All,

I have filed the following two bugs.

WoSign Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 

StartCom Action Items:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311832

I will work on a security blog that will probably get posted early next week. 
It will point to these two bugs, and list the actions Mozilla plans to take.

As we have been discussing, Mozilla plans to take the following actions:

1) Distrust certificates with a notBefore date after October 21, 2016 which 
chain up to the following affected roots. If additional back-dating is 
discovered (by any means) to circumvent this control, then Mozilla will 
immediately and permanently revoke trust in the affected roots.
a) This change will go into the Firefox 51 release train.
b) The code will use the following Subject Distinguished Names to identify the 
root certificates, so that the control will also apply to cross-certificates of 
these roots.
i) CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN 
ii) CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN 
iii) CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, 
C=CN 
iv) CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN 
v) CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
O=StartCom Ltd., C=IL 
vi) CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL 

2) Add the previously identified backdated SHA-1 certificates chaining up to 
these affected roots to OneCRL.

3) No longer accept audits carried out by Ernst & Young Hong Kong.

4) Remove these affected root certificates from Mozilla’s root store at some 
point in the future. If the CA's new root certificates are accepted for 
inclusion, then Mozilla may coordinate the removal date with the CA’s plans to 
migrate their customers to the new root certificates. Otherwise, Mozilla may 
choose to remove them at any point after March 2017.

5) Mozilla reserves the right to take further or alternative action.


This discussion is still open, and I will still continue to appreciate your 
input on this topic.

Thanks,
Kathleen


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
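A worked illustration of the distrust rule in item 1 above, added here as an example; it is not code from Mozilla, NSS or the message itself. It matches on Subject DN (so a cross-certificate of an affected root, which carries the same subject under a different issuer, is caught as well) and applies the notBefore cutoff to the end-entity certificate. The chain records are constructed for the example rather than real certificates; the exact time of day of the cutoff, the reading of "OU=null" as an absent OU attribute, and the string-based DN comparison are assumptions.

```python
"""Distrust check for certificates chaining to the listed WoSign/StartCom roots.

Added example, not Mozilla's or NSS's implementation. Rule illustrated:
the end-entity certificate is distrusted if its notBefore is after
2016-10-21 and any certificate in its chain has one of the affected
Subject DNs (so cross-certificates of those roots are covered too).
"""
from datetime import datetime, timezone

# Subject DNs as listed in the message. "OU=null" as printed there is read
# here as "no OU attribute" (assumption).
AFFECTED_ROOT_DNS = [
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
]

# Assumption: "after October 21, 2016" means strictly later than the end of
# that day in UTC.
CUTOFF = datetime(2016, 10, 21, 23, 59, 59, tzinfo=timezone.utc)


def parse_dn(dn):
    """Turn 'CN=x, OU=null, O=y, C=z' into a tuple of (attr, value) pairs.

    'OU=null' is dropped so a DN printed that way compares equal to one that
    simply has no OU. Escaped commas inside values are not handled: a real
    implementation should compare the DER-encoded Name, not a string.
    """
    pairs = []
    for rdn in dn.split(", "):
        attr, _, value = rdn.partition("=")
        attr, value = attr.strip().upper(), value.strip()
        if attr == "OU" and value.lower() == "null":
            continue
        pairs.append((attr, value))
    return tuple(pairs)


AFFECTED = {parse_dn(dn) for dn in AFFECTED_ROOT_DNS}


def affected_subject(chain):
    """Return the Subject DN of the first chain element whose subject is an
    affected root DN, or None. Because the match is on Subject DN rather
    than on the trust anchor, a cross-certificate of an affected root (same
    subject, different issuer) triggers the rule as well."""
    for cert in chain:
        if parse_dn(cert["subject"]) in AFFECTED:
            return cert["subject"]
    return None


def is_distrusted(chain, cutoff=CUTOFF):
    """chain[0] is the end-entity certificate (leaf first, root last).
    Distrusted when the leaf's notBefore is after the cutoff AND the chain
    passes through an affected Subject DN."""
    if not chain:
        raise ValueError("empty chain")
    if chain[0]["not_before"] <= cutoff:
        return False
    return affected_subject(chain) is not None


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed chains (not real certificates), leaf first.
WOSIGN_ROOT = AFFECTED_ROOT_DNS[1]
STARTCOM_ROOT = AFFECTED_ROOT_DNS[4]
WOSIGN_INT = "CN=WoSign Example Intermediate, O=WoSign CA Limited, C=CN"
OTHER_ROOT = "CN=Example Unrelated Root, O=Example, C=US"

CHAIN_NEW_WOSIGN = [  # issued after the cutoff, chains to an affected root
    {"subject": "CN=example.test", "issuer": WOSIGN_INT, "not_before": _utc(2016, 11, 1)},
    {"subject": WOSIGN_INT, "issuer": WOSIGN_ROOT, "not_before": _utc(2014, 1, 1)},
    {"subject": WOSIGN_ROOT, "issuer": WOSIGN_ROOT, "not_before": _utc(2010, 1, 1)},
]
CHAIN_OLD_WOSIGN = [  # same path, issued before the cutoff: still trusted
    {"subject": "CN=example.test", "issuer": WOSIGN_INT, "not_before": _utc(2016, 6, 1)},
    CHAIN_NEW_WOSIGN[1], CHAIN_NEW_WOSIGN[2],
]
CHAIN_CROSS_STARTCOM = [  # trust anchor is another root, but a cross-cert
    {"subject": "CN=cross.test", "issuer": STARTCOM_ROOT, "not_before": _utc(2017, 1, 15)},
    {"subject": STARTCOM_ROOT, "issuer": OTHER_ROOT, "not_before": _utc(2015, 1, 1)},
    {"subject": OTHER_ROOT, "issuer": OTHER_ROOT, "not_before": _utc(2008, 1, 1)},
]
CHAIN_UNAFFECTED = [  # new certificate from an unrelated CA: unaffected
    {"subject": "CN=other.test", "issuer": OTHER_ROOT, "not_before": _utc(2017, 3, 1)},
    {"subject": OTHER_ROOT, "issuer": OTHER_ROOT, "not_before": _utc(2008, 1, 1)},
]

if __name__ == "__main__":
    for name, chain in [("new WoSign", CHAIN_NEW_WOSIGN), ("old WoSign", CHAIN_OLD_WOSIGN),
                        ("cross-signed StartCom", CHAIN_CROSS_STARTCOM), ("unaffected", CHAIN_UNAFFECTED)]:
        print(f"{name}: distrusted={is_distrusted(chain)} via={affected_subject(chain)}")
```

The cross-signed case is the one the message's point b) is about: the end-entity chains to an unaffected trust anchor, yet the rule still fires because an intermediate carries an affected Subject DN. In a real verifier the comparison should be made on the DER-encoded Name, and the list of DNs should be kept in sync with the program's own trust-store changes rather than hand-copied as here.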
