On 10/11/2016 11:57 AM, Gervase Markham wrote:
> There is also the case of StartEncrypt. While no known
> cert-to-wrong-person misissuance occurred because the researchers in
> question used domains they already controlled to prove their point,
> there seemed to be multiple holes by which this might be possible.

I haven't forgotten it and mentioned that Inigo has several tasks at hand:
"/... he'll have to review also other areas and implement controls in
case they were lacking or insufficient, something he's doing as we speak/"
This includes obviously development cycles and other areas, even if no
issues have been detected or reported.

> Of course, people can reasonably disagree on the seriousness of the
> issue (standalone, and by comparison with e.g. WoSign issue N), and it
> is true that StartCom took this codebase wholesale from WoSign, but it
> seems incomplete to leave this out entirely.

It wasn't my intention to ignore it, but I understand that this issue
has been quickly contained at that time.

> Eddy: does StartCom currently have any fully-automated certificate
> issuance mechanisms, or does every certificate request pass by human
> eyes before issuance?

Generally speaking it's semi-automated with a flagging system that
forces about 20% of all lower level certificates for a manual review and
approval by the verification team. Of course EV and code signing
certificates are issued only manually. The rest is issued automatically.
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org <xmpp:start...@startcom.org>
dev-security-policy mailing list