I didn't understand the original below comment by StartCom very well about the cross-sign, but after Ryan's message I understand it better in retrospect:
> On Thu, Sep 14, 2017 at 11:05 AM, Inigo Barreira via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > > I´ve never said this. In fact, despite having that cross-signed which were provided to us in july we have never used and provided to any of our customers to build a trusted path. So none of those 50000, or the new ones, go with the Certinomis path because none have it. But all those 50000 certs are untrusted because we´re not in the Mozilla root, not the new one, and the old one was distrusted. > > In fact, recently, I asked for permission to use the Certinomis cross-signed certificates and have no response. I don´t know if this is an administrative silence which may allow me to use it but until having a clear direction we haven´t used it. So this appears to be saying that "all those 50000 certs are untrusted" because StartCom didn't provide the full chain to customers, even though such a chain could be constructed. The cross-signature wasn't published in CT until August 2nd, but that's not any sort of guarantee that the cross-signature wasn't discoverable by other means -- its availability until August 2nd is a function of actions by Certinomis that are not disclosed. The August 2nd date is also after StartCom's actions were being publicly questioned, so it suggests the possibility that the cross-signature would have been kept secret for longer, and was only submitted to CT once scrutiny had increased. Whether the cross-cert was issued before the audit report date is also a mystery, especially if it's possible that either Certinomis or StartCom was operating under the assumption that the cross-signature is irrelevant until "delivered" to customers. StartCom has remarked several times in this thread that they are being treated unfairly, but I can think of at least one comparison to a previous distrust event, which is that one of the more significant (in my opinion) issues with Symantec's now-deprecated PKI is that there existed chains that brought U.S. Federal PKI certificates into being trusted by Mozilla. Those chains were, as far as I know, never delivered proactively to customers, but could easily be constructed by any interested party with sufficient knowledge of the universe of cross-signatures. For example, Qualys' SSL Labs reports would automatically construct those chains for sites using FPKI certs, and let users download the full chain in one click. The threat model here is not what ordinary inexpert customers do, but what opportunities an adversary has available to them among the universe of trusted CAs to obtain certificates. In the Symantec/FPKI case, the problem was that an adversary could easily use an FPKI certificate to intercept connections made by Mozilla products, whether or not Symantec or the FPKI ever advertised or proactively enabled this use case. What made this such a big issue, in addition to the scope of the technical impact, is that the issue was not noticed or elevated for years, during which multiple "generations" of cross-signs had been issued and expired. It brought Symantec's ability to understand their own PKI into serious question. So I think the biggest issue here is not so much the technical impact, but that StartCom was communicating inaccurate information to Mozilla. The certs were publicly trusted by Certinomis, whether the cross-signature was delivered to StartCom or to customers or to no one. While presumably this inaccuracy was unintentional, it was enough to cause Gerv to express public confusion and doubt about whether the certificates were part of the cross-signed hierarchy. It also reflects a potentially dangerous difference of perspective between StartCom and root stores in how StartCom evaluates the trust and impact of the certificates they issue. For a CA that has been operating for as long as StartCom has, I think it's fair to describe this as concerning. I also think that Certinomis, whose cross-signing practices are now being scrutinized, should proactively post to this list with a timeline of its own actions during this process, so that their actions can be understood in the context of StartCom's. -- Eric _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy