Dear Gerv,

We’ll rewrite all the code in a different programming language or buy 3rd-party 
components (for example: PKI). The WoSign team uses .Net, but my team never uses 
.Net; they are good at C/C++, PHP and Python.

Thanks,
Xiaosheng Tan



On 2016/10/14 at 11:01 PM, "dev-security-policy on behalf of Gervase 
Markham" <dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org on behalf of 
g...@mozilla.org> wrote:

    Hi Inigo,
    
    On 14/10/16 09:16, Inigo Barreira wrote:
    > In this link,
    > https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf,
    > you'll find the detailed remediation plan for StartCom as was notified last
    > week.
    
    Thanks for this. Is this a correct summary of the situation as regards
    the origin of the codebases?
    
    Website/Ordering System
    
    Before: WoSign-authored, but not the same as the one WoSign uses
    After:  Same WoSign-authored code, audited and improved by Qihoo R&D
    
    CMS
    
    Before: WoSign-authored, but not the same as the one WoSign uses
    After:  Same WoSign-authored code, audited and improved by Qihoo R&D
    
    PKI
    
    Before: WoSign-authored, same code that WoSign uses
    After:  StartCom-authored, improved by Qihoo R&D (short term)
            Third-party solution (medium term)
    
    OCSP/CRL
    
    Before: WoSign-authored, same code that WoSign uses
    After:  Same WoSign-authored code, audited and improved by Qihoo R&D
    
    
    From my perspective, the "technical separation" part is more than just
    "not using the same servers WoSign uses" or "not running the same code
    that WoSign runs". One of the things we have lost confidence in is the
    coding of the WoSign development team, and therefore any piece of code
    remaining which they wrote is suspect - no matter whether it is
    StartCom-specific or also run by WoSign.
    
    Given that, it is concerning that after your plan is executed, 3 of the
    4 key systems will still be running WoSign-authored codebases, even if
    they have been audited and improved to some degree by Qihoo R&D. For
    each system where that is true, I think that Mozilla may wish to require
    a full external security audit, which would both be expensive and
    time-consuming (and may lead to a great deal of remediation required).
    
    Was consideration given to switching back to the old StartCom codebase,
    or buying in a third party solution, for the website, the CMS or the
    OCSP/CRL function?
    
    Gerv
    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy
    
