbid this high level port. We are searching our database to try to find if any mis-issued cert is issued. And will update to this mail list.

> On incident 2, it sounds like they are both using the same
> auto-generation script.

It seems like a bit more than that, doesn't it? Let's presume that WoSign did not ship a copy of their intermediate cert's private key to StartCom. Therefore, this cert must have been issued on the back end by some sort of WoSign system. So either WoSign's back-end issuing service has some form of authentication and the StartCom system had those credentials (why?), or the WoSign system does not have any form of authentication (concerning).

R: NOT this case you think. Due to root inclusion problem, WoSign root is cross signed by StartCom since 2011. And we shared some facility with StartCom like CRL and OCSP distribution etc.
But not this case, as I declared in the previous email, this is an API parameter option that can post data to any server located in any place.

> Giving WoSign the benefit of the doubt, it sounds like maybe it was a
> bug in their software that permitted SHA1 certs not an intentional
> back-dating issue. Is there any clarity around how this worked?

Perhaps WoSign would like to provide some :-)

R: I think we said clearly in the related Bugzilla ☺

Gerv