Hi Inigo,

On 14/10/16 09:16, Inigo Barreira wrote:
> In this link,
> https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf,
> you´ll find the detailed remediation plan for StartCom as was notified last
> week. 

Thanks for this. Is this a correct summary of the situation as regards
the origin of the codebases?

Website/Ordering System

Before: WoSign-authored, but not the same as the one WoSign uses
After:  Same WoSign-authored code, audited and improved by Qihoo R&D

CMS

Before: WoSign-authored, but not the same as the one WoSign uses
After:  Same WoSign-authored code, audited and improved by Qihoo R&D

PKI

Before: WoSign-authored, same code that WoSign uses
After:  StartCom-authored, improved by Qihoo R&D (short term)
        Third-party solution (medium term)

OCSP/CRL

Before: WoSign-authored, same code that WoSign uses
After:  Same WoSign-authored code, audited and improved by Qihoo R&D


From my perspective, the "technical separation" part is more than just
"not using the same servers WoSign uses" or "not running the same code
that WoSign runs". One of the things we have lost confidence in is the
coding of the WoSign development team, and therefore any piece of code
remaining which they wrote is suspect - no matter whether it is
StartCom-specific or also run by WoSign.

Given that, it is concerning that after your plan is executed, 3 of the
4 key systems will still be running WoSign-authored codebases, even if
they have been audited and improved to some degree by Qihoo R&D. For
each system where that is true, I think that Mozilla may wish to require
a full external security audit, which would both be expensive and
time-consuming (and may lead to a great deal of remediation required).

Was consideration given to switching back to the old StartCom codebase,
or buying in a third party solution, for the website, the CMS or the
OCSP/CRL function?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to