On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs <[email protected]> wrote:
> On Tuesday, 22 November 2016 21:37:08 UTC+1, Lewis Resmond wrote:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new
> CA is now the target. You can find the cert mentioned there here [2] and the
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and are currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent". I assume that this means Certum holds the keys for these intermediates and WoSign is essentially acting as a reseller. I don't think that's something Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority for certificates issued under that intermediate and what the auditing and disclosure requirements for that would be - maybe someone more familiar with the BRs can comment. WoSign acting as an RA prior to finishing the re-application process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

