On Sun, Sep 04, 2016 at 09:49:25AM +0000, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me if you still have any questions, > thanks.
Hi Richard, About incident 0 in the report, it says: We investigated each certificates to think it is no necessary to revoke these certificates. Can you please explain how you investigated those and why you think it's not needed to revoke them? I also don't understand what you're trying to explain in 2.2. I think what it says is that the procedure used to be: - Someone requests a certificates - You do validation tests on an initial list of hostnames - Before he actually submits his request he can modify the list of hostnames - You don't do any validation tests anymore - You issue the certificate - Someone manually checks it because github is on the list of domains that needs manual review - The manual review notices that only part of it is validated - The manual review then asks for revocation - The revocation process needs an other person to review it - It informs that subscriber that it's been revoked - The real revocation happens later by a 3rd person Is that an accurate description of the problem? I see 2 problems with this: - There was a bug that the list of hostnames could be modified without revalidating them, and this was fixed on August 10, 2015. - The manual review only happens after the certificate is already issued, instead of before issuing it. In 2.3 you describe that if you sign up for "wosogn.com" (I guess you mean wosign.com) you get "www.wosign.com" for free and don't validate it. But the screenshot of the misissued domains are all without the "www" prefix. That is, "www.wosign.com" would be validated but "wosign.com" wasn't validated. My understanding is that if you sign up for "foo.example.com" you get "example.com" too without validating it, and it's not related to "www". You indicate that this was also fixed on August 10, 2015, but then still changed something on August 27, 2016, and it's not clear to me what you changed. In 3.2 you describe something about StartCom and WoSign using the same script but use a different ID. You describe that there was a bug you that you deleted. I assume that this is that the POST doesn't allow to set the caID anymore. But the document does not describe why that results in backdated SHA-1 certificates at all. I see several issues with this: - It allowed to use a different CA than it should - Software that was supposed to be stopped using was still able to issue certificates - The software for some reason uses the date it was supposed to be stopped from using, instead of the current date. Was this software modified for some reason? And from what I understand, only the first of those is fixed. You also describe that it's going to be replaced by ACME, but I don't see how this relevant or would prevent any of this. (There is also a SAH1 instead of SHA1 typo.) PS: I'm unsure why you cross out all those Mozilla, Google and WoSign address. I can perfectly recoginize the person in all those cases. If you really want to cross them out, please do it properly. Kurt _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
