On 26/02/2018 21:28, Ryan Sleevi wrote:
On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <
[email protected]> wrote:
On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <
[email protected]> wrote:
On 26/02/2018 10:27, Kurt Roeckx wrote:
I just came across this:
https://www.recordedfuture.com/code-signing-certificates/
I think the most important part of it is: "we confirmed with a high
degree of certainty that the certificates are created for a specific
buyer
per request only and are registered using stolen corporate identities"
I believe the claims there require investigation by the named CAs
(Comodo and Digicert (Symantec) brands) and an appropriate incident
report regarding the claimed misissuances.
While I agree in theory, I don't think sufficient information has been
provided to allow a CA to investigate.
These are (allegedly) genuine misissuances to entities other than
the identities named in the certificates, rather than technical
"misissuances" in violation of formal technical requirements.
These also appear to be systematic, as the alleged black market
vendors claim to obtain such misissued certificates on demand.
If the claims in that article are true, one or more vetting
procedures obviously fall short of their required effectiveness.
This may or may not be in accordance with BR and CPS minimum
procedures, but it is obviously an ongoing and true danger to the
relying parties at large.
These claims haven't been substantiated, but with multiple CAs allegedly
vulnerable, this appears to be a weakness in the EV Guidelines.
I'm not sure we have sufficient information to evaluate that. The article
apparently conflates EV SSL with EV CodeSigning, the latter of which is
vastly different in nature and requirements than the former (and with the
former being relevant to scope of the Forum's activities)
The original document (linked to in the OP) states that *both* were
being offered by these black market operators.
Further, it does not distinguish between the potential to obtain
correctly-validated certificates due to compromised infrastructure, or the
pre-existing set of certificates due to compromised keys or issuance
credentials.
The document emphasizes that the black market sellers made claims that
would be most consistent with getting new certificates on demand, but
the researcher did not buy a full certificate to be inspected, and
didn't publish the (public) part of the certificate he convinced the
seller to demonstrate control of.
It's these ambiguities that allow no reasonable conclusion to be made
Hence why an investigation is needed by the 3 CAs named in the paper
(Comodo, Digicert and Apple). They will probably have to do some deep
log inspection to figure out patterns, besides reaching out to the
researcher to see the raw data in confidence.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
