On Thu, Aug 25, 2016 at 07:11:18AM +0000, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.

That doesn't provide any assurance, in the face of misleading notBefore
values in certificates.  Without strong assurances that whatever failure of
systems or processes allowed misleading notBefore values to end up in
certificates has been corrected, the only way to be sure that there are no
shenanigans going on is for *all* certificates issued by WoSign,
*regardless* of their purported issuance date, to carry SCTs from a
qualified log (or have them presented at TLS establishment), and have the
"effective date" for the purposes of compliance with relevant standards and
guidelines to be the date of the earliest SCT presented.  This is because
the notBefore value in the certificate, being produced by a flawed process
which allows misleading values to be used, is useless for the purposes of
determining when the certificate was *actually* issued.  Any TLS connection
using a WoSign-issued certificate which does not present SCTs would have to
be considered completely untrustworthy.

> For BR auditor, I think this issue is too technical that fewer auditor can
> find out this problem.

I believe Ryan has done an excellent job of outlining the concerns with this

> We will add the quality control system to PKI system before issuing the
> certificate, and will check the crt.sh or use the CABF lint and X590 Lint
> to check the certificate before and after the certificate is issued to
> prevent such case, if such case happen, we will notify all browsers
> instantly.

This neither addresses the question I posed, nor does it contain sufficient
specificity to be reassuring.  I asked:

> what changes, exactly, has WoSign implemented to its policies and
> procedures to ensure that all trust programs in which WoSign is a
> participant are notified of future incidents, in line with each program's
> requirements?

I'm after the specifics of the changes to WoSign's policies and procedures
regarding *notification*, not quality control.  What were WoSign's previous
policies and procedures regarding notification (obviously there was
something in place, since Google was notified), and what changes have been
made to improve those policies to ensure that all root programs are notified
in line with each program's requirements in the future?

- Matt

I told [my daughter] that if I see her digging a hole that she might not be
able to crawl out of, my job isn't to stand back and say "That's a *real*
nice hole you're digging there".
                -- Paul Tomblin, ASR

dev-security-policy mailing list

Reply via email to