On 13/10/16 17:49, Kathleen Wilson wrote:
> Thanks again to all of you who have put in so much time and effort to
> determine what happened with WoSign and StartCom and discuss what to
> do about it.

You are welcome. As people will have read, the current decision at Mozilla is to treat the WoSign and StartCom roots the same, except that StartCom has an opportunity to be re-included faster than WoSign if they can meet the conditions in time. It is also the current position that we will require the companies to use new roots, although cross-signing of the new by the old is permissible.

Some further comments for Kathleen:

> Within this message, the term “Affected Roots” applies to the
> following 7 root certificates.

Yes; it appears my root list in the investigation document missed one. Sorry about that.

> 1) Distrust certificates chaining up to Affected Roots with a
> notBefore date after October 21, 2016.

Others have noted the mismatch here with an October 1 date elsewhere in the document. I think we should pick a single date in the future, to allow the CAs concerned to wind down operations without leaving customers having just obtained certs which will stop working in a few months. So I would argue for October 21st, in line with our principle of minimal disruption to cert owners.

> 3) No longer accept audits carried out by Ernst & Young Hong Kong.

To be clear, this is a permanent ban, applicable worldwide, but only to the Hong Kong branch of E&Y. (If further issues are found with E&Y audits elsewhere, then we might consider something with wider scope.)

> 4) Remove the Affected Roots from NSS after the SSL certificates issued before
> October 1, 2016, have expired or have been replaced.

That should be in approximately 39 months' time, as that's the max issuance length allowed by the BRs.

> 4. Provide auditor attestation that a full performance audit has been
> performed confirming compliance with the CA/Browser Forum's Baseline
> Requirements[6]. This audit may be part of an annual WebTrust BR
> audit. It must include a full security audit of the CA’s issuing
> infrastructure.

I would recommend that Mozilla retain the option to approve the security auditor, and that it be an external company.

> 5. 100% embedded CT for all issued certificates, with embedded SCTs
> from at least one Google and one non-Google log not controlled by the
> CA.

StartCom/WoSign have indicated to me that they may have trouble complying with the non-Google log requirement because it's hard to find a non-Google log which can scale sufficiently. I suggest we allow them some leeway on this, but they need to demonstrate evidence of efforts to meet the requirement. If anyone reading controls a CT log which could accept their volume, even for payment, please contact StartCom/WoSign and let Mozilla know you have done so.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

