A couple of thoughts:
1) CertCenter is not a CA or RA. They have a custom named ICA that is hosted 
and operated by DigiCert. All validation, issuance, and linting is performed by 
DigiCert prior to issuance. 
2) Lots of cert customers have insecure websites. This indicates CAs should 
scan websites for vulnerabilities. If that's the case, there will be lots of 
revocations and that needs to be built into the Mozilla policy if required.
3) The only way we know that CertCenter is a reseller is by 
self-identification. They use the same issuance and validation system as all 
other customers. If they didn't self-identify as a reseller, they could do the 
same thing and look like an enterprise. 
4) I think they took their website down once the vulnerability was reported. 
We've asked them to fix the site because it's high profile. However, if the 
customer was something like Mozilla or Google, would we demand revocation of 
their certificates? Granted, they wouldn't have the same vulnerabilities, but 
I'm having a hard time differentiating from the CA perspective. 
5) Generating private keys for third parties is definitely NOT encouraged by 
DigiCert.

Anyway, I'm not sure what to do here as it seems like the main difference between 
this and any other insecure website is how they self-identify. 

Jeremy

-----Original Message-----
From: dev-security-policy <dev-security-policy-boun...@lists.mozilla.org> On 
Behalf Of Alex Gaynor via dev-security-policy
Sent: Thursday, January 10, 2019 7:10 AM
To: Buschart, Rufus <rufus.busch...@siemens.com>
Cc: Alex Cohn <a...@alexcohn.com>; 
mozilla-dev-security-pol...@lists.mozilla.org; Hanno Böck <ha...@hboeck.de>
Subject: Re: AlwaysOnSSL web security issues

The Mozilla policy does not prohibit backdating, except when it's used to evade 
time-based policy controls.

Backdating certs by a few hours is a relatively common practice to minimize 
breakages for consumers with busted clocks.

Alex

On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via dev-security-policy < 
dev-security-policy@lists.mozilla.org> wrote:

>  The certificate [1] seems also to be 'back-dated' by about 18 hours. 
> What is Mozilla's opinion about this in the light of 
> https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdating_the_notBefore_Date
> ?
>
> > It appears AlwaysOnSSL is not completely disabled - if we trust CT 
> > as a timestamping service, [1] was issued after Hanno's email.
> [...]
> > [1] https://crt.sh/?id=1097197338
> [...]
> > > On Wed, Jan 9, 2019 at 8:59 AM Hanno Böck via dev-security-policy <
> > > dev-security-policy@lists.mozilla.org> wrote:
> > >
> > > Hi,
> > >
> > > AlwaysOnSSL was a free certificate authority operated by CertCenter.
> > > I recently noticed that their main webpage was gone, but pieces of 
> > > the service were still online.
> > > I immediately found a few web security issues. I reported those to 
> > > certcenter and digicert (which is the root CA their intermediate 
> > > chains to).
> [...]
> > > In response to this the service was completely disabled.
> [...]
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
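The quoted exchange above treats the CT log as a timestamping service: Rufus reads the certificate's notBefore as about 18 hours before its log entry, and Alex Gaynor notes that a gap of a few hours is common and not itself forbidden. The following is an added example, not code from anyone in this thread or from DigiCert or CertCenter. It parses the embedded SCT list in the RFC 6962 section 3.3 wire format (the payload of the 1.3.6.1.4.1.11129.2.4.2 extension once the outer OCTET STRING has been stripped), takes the earliest SCT timestamp as the log's issuance time, and reports how far notBefore precedes it. The sample bytes are constructed for this example and are not the crt.sh certificate [1]; the 6-hour tolerance, the function names, and the dummy SCT signatures are assumptions (signatures are not verified here).

```python
"""Compare a certificate's notBefore with its embedded SCT timestamps to
measure backdating. Added example with constructed data; the tolerance and
names below are assumptions, not Mozilla policy or DigiCert practice."""
import struct
from datetime import datetime, timedelta, timezone

# Assumed tolerance for illustration: a few hours of backdating is common
# practice (busted client clocks); anything larger is worth a closer look.
BACKDATE_TOLERANCE = timedelta(hours=6)


def parse_sct_list(data: bytes) -> list:
    """Parse a SignedCertificateTimestampList (RFC 6962 s3.3).

    Wire format:
      uint16 total_len
      repeated: uint16 sct_len, then one SCT (RFC 6962 s3.2):
        uint8 version(0), opaque log_id[32], uint64 timestamp_ms,
        uint16 ext_len, extensions, uint8 hash_alg, uint8 sig_alg,
        uint16 sig_len, signature
    """
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        (sct_len,) = struct.unpack_from(">H", data, pos)
        pos += 2
        sct = data[pos:pos + sct_len]
        if len(sct) != sct_len:
            raise ValueError("truncated SCT")
        pos += sct_len
        version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", sct, 0)
        if version != 0:
            raise ValueError(f"unsupported SCT version {version}")
        off = 1 + 32 + 8 + 2 + ext_len
        hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", sct, off)
        off += 4
        sig = sct[off:off + sig_len]
        if len(sig) != sig_len:
            raise ValueError("truncated SCT signature")
        scts.append({
            "log_id": log_id.hex(),
            "timestamp": datetime.fromtimestamp(ts_ms / 1000, tz=timezone.utc),
            "hash_alg": hash_alg,
            "sig_alg": sig_alg,
            "signature": sig,
        })
    return scts


def encode_sct_list(entries) -> bytes:
    """Build a SignedCertificateTimestampList from (log_id, datetime) pairs.
    Signatures are dummy bytes: this example checks timestamps, not signatures."""
    body = b""
    for log_id, ts in entries:
        ts_ms = int(ts.timestamp() * 1000)
        sct = struct.pack(">B32sQH", 0, log_id, ts_ms, 0)      # v1, no extensions
        sct += struct.pack(">BBH", 4, 3, 4) + b"\x00" * 4       # sha256, ecdsa, dummy sig
        body += struct.pack(">H", len(sct)) + sct
    return struct.pack(">H", len(body)) + body


def backdating(not_before: datetime, scts) -> timedelta:
    """Earliest SCT timestamp minus notBefore. A positive value is how far
    notBefore precedes the first log entry, i.e. the amount of backdating if
    the CT log is trusted as the timestamping service."""
    earliest = min(s["timestamp"] for s in scts)
    return earliest - not_before


def assess(not_before: datetime, sct_list: bytes, tolerance=BACKDATE_TOLERANCE):
    """Return (delta, verdict) for a notBefore and raw SCT list bytes."""
    delta = backdating(not_before, parse_sct_list(sct_list))
    if delta <= timedelta(0):
        verdict = "not backdated"
    elif delta <= tolerance:
        verdict = "backdated within tolerance"
    else:
        verdict = "backdated beyond tolerance"
    return delta, verdict


# Constructed sample: notBefore at 12:00 UTC, two SCTs roughly 18 hours later.
SAMPLE_NOT_BEFORE = datetime(2019, 1, 9, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_SCTS = encode_sct_list([
    (b"\x11" * 32, datetime(2019, 1, 10, 6, 2, 0, tzinfo=timezone.utc)),
    (b"\x22" * 32, datetime(2019, 1, 10, 6, 5, 30, tzinfo=timezone.utc)),
])

if __name__ == "__main__":
    delta, verdict = assess(SAMPLE_NOT_BEFORE, SAMPLE_SCTS)
    print(f"notBefore precedes earliest SCT by {delta}: {verdict}")
```

To run this against a real certificate, extract the extension value with your X.509 library of choice and strip the outer DER OCTET STRING before passing the bytes to parse_sct_list; crt.sh exposes the same SCT timestamps in its certificate view. Using the earliest SCT rather than any single log keeps a slow log from inflating the measured gap.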