On Thu, Aug 25, 2016 at 07:11:18AM +0000, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary.
That doesn't provide any assurance, in the face of misleading notBefore values in certificates. Without strong assurances that whatever failure of systems or processes allowed misleading notBefore values to end up in certificates has been corrected, the only way to be sure that there are no shenanigans going on is for *all* certificates issued by WoSign, *regardless* of their purported issuance date, to carry SCTs from a qualified log (or have them presented at TLS establishment), and have the "effective date" for the purposes of compliance with relevant standards and guidelines to be the date of the earliest SCT presented. This is because the notBefore value in the certificate, being produced by a flawed process which allows misleading values to be used, is useless for the purposes of determining when the certificate was *actually* issued. Any TLS connection using a WoSign-issued certificate which does not present SCTs would have to be considered completely untrustworthy. > For BR auditor, I think this issue is too technical that fewer auditor can > find out this problem. I believe Ryan has done an excellent job of outlining the concerns with this statement. > We will add the quality control system to PKI system before issuing the > certificate, and will check the crt.sh or use the CABF lint and X590 Lint > to check the certificate before and after the certificate is issued to > prevent such case, if such case happen, we will notify all browsers > instantly. This neither addresses the question I posed, nor does it contain sufficient specificity to be reassuring. I asked: > what changes, exactly, has WoSign implemented to its policies and > procedures to ensure that all trust programs in which WoSign is a > participant are notified of future incidents, in line with each program's > requirements? I'm after the specifics of the changes to WoSign's policies and procedures regarding *notification*, not quality control. What were WoSign's previous policies and procedures regarding notification (obviously there was something in place, since Google was notified), and what changes have been made to improve those policies to ensure that all root programs are notified in line with each program's requirements in the future? - Matt -- I told [my daughter] that if I see her digging a hole that she might not be able to crawl out of, my job isn't to stand back and say "That's a *real* nice hole you're digging there". -- Paul Tomblin, ASR _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy