See below inline, thanks.

Best Regards,


-----Original Message-----

From: Gervase Markham []

Sent: Thursday, August 25, 2016 12:31 AM

To: Jeremy Rowley <>;

Cc: Richard Wang <>

Subject: Re: Incidents involving the CA WoSign

Hi Jeremy,

On 24/08/16 17:12, Jeremy Rowley wrote:

> On incident 0, its unclear whether a cert was actually mis-issued.

> Although they used a higher level port, did the researcher

> successfully bypass WoSign's domain validation process? Is the only

> concern that WoSign permitted higher level ports?

The result of the incident was that a certificate was issued to someone who did 
not, in the normally understood sense of the word, have control of the domain 
in question. Mozilla feels that even without a specific injunction in the BRs, 
CAs should have known that ports > 1024 are not privileged and not done control 
checks using them.

The severity of the problem, of course, is a matter for discussion here.

R: We got report from Google, but don’t tell me if any mis-issued certificate 
happen, just tell us to forbidden this high level port.

We are searching our database to try to find if any mis-issued cert is issued. 
And will update to this mail list.

> On incident 2, it sounds like they are both using the same

> auto-generation script.

It seems like a bit more than that, doesn't it? Let's presume that WoSign did 
not ship a copy of their intermediate cert's private key to StartCom. 
Therefore, this cert must have been issued on the back end by some sort of 
WoSign system. So either WoSign's back-end issuing service has some form of 
authentication and the StartCom system had those credentials (why?), or the 
WoSign system does not have any form of authentication (concerning).

R: NOT this case you think. Due to root inclusion problem, WoSign root is cross 
signed by StartCom since 2011. And we shared some facility with StartCom like 
CRL and OCSP distribution etc. But not this case, as I declared in the previous 
email, this is a API parameter option that can post data to any server located 
in any place.

> Giving WoSign the benefit of the doubt, it sounds like maybe it was a

> bug in their software that permitted SHA1 certs not an intentional

> back-dating issue. Is there any clarity around how this worked?

Perhaps WoSign would like to provide some :-)

R: I think we said clearly in the related Bugzilla ☺


dev-security-policy mailing list

Reply via email to