Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-11-07 Thread Percy
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> The security blog about Distrusting New WoSign and StartCom Certificates has 
> been published:
> 
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> 
> Chinese translations of it will be posted soon.
> 
> Thanks,
> Kathleen

StartCom finally posted an announcement publicly on Nov. 3 
https://startssl.com/NewsDetails?date=20161103
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 4:40:49 PM UTC-7, Percy wrote:
> Ryan,
> It's great Chrome will distrust WoSign and StartCom. Google's blog post
> stated that "Due to a number of technical limitations and concerns, Google
> Chrome is unable to trust all pre-existing certificates while ensuring our
> users are sufficiently protected from further misissuance." Could you
> elaborate on what whitelist method Google will adopt?

You should star this bug - 
https://bugs.chromium.org/p/chromium/issues/detail?id=661003 - for additional 
details.


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 5:07:06 PM UTC-7, nessun...@gmail.com wrote:
> I see that Google's response (and Apple's) is harsher than Mozilla's, by 
> categorically distrusting WoSign and StartCom without granting the option, as 
> Mozilla does, to resubmit a new CA application after a set period of time 
> through which they work to correct their flawed procedures.

(Wearing a Google hat)

Though omitted from the post, which focused on impact and options for users and 
site operators, it's not correct to conclude that it's impossible to 
re-establish trust.


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread nessuno . acasa
I see that Google's response (and Apple's) is harsher than Mozilla's, by 
categorically distrusting WoSign and StartCom without granting the option, as 
Mozilla does, to resubmit a new CA application after a set period of time 
through which they work to correct their flawed procedures. 


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
Ryan,
It's great Chrome will distrust WoSign and StartCom. Google's blog post
stated that "Due to a number of technical limitations and concerns, Google
Chrome is unable to trust all pre-existing certificates while ensuring our
users are sufficiently protected from further misissuance." Could you
elaborate on what whitelist method Google will adopt?

Furthermore, even though Google is completely blocked in China, news about
Google is mostly not censored. Is it possible for Google to have a Chinese
translation as well, especially regarding WoSign? Such a translation can
accelerate the early removal process.


Percy Alpha (PGP)


On Mon, Oct 31, 2016 at 4:18 PM, Ryan Sleevi wrote:

> On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> > The security blog about Distrusting New WoSign and StartCom Certificates
> has been published:
> >
> > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> >
> > Chinese translations of it will be posted soon.
> >
> > Thanks,
> > Kathleen
>
> Google has now posted its response, in light of the findings and
> discussion helpfully driven by Mozilla, at
> https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html
>


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> The security blog about Distrusting New WoSign and StartCom Certificates has 
> been published:
> 
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> 
> Chinese translations of it will be posted soon.
> 
> Thanks,
> Kathleen

Google has now posted its response, in light of the findings and discussion 
helpfully driven by Mozilla, at 
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Percy
Kathleen,
This coverage is very encouraging! Among the sites you included, huanqiu, which 
is a newspaper operated by the central government, is notable. So far, no 
censorship has been observed, contrary to the blanket censorship of the 
previous CNNIC case. 


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Kathleen Wilson
More links in simplified Chinese:
Weibo: http://weibo.com/1663337394/EeutZ447K?type=comment#_rnd1477447436655
Toutiao: http://www.toutiao.com/i6345313124182131201/


Below is some coverage from China; all of it contained message pull-through 
from Mozilla's blog post and mentioned WoSign's response:

https://linux.cn/article-7898-1.html
https://www.sslchina.com/news20161025-mozilla-distrusted-new-wosign-and-startcom-certificates/
http://www.pcpop.com/doc/3/3522/3522780.shtml
http://www.solidot.org/story?sid=50116
http://www.cnbeta.com/articles/551603.htm
http://digi.163.com/16/1025/13/C47QM5EU001687H3.html
http://mobile.163.com/16/1025/13/C47QJPD300118023.html
http://tech.huanqiu.com/diginews/2016-10/9598056.html
http://www.d1net.com/security/vendor/438705.html
http://www.chinaz.com/free/2016/1025/600531.shtml





Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Nigel Kukard
On Tuesday, 25 October 2016 4:30:39 PM UTC Percy wrote:
> StartCom on the other hand, issued no announcement
> (https://startssl.com/News) even under multiple explicit inquiries from
> multiple users
> (https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1542d3ecc10).

There is an announcement when you log in which I've attached:
"Mozilla decided to distrust all StartCom root certificates as of 21st of 
October, this situation will have an impact on the upcoming release of Firefox 
in January. StartCom will provide an interim solution soon and will replace 
all the issued certificates from that date if requested. Meanwhile 
StartCom is updating all their systems and will generate new root CAs as 
requested by Mozilla."

-N


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
That you have to ask WoSign. 

The exact wording is 
"将增加一个产品选项,用户可以选购从新的沃通(WoSign)中级根证书下签发的支持所有浏览器(包括火狐浏览器)的SSL证书,在过渡期八折优惠。此中级根证书将由全球信任的其他CA根证书签发,支持所有浏览器和所有新老终端设备。此项产品升级计划一个月内完成并为广大用户提供证书服务;"

My translation: [WoSign] will add a new product selection. Users can choose SSL 
certs signed by the new WoSign intermediate cert. The SSL certs will be trusted 
by all browsers (including Firefox). The certs will be 20% off in this 
transition period. The certs will be signed by a publicly trusted CA which 
supports all browsers and all OSes, old or new. This product upgrade is 
expected to be completed within a month and will provide our users the 
certificate service they need. 


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Patrick Figel
On 26/10/16 01:27, Percy wrote:
> WoSign will roll out a globally trusted intermediate cert to sign new
> certs with the existing WoSign system that had so many control
> failures.
> 
> Does Mozilla and this community accept such a work-around for WoSign?
> If we do, then what's the point of distrust those WoSign root certs?
> If not, then what's an appropriate response for WoSign's
> announcement?

Has WoSign publicly stated that this will be an intermediate certificate
for which they hold the private key, or could this simply mean they'll
act as a (kind of) white-label reseller for some other CA until they've
completed the (re-)application process?

I don't think Mozilla should allow WoSign to use a new cross-signed
intermediate under their control until they've completed the application
process, but I don't see the problem if they plan to act as a reseller
for now to keep their business operational. If this is indeed Mozilla's
policy on this issue (and not just my opinion), it might be worth
thinking about communicating this to CAs to avoid trouble down the line.

Hopefully WoSign will be able to comment on this and clarify their plans.


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
StartCom on the other hand, issued no announcement (https://startssl.com/News) 
even under multiple explicit inquiries from multiple users 
(https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1542d3ecc10).


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
WoSign has posted an announcement regarding Mozilla's decision. In the 
announcement, WoSign stated 

WoSign actively cooperated with the investigation and has always fixed all the 
issues immediately after their discovery, and called Mozilla's decision 
"exceptionally severe".

Certs issued by existing WoSign roots will be 90% off from Oct 22nd.

WoSign will launch a new WoSign intermediate cert to continue to sell certs 
trusted by all browsers including Firefox. The intermediate cert will be signed 
by another trusted root CA. This is scheduled to launch within a month. 

-
The full announcement is translated below.
https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm

Announcement about the Mozilla Incident
Release Date: 2016-10-24
On August 24, Mozilla launched an investigation into WoSign CA and published 
a list of questions (Wiki) listing all the issues from the period March 2015 
to July 2016. WoSign addressed these issues with a careful investigation and 
released the investigation report; some issues have been clarified and all 
issues had been fixed immediately after their discovery. WoSign actively 
cooperated with the investigation and argued for the best interests of users, 
to ensure that certificates issued previously would not be affected.
On October 21, Mozilla released its final response to WoSign. WoSign has the 
following statement regarding this incident:
1. The results of the incident
We are very sorry to see that Mozilla has decided to no longer trust the four 
WoSign root certificates from October 22 onwards;
After June 1, 2017, after satisfying Mozilla's 6-point operational 
requirements, WoSign CA can re-apply through the Mozilla root certificate 
inclusion process for the inclusion of a new root certificate.
2. The impact of the incident on users
All SSL certificates issued on or before October 21 (including the 21st) are 
not affected and can be trusted normally by the Mozilla Firefox browser; SSL 
certificates issued after October 21 from the 4 WoSign root certificates will 
not be trusted by Firefox.
All code-signing certificates, client certificates, and signature platforms 
(WoSignDoc) issued from the four WoSign roots are unaffected.
3. WoSign's response measures after the incident
We will update the digital certificate store website. From October 22, all SSL 
certificates from the four WoSign root certificates will be 90% off; the free 
SSL certificate service continues to be closed;
We will add a product option: users can choose SSL certificates issued under 
the new WoSign intermediate root certificate, supporting all browsers 
(including Firefox), at 20% off during the transitional period. This 
intermediate root certificate will be issued by other globally trusted CA root 
certificates, supporting all browsers and all new and existing terminal 
devices. The product upgrade plan is scheduled to be completed within one 
month and to provide certificates for the majority of users;
We will actively operate in accordance with the 6 points required by Mozilla, 
so as to complete the inclusion of the new root certificate in the various 
browser systems as soon as possible after June 1, 2017;
We have conducted and will continue to conduct a comprehensive security audit 
of all systems and strengthen their upgrading, while improving the various 
internal control management systems and forming an international standards 
research team and an internal audit team to ensure that all systems 100% meet 
international standards and all business operations are in strict accordance 
with international standard operating requirements; we will strengthen 
enforcement so that staff operate in strict accordance with the standards, 
and offenders will be severely punished.
Mozilla's sanctions are exceptionally severe, but we will sincerely accept 
them and carry out profound reflection and improvement, continue to improve 
system reliability, security and compliance, and strictly comply with the 
various international standards and the security management strategies 
designated by the various browser vendors.
We know that the international road for a Chinese CA is still very long, but 
WoSign's plan from the beginning to build a world-class PKI certificate 
service will stay the same! We will continue to contribute to building a safe 
and trusted global Internet environment, and actively promote the integration 
of Chinese and international PKI/CA standards systems.
Thank you very much to the majority of our users and partners for your 
continued trust! It is with your support and companionship that WoSign has 
gone through ten years of wind and rain, and achieved a share of nearly 50% of 
the SSL certificate market in China and sixth place in the global market; we 
hope to continue with you towards the next, more brilliant decade!


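The notBefore cutoff described in the WoSign announcement above, together with the cross-signed-intermediate question Patrick Figel raised earlier in the thread, as an added Go example that is not part of any post: it verifies a chain with the standard library and then applies a root distrust keyed on the leaf's issuance date. The roots, intermediate and leaves are constructed inside the code, and the midnight-UTC cutoff is an assumption taken from the thread's wording rather than Mozilla's exact implementation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// Cutoff as the thread words it: leaves issued after 2016-10-21 under a distrusted root are rejected (midnight UTC assumed).
var cutoff = time.Date(2016, 10, 22, 0, 0, 0, 0, time.UTC)
// newCert builds a constructed test certificate; a nil parent makes it a self-signed root.
func newCert(cn string, isCA bool, nb time.Time, parent *x509.Certificate, pk *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: nb.Add(365 * 24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil { parent, pk = tpl, key } // self-signed
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, &key.PublicKey, pk)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// trusted: the chain must verify, and a chain ending in a distrusted root (keyed by the SHA-256 of its DER) is accepted only for leaves issued before the cutoff.
func trusted(leaf *x509.Certificate, inters, roots []*x509.Certificate, distrusted map[[32]byte]bool) bool {
	pool := func(cs []*x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); for _, c := range cs { p.AddCert(c) }; return p }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool(roots), Intermediates: pool(inters), CurrentTime: leaf.NotBefore.Add(time.Hour)})
	if err != nil { return false }
	for _, ch := range chains { // any one path to a root that is not distrusted suffices
		if !distrusted[sha256.Sum256(ch[len(ch)-1].Raw)] || leaf.NotBefore.Before(cutoff) { return true }
	}
	return false
}
// Scenario plays the thread's three cases: an old and a new leaf under the distrusted root, and a new leaf under an intermediate cross-signed by a different, still-trusted root.
func Scenario() (oldOK, newOK, crossOK bool) {
	bad, badKey := newCert("Distrusted Root (constructed)", true, cutoff.AddDate(0, -6, 0), nil, nil)
	other, otherKey := newCert("Other Root (constructed)", true, cutoff.AddDate(0, -6, 0), nil, nil)
	xInter, xKey := newCert("Cross-signed intermediate", true, cutoff.Add(24*time.Hour), other, otherKey)
	oldLeaf, _ := newCert("old leaf", false, cutoff.Add(-48*time.Hour), bad, badKey)
	newLeaf, _ := newCert("new leaf", false, cutoff.Add(48*time.Hour), bad, badKey)
	xLeaf, _ := newCert("leaf via cross-sign", false, cutoff.Add(48*time.Hour), xInter, xKey)
	roots, dist := []*x509.Certificate{bad, other}, map[[32]byte]bool{sha256.Sum256(bad.Raw): true}
	return trusted(oldLeaf, nil, roots, dist), trusted(newLeaf, nil, roots, dist), trusted(xLeaf, []*x509.Certificate{xInter}, roots, dist)
}
func main() { fmt.Println(Scenario()) } // prints: true false true
```

The third case is why the thread asks whether a cross-signed intermediate is acceptable: a date-keyed distrust of specific roots does nothing to a chain that ends at a different, still-trusted root.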