On Tuesday, August 30, 2016 at 8:07:49 PM UTC-7, Richard Wang wrote:
> This case is in the BR report: 
> https://cert.webtrust.org/SealFile?seal=2019&file=pdf
> Thanks.
> Best Regards,
> Richard

Dear Richard,

It's clear WoSign has continuing compliance issues with CA/Browser forum rules, 
and has repeatedly failed to correct them. Furthermore there has been lots of 
questions about what it would take to improve CA practices given the degree of 
incompetence some have practiced, and it's clear penalties would go a long way.

Is there a reason we shouldn't permanently ban WoSign, and all CAs controlled 
by people involved with it, from the root program? It seems clear that WoSign 
has been misleading its auditors repeatedly and has insufficient tracking of 
which certificates are issued, has been aware of these problems for years, and 
has not been forthright in addressing them. Making an example would do a lot to 
encourage better CA behavior in general.

Watson Ladd

> -----Original Message-----
> From: Peter Bowen [mailto:pzbo...@gmail.com] 
> Sent: Wednesday, August 31, 2016 10:45 AM
> To: Gervase Markham <g...@mozilla.org>
> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang 
> <rich...@wosign.com>
> Subject: Re: Incidents involving the CA WoSign
> On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> > Dear m.d.s.policy,
> >
> > Several incidents have come to our attention involving the CA "WoSign".
> > Mozilla is considering what action it should take in response to these 
> > incidents. This email sets out our understanding of the situation.
> >
> > Before we begin, we note that Section 1 of the Mozilla CA Certificate 
> > Enforcement Policy[0] says: "When a serious security concern is 
> > noticed, such as a major root compromise, it should be treated as a 
> > security-sensitive bug, and the Mozilla Policy for Handling Security 
> > Bugs should be followed." It is clear to us, and appears to be clear 
> > to other CAs based on their actions, that misissuances where domain 
> > control checks have failed fall into the category of "serious security 
> > concern".
> I have run into another bug that appears to be fixed in WoSign's 
> infrastructure but is worth noting.
> In April 2015, two different WoSign CAs issued multiple certificates to 
> distinct subjects using the same serial number.  The CT logs have picked up 
> two instances of this occuring:
> https://crt.sh/?serial=0D3BBDC3A0175E38F9D0070CD050986A shows eight distinct 
> certificates with the same serial number, all with notBefore dates of 
> 2015-04-14.
> https://crt.sh/?serial=056D1570DA645BF6B44C0A7077CC6769 shows dozens of 
> distinct certificates with the same serial number, with notBefore dates 
> between 2015-04-10 and 2015-04-14.
> I have not examined their management assertions to see if this was documented 
> and I do not know if this was reported to Mozilla at the time.  These 
> certificates do not appear to meet RFC 5280's requirements, which say:
>    "The serial number MUST be a positive integer assigned by the CA to
>    each certificate.  It MUST be unique for each certificate issued by a
>    given CA (i.e., the issuer name and serial number identify a unique
>    certificate)"
> (https://tools.ietf.org/html/rfc5280#section-
> Was Mozilla advised of this issue?
> Thanks,
> Peter

dev-security-policy mailing list

Reply via email to