Thanks Jeremy. The fact that CertCenter is just a reseller and not an RA was not obvious to me. To your point, building an insecure website on top of a CA's API does not strike me as something that we should be terribly worried about.
I would encourage DigiCert to ask CertCenter to discontinue the practice of generating private keys for their customers. - Wayne On Thu, Jan 10, 2019 at 11:00 AM Jeremy Rowley via dev-security-policy < [email protected]> wrote: > A couple of thoughts: > 1) CertCenter is not a CA or RA. They have a custom named ICA that is > hosted and operated by DigiCert. All validation, issuance, and linting is > performed by DigiCert prior to issuance. > 2) Lots of cert customers have insecure websites. This indicates CAs > should scan websites for vulnerabilities. If that's the case, there will be > lots of revocations and that needs to be built into the Mozilla policy if > required. > 3) The only way we know that CertCenter is a reseller is by > self-identification. They use the same issuance and validation system as > all other customers. If they didn't self-identify as a reseller, they could > do the same thing and look like an enterprise. > 4) I think they took their website down once the vulnerability was > reported. We've asked them to fix the site because it's high profile. > However, if the customer was something like Mozilla or Google, would we > demand revocation of their certificates? Granted, they wouldn't have the > same vulnerabilities, but I'm having a hard time differentiating from the > CA perspective. > 5) Generating private keys for third parties is definitely NOT encouraged > by DigiCert. > > Anyway, I'm not sure what do here as it seems like the main difference > between this and any other insecure website is how they self-identify. > > Jeremy > > -----Original Message----- > From: dev-security-policy <[email protected]> > On Behalf Of Alex Gaynor via dev-security-policy > Sent: Thursday, January 10, 2019 7:10 AM > To: Buschart, Rufus <[email protected]> > Cc: Alex Cohn <[email protected]>; > [email protected]; Hanno Böck <[email protected] > > > Subject: Re: AlwaysOnSSL web security issues > > The Mozilla policy does not prohibit backdating, except when it's used to > evade time-based policy controls. > > Backdating certs by a few hours is a relatively common practice to > minimize breakages for consumers with busted clocks. > > Alex > > On Thu, Jan 10, 2019 at 4:43 AM Buschart, Rufus via dev-security-policy < > [email protected]> wrote: > > > The certificate [1] seems also to be 'back-dated' by about 18 hours. > > What is Mozillas opinion about this in the light of > > https://wiki.mozilla.org/CA/Forbidden_or_Problematic_Practices#Backdat > > ing_the_notBefore_Date > > ? > > > > > It appears AlwaysOnSSL is not completely disabled - if we trust CT > > > as a > > timestamping service, [1] was issued after Hanno's email. > > [...] > > > [1] https://crt.sh/?id=1097197338 > > [...] > > > On Wed, Jan 9, 2019 at 8:59 AM Hanno Böck via dev-security-policy < > > [email protected]> wrote: > > > > > > > > Hi, > > > > > > > > AlwaysOnSSL was a free certificate authority operated by CertCenter. > > > > I recently noticed that their main webpage was gone, but pieces of > > > > the service were still online. > > > > I immediately found a few web security issues. I reported those to > > > > certcenter and digicert (which is the root CA their intermediate > > > > chains to). > > [...] > > > > In response to this the service was completely disabled. > > [...] > > _______________________________________________ > > dev-security-policy mailing list > > [email protected] > > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ > dev-security-policy mailing list > [email protected] > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
