> It is clear to us, and appears to be clear to other CAs based on their actions, that misissuances where domain control checks have failed fall into the category of "serious security concern".
>
> ...
>
> * It seems clear from publicly available information that StartCom's issuance systems are linked to WoSign's issuance systems in some way. Nevertheless, it should not have been possible for an application for a cert from StartCom to produce a cert signed by WoSign.
>
> * This misissuance incident was not reported to Mozilla by WoSign as it should have been.
>
> Taking into account all these incidents and the actions of this CA, Mozilla is considering what action to take. Your input is welcomed.

I have read the details of this incident made public to date, and in my view, this comes down to two fairly simple questions: Did WoSign betray the public trust, and when mistakes were made were they proactive and transparent in resolving them?
The *only* currency for a public CA is trust, and WoSign broke that trust by attesting to control of (critical) TLDs when in fact, such control did not exist. There is no difference between issuing fraudulent certificates to a security researcher and issuing them to any bad actor. Worse, after being made aware of the issue (and related vulnerabilities in their system), WoSign acted in bad faith by failing to proactively revoke all fraudulent certificates, notify their auditor, or inform Google and Mozilla. The behavior with StartCom only punctuates that continued bad faith and unwillingness to conform with the most basic obligations of a CA.

I probably don't need to remind most of you here how already tenuous is the confidence in the existing public key system generally, and TLS security specifically. In light of their continued actions, I strongly urge the community to remove WoSign from the respective root trust stores.

Kenn White
https://opencryptoaudit.org/people

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy