On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
dev-security-policy <[email protected]> wrote:

>
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
> > dev-security-policy <[email protected]> wrote:
> >
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> >>
> >> Please note this email topic is just for releasing the news that WoSign
> >> new system passed the security audit, just for demonstration that we
> >> finished item 5:
> >> " 5. Provide auditor[3] attestation that a full security audit of the
> >> CA’s issuing infrastructure has been successfully completed. "
> >> " [3] The auditor must be an external company, and approved by Mozilla. "
> >
> > It also seems a bit strange to report item 5 "successfully completed"
> > before we hear anything about the other items. How about starting with item
> > 1? What are your plans for fixing the problems?
>
> It’s worth noting that the problems have not stopped yet. There are a
> bunch of certificates issued over the past few months that do not comply
> with the Baseline Requirements issued from the new "StartCom BR SSL ICA",
> for example:
>


It's worth noting that, on the basis of the security audit report full
details shared by WoSign, the system that was security audited does not
comply with the Baseline Requirements, nor, as designed, can it. The system
would need to undergo non-trivial effort to comply with the Baseline
Requirements.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy