More details:

https://twitter.com/aleksejspopovs/status/1666955050696966148

https://www.reddit.com/r/netsec/comments/144ygg7/acmesh_runs_arbitrary_commands_from_a_remote/

My one thought is this:

Shouldn't the root CA(s) that ultimately empower this reseller have some
process to ensure they only mint trusted authorities that only mint trusted
authorities and so on? And if a rogue intermediate/reseller CA pops up
shouldn't they deal with it?

Because otherwise, I can stand up a root CA, and then sign intermediate
CAs/resellers that do all the dirty/evil work and say "LOLZ. I'm a root CA.
I didn't sign this. It's this bad intermediate/reseller CA, go punish them"

And seeing as how you can stand up an intermediate/reseller in literal
minutes if you have a captive root CA to sign off on it...

I feel like the CCADB/Mozilla have abdicated responsibility in the sense of
"well the root CA didn't do anything technically wrong..." rather than
taking the approach of "shouldn't we encourage/force root CAs to be
responsible for their downstream CAs and ensure a safe ecosystem for
everyone?"



On Fri, Jun 9, 2023 at 7:04 AM Andrew Ayer <[email protected]> wrote:

> On Fri, 9 Jun 2023 05:42:22 -0700 (PDT)
> "John Han (hanyuwei70)" <[email protected]> wrote:
>
> > Here is the story.
> > https://github.com/acmesh-official/acme.sh/issues/4659
> >
> > Seems like they exploited acme.sh and let users evade the certificate
> > issuing procedure.
> >
> > Do we need to discuss this?
>
> The party in question (HiCA/QuantumCA) is not a certificate authority,
> and I don't see any evidence that the actual CAs in question evaded any
> validation requirements.
>
> HiCA/QuantumCA is just acting as an intermediary between subscribers
> and the issuance APIs operated by actual CAs[1]. Literally anyone can
> do this and do monumentally stupid/insecure things; it's not productive
> to have a discussion every time this happens.
>
> Regards,
> Andrew
>
> [1] It's true they have a reseller relationship with ssl.com, who are
> operating a white-label intermediate CA with "QuantumCA" in the
> subject, but HiCA/QuantumCA are also fronting other CAs, including
> GTS, which doesn't require a reseller agreement to access their free
> ACME API, so I don't see that aspect as being productive to discuss
> either.
>
> --
> You received this message because you are subscribed to the Google Groups "
> [email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20230609090430.3a4e8396e6e0b856fc81c6ab%40andrewayer.name
> .
>


-- 
Kurt Seifried (He/Him)
[email protected]

-- 
You received this message because you are subscribed to the Google Groups 
"[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CABqVa3-vC4ow5mHDY%3DY%3Df0GAv1mtMqnT6apVrNQa7mZuG7ZfyA%40mail.gmail.com.
