On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <[email protected]> wrote:
> On 26/02/2018 10:27, Kurt Roeckx wrote:
>> I just came across this:
>>
>> https://www.recordedfuture.com/code-signing-certificates/
>>
>> I think the most important part of it is: "we confirmed with a high
>> degree of certainty that the certificates are created for a specific buyer
>> per request only and are registered using stolen corporate identities"
>>
> I believe the claims there require investigation by the named CAs
> (Comodo and Digicert (Symantec) brands) and an appropriate incident
> report regarding the claimed misissuances.
>

While I agree in theory, I don't think sufficient information has been provided to allow a CA to investigate.

> These are (allegedly) genuine misissuances to entities other than
> the identities named in the certificates, rather than technical
> "misissuances" in violation of formal technical requirements.
>
> These also appear to be systematic, as the alleged black market
> vendors claim to obtain such misissued certificates on demand.
>
> If the claims in that article are true, one or more vetting
> procedures obviously fall short of their required effectiveness.
> This may or may not be in accordance with BR and CPS minimum
> procedures, but it is obviously an ongoing and true danger to the
> relying parties at large.
>

These claims haven't been substantiated, but with multiple CAs allegedly vulnerable, this appears to be a weakness in the EV Guidelines.

> While the Mozilla root store only cares about the EV SSL subset of
> these misissuances, the EV codesign misissuances may involve failure
> of procedures also used for Mozilla-trusted uses (SSL and S/MIME),
> and thus should be included in incident reports.
>
> The claims of misissuance for EV codesign certificates (only indirectly
> relevant to Mozilla) are highly likely to be true, as EV codesign is
> only available for SmartCard/HSM/USBToken stored private keys, making
> theft of properly issued certificates near impossible.
>
> Enjoy
>
> Jakob
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded

