Yeah, it's almost impossible to distrust all WoSign authority manually from Keychain Access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates )

Certification Authority of WoSign <https://root1evtest.wosign.com/> | WoSign CA Limited <https://www.wosign.com/> | B94294BF91EA8FB64BE61097C7FB001359B676CB
CA 沃通根证书 <https://root2evtest.wosign.com/> | WoSign CA Limited <https://www.wosign.com/> | 1632478D89F9213A92008563F5A4A7D312408AD6
Class 1 Primary CA | WoSign CA Limited <https://www.wosign.com/> | 6A174570A916FBE84453EED3D070A1D8DA442829
Certification Authority of WoSign | WoSign CA Limited <https://www.wosign.com/> | 33A4D8BC38608EF52EF0E28A35091E9250907FB9
Certification Authority of WoSign G2 <https://root4evtest.wosign.com/> | WoSign CA Limited <https://www.wosign.com/> | FBEDDC9065B7272037BC550C9C56DEBBF27894E1
CA WoSign ECC Root <https://root5evtest.wosign.com/> | WoSign CA Limited <https://www.wosign.com/> | D27AD2BEED94C0A13CC72521EA5D71BE8119F32B
Certification Authority of WoSign | StartCom Certification Authority <https://www.startcom.org/> | 868241C8B85AF79E2DAC79EDADB723E82A36AFC3
Certification Authority of WoSign | StartCom Certification Authority <https://www.startcom.org/> | 692790DA5189529CC5CE1E16E984277A03023E99
Certification Authority of WoSign | StartCom Certification Authority <https://www.startcom.org/> | 804E5FB7DE84F5F5B28347233EAF07846B6070D3
Certification Authority of WoSign | StartCom Certification Authority <https://www.startcom.org/> | B0B68AE97CFE2AFACD0DC2010B9D70ACE593E8A6
Certification Authority of WoSign | StartCom Certification Authority <https://www.startcom.org/> | 27D5BBE04301E1604839708D172CF09296ED9033
Certification Authority of WoSign | UTN-USERFirst-Object <https://www.comodo.com/> | 7C1913D189C46577D7513F980A2CFD7EDCBA0EC9
Certification Authority of WoSign | UTN-USERFirst-Object <https://www.comodo.com/> | 1C1ECDCCF764E6168177C5711F33EC9229A29F88
Certification Authority of WoSign G2 | Certum CA <https://www.certum.eu/> | B39191CFF08EB6FD8B447C21CAAEF6FC33F1D5AE
Certification Authority of WoSign G2 | Certum CA <https://www.certum.eu/> | 73FFCA3F815B7A77717FE91912A4DC7B6BFB79CA
CA 沃通根证书 | StartCom Certification Authority <https://www.startcom.org/> | D8EFF6C28BB508E4702565F42748454A872BD412
CA 沃通根证书 | StartCom Certification Authority <https://www.startcom.org/> | CE335662F0EA6764B95C7F50A995A514ACE8C815
CA 沃通根证书 | StartCom Certification Authority <https://www.startcom.org/> | B2FBDA222493A93C38F77C90D4BE6DA17F15F0B0
Certification Authority of WoSign | UTN – DATACorp SGC <https://www.comodo.com/> | 56FAADDC596DCF78D585D83A35BC04B690D12736
WoSign Premium Server Authority | AddTrust External CA Root/UTN-USERFirst-Hardware <https://www.comodo.com/> | E3D569137E603E7BACB6BCC66AE943850C8ADF38
WoSign Server Authority | AddTrust External CA Root/UTN-USERFirst-Hardware <https://www.comodo.com/> | 3E14B8BD6C568657D852D95D387249AE857B4A39
WoSign SGC Server Authority | UTN – DATACorp SGC <https://www.comodo.com/> | 6D5A18050D56BFDE525CBE89E8C45DD1B53D12E9
WoSign Client Authority | UTN-USERFirst-Client Authentication and Email <https://www.comodo.com/> | FAD4319D4E173FF3853E51C98D21919BF3DA1A1E
WoTrust Premium Server Authority | AddTrust External CA Root/UTN-USERFirst-Hardware <https://www.comodo.com/> | 381CBC5048AFD9A02D3E5882D5F22D962B1A5F72
WoTrust Premium Server Authority | AddTrust External CA Root/UTN-USERFirst-Hardware <https://www.comodo.com/> | CF37A5B5C9166BD6B57A56BF67165A584B057241
WoTrust Server Authority | AddTrust External CA Root/UTN-USERFirst-Hardware <https://www.comodo.com/> | 337DF96418F08A9355870513AFCEBDC68BCED767
WoTrust SGC Server Authority | UTN – DATACorp SGC <https://www.comodo.com/> | 46A762F3C3CF3732DE22A8BA1EBBA3BC048F9B8C
WoTrust Client Authority | UTN-USERFirst-Client Authentication and Email <https://www.comodo.com/> | 38CFE78D9F1F0B0637AFCAAA3D5549D87C0AA1D0

Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)

On Tue, Sep 6, 2016 at 8:19 AM, Peter Gutmann <[email protected]> wrote:

> Nick Lamb <[email protected]> writes:
>
> >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote:
> >> Why would a public CA even need cross-certification from other CAs?
> >
> >Maybe this question has some subtlety to it that I'm missing?
>
> OK, I really meant "that many other CAs". To take one example, the
> cross-certifying CA known as Usertrust that eventually became part of Comodo
> has been around since the late 1990s, so it's presumably trusted by
> everything under the sun, and then Comodo owns (at least) AddTrust AB, eBiz
> Networks, Positive Software, RegisterFly, Registry Pro, The Code Project, The
> USERTRUST Network, WebSpace-Forum e.K., and Wotone Communications. Getting a
> whole pile of other cross-certifications from additional CAs seems a bit
> redundant, and has the flipside that once you've got a sufficiently complex
> mesh of cross-certifications you've established such a level of
> fault-tolerance that it's difficult to untrust a CA because there'll always
> be another cross-certification somewhere leading to a trusted root.
>
> Peter.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
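
The cross-certification point in the quoted reply, as an added example that is not part of the original thread: a small path-enumeration model showing that removing only the self-signed WoSign roots leaves chains through the cross-signing CAs, while distrusting every certificate carrying those subjects leaves none. Subject and issuer names come from the list in the message; the cert ids are constructed labels, self-signed roots are modelled as issuer == subject, and chaining by name instead of by key is a simplification.

```python
# Constructed model of the cross-certification mesh: (cert_id, subject, issuer).
# Subject/issuer names come from the list in the message; cert ids are made-up
# labels (not real fingerprints), and self-signed roots are modelled as
# issuer == subject, which is an assumption of this example.
W = "Certification Authority of WoSign"
G2 = "Certification Authority of WoSign G2"
STARTCOM = "StartCom Certification Authority"
CERTS = [
    ("wosign-root", W, W),
    ("wosign-x-startcom", W, STARTCOM),
    ("wosign-x-utn-object", W, "UTN-USERFirst-Object"),
    ("g2-root", G2, G2),
    ("g2-x-certum", G2, "Certum CA"),
    ("startcom-root", STARTCOM, STARTCOM),
    ("utn-object-root", "UTN-USERFirst-Object", "UTN-USERFirst-Object"),
    ("certum-root", "Certum CA", "Certum CA"),
]
ROOT_STORE = {"wosign-root", "g2-root", "startcom-root", "utn-object-root", "certum-root"}


def chains(subject, trusted, blocked=frozenset(), seen=()):
    """Every chain (list of cert ids) from `subject` up to a trusted anchor."""
    found = []
    for cid, subj, issuer in CERTS:
        if subj != subject or cid in blocked or cid in seen:
            continue
        if cid in trusted:          # anchor in the store: chain is complete
            found.append([cid])
        elif issuer != subj:        # cross-cert: keep climbing via its issuer
            for rest in chains(issuer, trusted, blocked, seen + (cid,)):
                found.append([cid] + rest)
    return found


def full_blocklist(subjects):
    """Every cert id that must be distrusted to cut off the given subjects."""
    return {cid for cid, subj, _ in CERTS if subj in subjects}


def residual(subjects, trusted, blocked=frozenset()):
    """Map each subject to the chains that still reach a trusted anchor."""
    return {s: chains(s, trusted, blocked) for s in subjects}


if __name__ == "__main__":
    # Removing only the two self-signed WoSign roots leaves the cross-signed paths.
    print(residual([W, G2], ROOT_STORE - {"wosign-root", "g2-root"}))
    # Distrusting every certificate carrying those subjects leaves none.
    print(residual([W, G2], ROOT_STORE, full_blocklist({W, G2})))
```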

