On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> Several incidents have come to our attention involving the CA "WoSign".
> Mozilla is considering what action it should take in response to these
> incidents. This email sets out our understanding of the situation.
>
> Before we begin, we note that Section 1 of the Mozilla CA Certificate
> Enforcement Policy[0] says: "When a serious security concern is noticed,
> such as a major root compromise, it should be treated as a
> security-sensitive bug, and the Mozilla Policy for Handling Security
> Bugs should be followed." It is clear to us, and appears to be clear to
> other CAs based on their actions, that misissuances where domain control
> checks have failed fall into the category of "serious security concern".
Gerv and team,

In addition to the direct impact, I note that WoSign is the subject of cross-signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). For example:

Cross issued to /C=CN/O=WoSign CA Limited/CN=CA 沃通根证书 by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z

Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z

Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:01:59Z

Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:59:59Z

Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring 2019-06-24T19:06:30Z

Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring 2019-07-09T18:40:36Z

I have two questions:

1) Should any action be taken against the operators of these CAs due to the incidents listed? My view is that the correct answer is "no, unless it is demonstrated that the CA operator had knowledge of undisclosed incidents", as I believe that the issuer should be able to rely upon the audit reports and continued inclusion in the Mozilla trust store as prima facie evidence of compliance with Mozilla policy.
2) If Mozilla decides to take action that results in WoSign no longer being directly trusted, do those CAs with unrevoked, unexpired cross-signs bear responsibility for any future mis-issuance by WoSign? My view is the answer is yes, as WoSign would be a subordinate CA rather than a peer being cross-signed. The Mozilla policy makes it clear that "All certificates that are capable of being used to issue new certificates, and which directly or transitively chain to a certificate included in Mozilla's CA Certificate Program, MUST be operated in accordance with Mozilla's CA Certificate Policy".

Thanks,
Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
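The point behind question 2 is that removing WoSign's own roots from a trust store does not end trust in its intermediates while the cross-signs above stay unrevoked and unexpired. The following is an added illustration, not code from the thread or from Mozilla: it takes the six cross-signs listed in the post (CNs only, copied from the message), assumes the four cross-signing roots are still trusted and the WoSign roots are not, and walks the issuer graph to show which WoSign CAs remain transitively trusted at a given date and through which roots. Real trust decisions also involve OneCRL-style revocation lists and name constraints, which this model does not include.

```python
from collections import defaultdict, deque
from datetime import datetime, timezone

# Cross-signatures as listed in the post: (subject CA, cross-signing issuer, notAfter).
# Sample data constructed from the message; CNs only, not the full DNs.
CROSS_SIGNS = [
    ("CA 沃通根证书", "StartCom Certification Authority", "2019-12-31T23:59:59Z"),
    ("Certification Authority of WoSign", "StartCom Certification Authority", "2019-12-31T23:59:59Z"),
    ("Certification Authority of WoSign G2", "Certum CA", "2020-11-02T01:01:59Z"),
    ("Certification Authority of WoSign G2", "Certum CA", "2020-11-02T01:59:59Z"),
    ("Certification Authority of WoSign", "UTN - DATACorp SGC", "2019-06-24T19:06:30Z"),
    ("Certification Authority of WoSign", "UTN-USERFirst-Object", "2019-07-09T18:40:36Z"),
]

def parse_ts(s):
    """Parse the 'YYYY-MM-DDTHH:MM:SSZ' notAfter form used in the post."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def trusted_cas(trusted_roots, cross_signs, at, revoked=()):
    """Transitive trust at time `at`: map every CA name that chains to a trusted
    root to the set of roots it chains through. A cross-sign is followed only if
    it is unexpired and its (subject, issuer) pair is not in `revoked`."""
    edges = defaultdict(list)  # issuer -> subjects it has cross-signed
    for subject, issuer, expiry in cross_signs:
        if (subject, issuer) not in revoked and parse_ts(expiry) > at:
            edges[issuer].append(subject)
    result = defaultdict(set)
    for root in trusted_roots:
        seen, queue = {root}, deque([root])
        while queue:  # breadth-first walk from this root along live cross-signs
            ca = queue.popleft()
            result[ca].add(root)
            for sub in edges[ca]:
                if sub not in seen:
                    seen.add(sub)
                    queue.append(sub)
    return dict(result)

def exposure_until(subject, cross_signs, revoked=()):
    """Latest notAfter among unrevoked cross-signs to `subject`: how long the
    cross-signers stay on the hook if nothing is revoked."""
    live = [parse_ts(e) for s, i, e in cross_signs if s == subject and (s, i) not in revoked]
    return max(live) if live else None

if __name__ == "__main__":
    roots = {"StartCom Certification Authority", "Certum CA", "UTN - DATACorp SGC", "UTN-USERFirst-Object"}
    for ca, via in trusted_cas(roots, CROSS_SIGNS, parse_ts("2016-09-01T00:00:00Z")).items():
        if ca not in roots:
            print(f"{ca}: still trusted via {sorted(via)}")
```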