Hello,

Although HiCA is not a CA itself, the person who owns HiCA seems to also own (or at least work for) Quantum CA[1][2]. They also confirmed that Quantum CA is operated by both their team and the SSL.com team[3].

I think this is probably not as simple as a white-label intermediate CA being abused; rather, it is a CA that resells its own product to itself to avoid being punished for bad behaviors.

[1]: https://github.com/xiaohuilam (see "Pinned" section)
[2]: https://github.com/quantumca (see "People" section)
[3]: https://github.com/acmesh-official/acme.sh/issues/4659#issuecomment-1584546150 (note that this person never clarified their relationship with Quantum CA and only replied with "So this isn't the evidence to proof HiCA is a CA which managed PKI.")

Regards,
Zephyr Lykos

On Friday, June 9, 2023 at 9:04:34 PM UTC+8 Andrew Ayer wrote:

> On Fri, 9 Jun 2023 05:42:22 -0700 (PDT)
> "John Han (hanyuwei70)" <[email protected]> wrote:
>
> > Here is the story.
> > https://github.com/acmesh-official/acme.sh/issues/4659
> >
> > Seems like they exploited acme.sh and let users evade the certificate
> > issuing procedure.
> >
> > Do we need to discuss this?
>
> The party in question (HiCA/QuantumCA) is not a certificate authority, and I don't see any evidence that the actual CAs in question evaded any validation requirements. HiCA/QuantumCA is just acting as an intermediary between subscribers and the issuance APIs operated by actual CAs[1]. Literally anyone can do this and do monumentally stupid/insecure things; it's not productive to have a discussion every time this happens.
>
> Regards,
> Andrew
>
> [1] It's true they have a reseller relationship with ssl.com, who are operating a white-label intermediate CA with "QuantumCA" in the subject, but HiCA/QuantumCA are also fronting other CAs, including GTS, which doesn't require a reseller agreement to access their free ACME API, so I don't see that aspect as being productive to discuss either.
