Re: WoSign and StartCom: next steps

2016-10-09 Thread Eddy Nigg

On 10/07/2016 12:38 PM, Gervase Markham wrote:

> I am a little surprised it hasn't appeared by now. We did not agree a
> specific deadline, but my impression was that it would appear in a few
> days, which I mentally interpreted as "by the end of the week". Today is
> Friday, so there is still time for my vague expectations to be met :-)
>
> I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
> can give a status update and an estimated time of publication?


Hi Gerv,

I'm sorry for the somewhat late reply due to holidays/weekends and 
flight connections of the participants of the meeting. First thanks for 
hosting the meeting and I'm sorry that I personally couldn't attend.


WoSign already provided its incident report, which includes basically
most information regarding the various issues and failures. Parts of the
proposed steps were already mentioned; here I'm trying to summarize them.
Next week we'll add sub-sections and dates to it:



1)  Legal Structure - Separation of StartCom and Wosign's legal 
structure - StartCom reports directly to Qihoo 360.


2)  Management / Board - Mr. Tan is appointed Chairman of StartCom, 
Inigo Barreira appointed CEO/Director of StartCom.


3)  Team / Operations - Tan and Inigo work to separate StartCom and 
Wosign verification, development and management teams. Basically any 
previously shared functions (where they existed) will be separated.


4)  System / Software - Any shared infrastructure will be separated 
from WoSign, current code base will be reviewed by Qihoo 360 and audited 
internally. StartCom makes the systems available for an external 
security audit as necessary.


5)  All certificates past, present and future will be logged with CT 
compliant log servers.


6)  Public Documentation - StartCom will present its near-term plan 
and update as it progresses.



Item 6 currently consists of the steps outlined above, plus most
specifications, sub-steps and specific dates, in particular for items 3
and 4. I assume that the steps and promises StartCom commits to will be
auditable and/or easy to confirm.


I assume that Inigo will sometimes also report directly to the mailing
list in order to give progress updates.


--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. 
XMPP:   start...@startcom.org 

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: WoSign and StartCom

2016-10-07 Thread Nick Lamb
On Friday, 7 October 2016 21:11:01 UTC+1, Han Yuwei  wrote:
> About the auditor Ernst & Young (Hong Kong), I don't understand how did it(?) 
> involved this. Can someone explain that?

Management of a public CA are obliged to state periodically that they understand
and obey various rules for operating a public CA. But how can we trust they do 
so? The management hire an independent _auditor_ usually from a professional 
services company like EY to verify that the statements from management are 
true. The auditor should undertake reasonable steps to satisfy themselves of 
the veracity of these statements, e.g. if the management says the CA is in a 
second floor steel and concrete building in Manhattan, the auditor can visit 
and see whether it seems to instead be a wooden barn in New Jersey. If the 
management says all issuances are authorised by two employees working together, 
the auditor can watch this being done one day and see if in fact only one 
employee does all the work.

Mozilla believes that WoSign mis-behaved in ways that a competent auditor 
should have detected. This leaves open two possibilities, neither good for the 
local EY

1. They were not competent, their examination of the facts at WoSign fell short 
of what they should have done, it did not find the misbehaviour at WoSign 
because it was not sufficiently thorough.

OR
2. They were dishonest, they knew or suspected that WoSign had misbehaved but 
chose to conceal this fact from readers of the audit report.

In either case, this auditor cannot be trusted with other audit work, as it may 
do exactly the same thing again, which makes the audit pointless. Competent, 
honest auditors must be used for all audits.


Re: WoSign and StartCom

2016-10-07 Thread Han Yuwei
On Monday, 26 September 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we have drawn from the recent investigations,
> and a proposal for discussion regarding the action that Mozilla's root
> program should take in response.
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.
> 
> Gerv

About the auditor Ernst & Young (Hong Kong), I don't understand how did it(?) 
involved this. Can someone explain that?


RE: WoSign and StartCom: next steps

2016-10-07 Thread Richard Wang
Hi Gerv,

This is the updated incident report: 
https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf .


Thanks. 


Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Gervase Markham
Sent: Wednesday, October 5, 2016 12:25 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign and StartCom: next steps

On 29/09/16 16:40, Gervase Markham wrote:
> Following the publication of the recent investigative report, 
> representatives of Qihoo 360 and StartCom have requested a 
> face-to-face meeting with Mozilla. We have accepted, and that meeting 
> will take place next Tuesday in London.

This meeting happened today; thank you to representatives of Qihoo 360, 
StartCom and WoSign who travelled great distances to come. I'm happy that 
Mozilla was able to successfully communicate what we hoped to see from these 
companies, and expect to see a proposed plan from them very shortly.

Once that plan is published, we will be able to discuss whether the steps 
contained in it should lead to Mozilla changing our proposal for the measures 
we intend to take.

Gerv



Re: WoSign and StartCom: next steps

2016-10-07 Thread Gervase Markham
On 06/10/16 20:38, Ryan Sleevi wrote:
> Do you have any further updates regarding this plan? This seems to
> have stalled any further discussions about next steps.

I am a little surprised it hasn't appeared by now. We did not agree a
specific deadline, but my impression was that it would appear in a few
days, which I mentally interpreted as "by the end of the week". Today is
Friday, so there is still time for my vague expectations to be met :-)

I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
can give a status update and an estimated time of publication?

Gerv



Re: WoSign and StartCom: next steps

2016-10-06 Thread Ryan Sleevi
On Tuesday, October 4, 2016 at 9:25:16 AM UTC-7, Gervase Markham wrote:
> On 29/09/16 16:40, Gervase Markham wrote:
> > Following the publication of the recent investigative report,
> > representatives of Qihoo 360 and StartCom have requested a face-to-face
> > meeting with Mozilla. We have accepted, and that meeting will take place
> > next Tuesday in London.
> 
> This meeting happened today; thank you to representatives of Qihoo 360,
> StartCom and WoSign who travelled great distances to come. I'm happy
> that Mozilla was able to successfully communicate what we hoped to see
> from these companies, and expect to see a proposed plan from them very
> shortly.
> 
> Once that plan is published, we will be able to discuss whether the
> steps contained in it should lead to Mozilla changing our proposal for
> the measures we intend to take.
> 
> Gerv

Hi Gerv,

Do you have any further updates regarding this plan? This seems to have stalled 
any further discussions about next steps.

Best,
Ryan


Re: WoSign and StartCom

2016-10-05 Thread Percy
"anyone issuing certificates for .cn, .hk or .mo domain *MUST* submit those 
certificate to the CT server set (with similar constraints as you require for 
WoSign/StartCom) "

This means you're rather ill-informed about the Chinese Internet. Most Chinese 
sites still use .com domains. But this is not what users are worried about as 
.cn domains are already under Chinese jurisdiction. They're more worried about 
attacks against .com domains such as MITM against GitHub, Outlook, Yahoo, Google
and iCloud.


Re: WoSign and StartCom

2016-10-05 Thread jultus
On Tuesday, September 27, 2016 at 7:31:30 AM UTC+2, Han Yuwei wrote:
> On Monday, 26 September 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote:
> > Today, Mozilla is publishing an additional document containing further
> > research into the back-dating of SHA-1 certificates, in violation of the
> > CAB Forum Baseline Requirements, to avoid browser blocks. It also
> > contains some conclusions we have drawn from the recent investigations,
> > and a proposal for discussion regarding the action that Mozilla's root
> > program should take in response.
> > 
> > Because this document is extensive and contains embedded images, links
> > and formatting, I have published it on Google Docs instead of as an
> > email message here:
> > 
> > https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> > 
> > However, this forum is the appropriate place for discussing it. Please
> > feel free to cut and paste any parts you wish to quote and comment on.
> > 
> > Gerv
> 
> Seems like we are not able to get a free 1-year certificate. I am very 
> disappointed about that.

You do realize there's a really good CA called Let's Encrypt, which easily lets
you automate renewal and has proven VERY trustworthy thus far? I already moved
away from StartCom just because Let's Encrypt is way easier to maintain.
https://letsencrypt.org/docs/client-options/


Re: WoSign and StartCom

2016-10-05 Thread Gervase Markham
On 05/10/16 05:18, Anand Kumria wrote:
> I think that punishing the auditor here but geographically
> constraining it is the wrong message to send.
> 
> Why not simply distrust all audits carried out by Ernst & Young?

As I understand it, global branded auditors are, in fact, made up of a
number of local firms. We think that this is the correct scope for this
ban at the present time. However, if future problems arise with E&Y
audits done by other countries' E&Y teams, that might be the time to
consider a ban of wider scope.

> - anyone issuing certificates for .cn, .hk or .mo domain *MUST*
> submit those certificate to the CT server set (with similar
> constraints as you require for WoSign/StartCom)
> 
> - constrain certificates issued to .cn, .hk, .mo domains to be valid
> for (at most) 2 years.
> 
> The rationale for those additional suggestions is that this might
> preclude any organisation from being pressured into issuing
> certificates with fraudulent information within them and, even if
> that were to occur - and not be detected for a while - you have also
> constrained the maximum exposure window.

"The maximum exposure is 2 years" is not much of a constraint.
Additionally, although you don't say who you are talking about, there is
not necessarily an overlap between the sort of certs such pressure may
relate to, and the TLDs you mention. Many important sites use .com, for
example. And the risk of a compelled certificate creation attack is
nothing to do with the issues at WoSign.

Gerv



Re: WoSign and StartCom

2016-10-05 Thread Anand Kumria
Hi,

Thanks for the extensive document and information, it has been a thoroughly
interesting read.

On Tuesday, 27 September 2016 00:21:13 UTC+10, Gervase Markham  wrote:
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.

Thoughts:

> no longer accept audits carried out by Ernst & Young (Hong Kong).

I think that punishing the auditor here but geographically constraining it is 
the wrong message to send.

Why not simply distrust all audits carried out by Ernst & Young?

Either someone at Ernst & Young HQ (London) signed off on this kind of deception
(if it was known), or they signed off on an audit when it was improperly
conducted, or they signed off on an audit when the subordinate company was
unable to obtain all the information required.

Or, worse, they have no control at all over their subordinate company.

> How much lead time does the ecosystem need before we take this action?

I think that this should be a standard security update.

> Should StartCom/WoSign be permitted to re-apply using the same roots, or 
> would they need new roots?

They should be required to use new roots.

I think another set of sanctions you (Mozilla) could also apply are:

 - anyone issuing certificates for .cn, .hk or .mo domain *MUST* submit those 
certificate to the CT server set (with similar constraints as you require for 
WoSign/StartCom)

 - constrain certificates issued to .cn, .hk, .mo domains to be valid for (at 
most) 2 years. 

The rationale for those additional suggestions is that this might preclude any 
organisation from being pressured into issuing certificates with fraudulent 
information within them and, even if that were to occur - and not be detected 
for a while - you have also constrained the maximum exposure window.

Regards,
Anand



Re: WoSign and StartCom: next steps

2016-10-04 Thread Gervase Markham
On 29/09/16 16:40, Gervase Markham wrote:
> Following the publication of the recent investigative report,
> representatives of Qihoo 360 and StartCom have requested a face-to-face
> meeting with Mozilla. We have accepted, and that meeting will take place
> next Tuesday in London.

This meeting happened today; thank you to representatives of Qihoo 360,
StartCom and WoSign who travelled great distances to come. I'm happy
that Mozilla was able to successfully communicate what we hoped to see
from these companies, and expect to see a proposed plan from them very
shortly.

Once that plan is published, we will be able to discuss whether the
steps contained in it should lead to Mozilla changing our proposal for
the measures we intend to take.

Gerv



Re: WoSign and StartCom

2016-10-04 Thread Gervase Markham
On 04/10/16 01:00, Ángel González wrote:
> Not really. Their old roots could sign their new roots, which would
> be enough to make them work on the older devices where it worked. The
> cost of untrusting the old roots is probably similar to that of 
> adding new roots, so that the effort of chaining to a different CA
> is not worthwhile.

This is true as long as there is no gap between when you dis-trust the
old roots and when you add the new ones to your store. But that's
unlikely because dis-trusts normally happen fairly quickly, spinning up
new roots takes time, and you may want it to be done under a reformed
regime rather than under the old one.

Gerv




Re: WoSign and StartCom: next steps

2016-10-03 Thread Gervase Markham
On 30/09/16 12:23, Gervase Markham wrote:
> We don't plan to make a video or release a transcript, but Mozilla will
> also not be finalising any plans for action at the meeting either. From
> our perspective, the aim is to discuss whatever plans
> Qihoo/StartCom/WoSign have to improve the situation and help them
> understand what is most likely to be acceptable to us and to the community.

It is probably also useful to point out that Mozilla can have such
discussions only on our own behalf; we do not speak for or coordinate
decisions with the other root programs, who may decide to take action or
impose requirements different from that Mozilla decides to take or impose.

Gerv



Re: WoSign and StartCom

2016-10-03 Thread Gervase Markham
Hi Stefan,

On 01/10/16 00:35, Stefan Paletta wrote:
> I have one question about the proposal: what is the rationale and
> justification for the one-year minimum distrust?

The determination of the action to take in any particular case takes
account of precedent (e.g. CNNIC) and our understanding of
proportionality, and what would be best in order to see a proper
remediation. This time period, which is part of the proposal (and note
that it is still a proposal), was chosen because I currently believe that WoSign
would need to make significant technical changes (and perhaps other
sorts of changes) in order to pass a full security audit from a code
auditor. If the time period before the possibility of re-enablement was
too short, there might be a temptation to rush this process, which would
be in nobody's interest.

Gerv


Re: WoSign and StartCom

2016-10-03 Thread Gervase Markham
On 30/09/16 13:40, Jakob Bohm wrote:
> Well, at least the intermediaries involved would be SHA-1 and be
> checked against the SHA-1-distrust policy?

Yes. But issuing SHA-1 from a currently-publicly-trusted root is a BR
violation, whether clients enforce distrust or not. One solution often
adopted for old clients is to issue from a root which is no longer
currently-publicly-trusted.

Gerv




Re: WoSign and StartCom

2016-10-02 Thread Percy
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we have drawn from the recent investigations,
> and a proposal for discussion regarding the action that Mozilla's root
> program should take in response.
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.
> 
> Gerv

FYI, WoSign has stopped issuing new DV certs. 
"Sorry, due to some security consideration, 
WoSign decide to close the free SSL certificate application temporarily. Sept. 
29th 2016."
https://buy.wosign.com/free/?lan=en


Re: WoSign and StartCom

2016-10-01 Thread Erwann Abalea
Hello,

On Saturday, 1 October 2016 11:02:21 UTC+2, Stefan Paletta wrote:
[...]
> I have one question about the proposal: what is the rationale and 
> justification for the one-year minimum distrust? While this seems quite 
> reasonable at first glance, my thinking is this: clearly, the proposed 
> extensive audit must be deemed sufficient to allow for re-qualification a 
> year from now (because otherwise you would not be proposing it). Then why 
> would such an extensive audit not be sufficient when executed right now? In 
> other words: what does the addition of simply waiting for a year change about 
> admissibility to the Mozilla roots?

The auditor doesn't predict the future. The auditor can only audit what was 
made in the past.
I consider the Mozilla investigation to be an audit, and the findings are 
really bad. Another extensive audit performed right now can't possibly give a 
different result.


Re: WoSign and StartCom

2016-09-30 Thread Jakob Bohm

On 30/09/2016 13:21, Gervase Markham wrote:

> On 30/09/16 07:50, Jakob Bohm wrote:
>
>> SHA-1 certs until the hardware dies.  On a trust policy/BR level, the
>> key detail here is that the issuing root cert is a SHA-1 cert itself
>> and would thus be distrusted by SHA-1-distrusting systems anyway.
>
> That's not so; I believe most (all?) systems don't check the signatures
> on their own embedded root certificates, because they are implicitly
> trusted. There are many roots in the Mozilla program with SHA-1
> signatures; see the Signature Hash Algorithm column in:
> https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport
>
> In fact, there are two with MD5 signatures, although as it happens they
> are only trusted for email.
>
> Gerv

Well, at least the intermediaries involved would be SHA-1 and be
checked against the SHA-1-distrust policy?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: WoSign and StartCom: next steps

2016-09-30 Thread Florian Weimer
* Hanno Böck:

> Minor sidenote: there have been some concerns about TLS security
> vulnerabilities of the qihoo 360 browser [1] [2]. While this is not
> directly related to the operation of a CA, it surely would increase the
> community's trust of qihoo 360 if these issues get resolved quickly.
>
>
> [1] https://cabforum.org/pipermail/public/2015-April/005441.html
> [2] https://twitter.com/ryancdotorg/status/780470538686697472

It is certainly possible to implement access to servers using
untrusted X.509 certificates in such a way that security is
compromised only after further user action (e.g. supplying login
credentials, despite the browser warning).  A reasonable approximation
of such a secure implementation is to visit the site with a fresh
Firefox profile, and override the certificate warning.

More care is needed to check the origin of the cookie which, according
to Tom Ritter's post, the browser transmitted without further user
interaction.  It might be the case that the cookie is not marked as
secure (restricting it to HTTPS), or it may have been created as a
secure cookie over an untrusted HTTPS connection.


Re: WoSign and StartCom: next steps

2016-09-30 Thread Hanno Böck
Hi,

I just want to throw out some thoughts and I hope the people involved
find it noteworthy. Please note that I am in no way in a position to
decide anything here, I'm just someone who happens to have an opinion
on the stuff going on.

This seems to be some last minute attempt to rescue wosign/startcom as
a CA. Despite all the stuff that happened I kinda sympathize with it,
for two reasons:
* I think wosign and startcom did a lot of good for the web by providing
  free certificate options and I think it'd be problematic to have a
  Let's Encrypt monopoly for free certificates.
* I fear that if wosign gets removed that this might lead to a further
  separation of the chinese web. I don't want to see a situation where
  chinese webpages use a chinese certificate that the browsers from the
  rest of the world don't accept. I don't think this is in anyone's
  interest, as it would harm the Internet as a whole.

I guess the community could agree to let wosign stay in the browsers,
but it must be clear that there is a sincere will to handle things
differently in the future. My advice to the representatives of
wosign/startcom/Qihoo would be to be as transparent as possible.
I think the major reason people find this mozilla research so damning
is because it looks a lot like you were trying to hide things. This was
further fuelled by multiple statements in the form "we don't have to
talk about this".
If you want to regain trust from the community you'll have to talk
about it. This isn't about any legal requirements, it's about trust
from the community. Be open about who owns which company, who's in
charge and also tell us exactly why these things happened in the past
and how you want to prevent them from happening again.


Minor sidenote: there have been some concerns about TLS security
vulnerabilities of the qihoo 360 browser [1] [2]. While this is not
directly related to the operation of a CA, it surely would increase the
community's trust of qihoo 360 if these issues get resolved quickly.


[1] https://cabforum.org/pipermail/public/2015-April/005441.html
[2] https://twitter.com/ryancdotorg/status/780470538686697472

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42




Re: WoSign and StartCom: next steps

2016-09-30 Thread Gervase Markham
On 29/09/16 18:12, Han Yuwei wrote:
> Could you disclosure what would you talk about or would be determined
> on the meeting? And would there be a video or transcript about your
> meeting?

We don't plan to make a video or release a transcript, but Mozilla will
also not be finalising any plans for action at the meeting either. From
our perspective, the aim is to discuss whatever plans
Qihoo/StartCom/WoSign have to improve the situation and help them
understand what is most likely to be acceptable to us and to the community.

Then they will go away and, hopefully fairly soon afterwards, make a
public proposal for what they are going to do. That will be discussed
here, and after the discussion, the Mozilla module owner (who takes the
final decision) will decide whether we will continue to execute our
proposed plan exactly as it stands, or modify it in the light of any new
information or undertakings provided.

Gerv


Re: WoSign and StartCom

2016-09-30 Thread Gervase Markham
On 30/09/16 07:50, Jakob Bohm wrote:
> SHA-1 certs until the hardware dies.  On a trust policy/BR level, the
> key detail here is that the issuing root cert is a SHA-1 cert itself
> and would thus be distrusted by SHA-1-distrusting systems anyway.

That's not so; I believe most (all?) systems don't check the signatures
on their own embedded root certificates, because they are implicitly
trusted. There are many roots in the Mozilla program with SHA-1
signatures; see the Signature Hash Algorithm column in:
https://mozillacaprogram.secure.force.com/CA/IncludedCACertificateReport

In fact, there are two with MD5 signatures, although as it happens they
are only trusted for email.

Gerv
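The point Gerv makes above (a trust anchor's own signature is never verified, so a SHA-1 or MD5 self-signature on a root is harmless, whereas SHA-1 on an intermediate, as Jakob asks, is exactly what a SHA-1 distrust rule catches) can be checked mechanically. The script below is an added example, not code from this thread, from Mozilla or from any CA: a stdlib-only Python DER walker that reports each certificate's outer signature algorithm and whether a relying party would verify that signature. The sample chains are constructed inline with placeholder signature bytes (no keys, no real signing); treating "self-signed" as "trust anchor" and rendering only the CN of each Name are simplifications, and real clients decide anchor status by trust-store membership. The `inspect_cert` function itself only navigates the standard Certificate structure, so it also accepts real DER certificates read from disk.

```python
"""Report each certificate's signature hash and whether a relying party ever
verifies that signature.  Stdlib only; the sample chains below are constructed
with placeholder signature bytes (no keys, no real signing)."""

OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK_SIGNATURES = {"md5WithRSAEncryption", "sha1WithRSAEncryption"}

# ---- minimal DER decoding, enough to walk an X.509 Certificate ----
def der_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(contents):
    """Split a constructed value's contents into a list of (tag, contents)."""
    out, pos = [], 0
    while pos < len(contents):
        tag, val, pos = der_read(contents, pos)
        out.append((tag, val))
    return out

def oid_decode(contents):
    arcs, n = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def name_to_str(contents):
    """Render a Name (SEQUENCE OF SET OF AttributeTypeAndValue); CN label only."""
    parts = []
    for _, rdn in der_children(contents):
        for _, atv in der_children(rdn):
            (_, oid), (_, value) = der_children(atv)
            label = "CN" if oid_decode(oid) == "2.5.4.3" else oid_decode(oid)
            parts.append(f"{label}={value.decode()}")
    return ",".join(parts)

def inspect_cert(cert_der):
    """Subject, issuer, outer signature algorithm and whether it is self-signed."""
    _, cert, _ = der_read(cert_der)
    (_, tbs), (_, sig_alg), _ = der_children(cert)     # tbs, AlgorithmIdentifier, signatureValue
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                            # optional EXPLICIT [0] version
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]        # serial, sigAlg, issuer, validity, subject, ...
    alg = oid_decode(der_children(sig_alg)[0][1])
    return {"subject": name_to_str(subject), "issuer": name_to_str(issuer),
            "sig_alg": OID_NAMES.get(alg, alg), "self_signed": issuer == subject}

def sha1_policy(chain):
    """Browser-style rule: the trust anchor's own signature is never checked, so a
    weak hash there is not a violation; on any verified certificate it is.
    Simplification: the anchor is recognised by being self-signed (real clients
    go by trust-store membership instead)."""
    report = []
    for cert_der in chain:
        info = inspect_cert(cert_der)
        info["signature_verified"] = not info["self_signed"]
        info["violation"] = info["signature_verified"] and info["sig_alg"] in WEAK_SIGNATURES
        report.append(info)
    return report

# ---- constructed sample certificates (valid structure, placeholder signatures) ----
def tlv(tag, contents):
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents

def oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += chunk
    return tlv(0x06, bytes(body))

def name(cn):
    atv = tlv(0x30, oid_encode("2.5.4.3") + tlv(0x13, cn.encode()))
    return tlv(0x30, tlv(0x31, atv))

def make_cert(subject_cn, issuer_cn, alg_oid):
    alg = tlv(0x30, oid_encode(alg_oid) + b"\x05\x00")
    validity = tlv(0x30, tlv(0x17, b"160101000000Z") + tlv(0x17, b"261231235959Z"))
    spki = tlv(0x30, tlv(0x30, oid_encode("1.2.840.113549.1.1.1") + b"\x05\x00")
               + tlv(0x03, b"\x00" * 17))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 33))  # placeholder signatureValue

SHA1, SHA256 = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"
# Legacy chain: SHA-1 on leaf and intermediate -> two violations; root exempt.
CHAIN_LEGACY = [make_cert("legacy.example", "Sample Sub CA", SHA1),
                make_cert("Sample Sub CA", "Sample Root", SHA1),
                make_cert("Sample Root", "Sample Root", SHA1)]
# Modern chain under the same SHA-1-signed root: no violation at all.
CHAIN_MODERN = [make_cert("modern.example", "Sample Sub CA", SHA256),
                make_cert("Sample Sub CA", "Sample Root", SHA256),
                make_cert("Sample Root", "Sample Root", SHA1)]

if __name__ == "__main__":
    for label, chain in (("legacy", CHAIN_LEGACY), ("modern", CHAIN_MODERN)):
        for c in sha1_policy(chain):
            print(label, c["subject"], c["sig_alg"], "VIOLATION" if c["violation"] else "ok")
```

Run it and the legacy chain reports violations for the leaf and the intermediate only; the modern chain reports none even though its root carries the same SHA-1 self-signature, which is the behaviour the message above describes. Jakob's later hardware case (a device whose trust list is frozen) is what the "modern" chain shows: the root's hash is irrelevant, and it is the intermediates and leaf that must be SHA-256 for the chain to pass.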



Re: WoSign and StartCom: next steps

2016-09-30 Thread Gervase Markham
On 30/09/16 03:14, 谭晓生 wrote:
> So far 360 is just an investor of Wosign, but we think we need to do 
> something because of what happened.
> I’d like to have suggestions from Gerv to see if Richard Wang to join the
> meeting is a better proposal.

Hi Xiaosheng,

I think it is a decision for Qihoo 360, WoSign and StartCom together to
decide who represents them. I'm confident that the three companies will
send representatives to the meeting who have the authority to discuss
and then publicly propose a remediation plan that we can consider, and
ensure that whatever is agreed is carried out.

Gerv



Re: WoSign and StartCom

2016-09-30 Thread Jakob Bohm

On 27/09/2016 21:02, Erwann Abalea wrote:

> Good evening,
>
> On Tuesday, 27 September 2016 18:43:29 UTC+2, Han Yuwei wrote:
>
>> On Tuesday, 27 September 2016 at 11:21:26 PM UTC+8, Hector Martin "marcan" wrote:
>>
>>> On 2016-09-27 23:21, Han Yuwei wrote:
>>>
>>>> On Tuesday, 27 September 2016 at 8:33:28 PM UTC+8, Gervase Markham wrote:
>>>>
>>>>> On 27/09/16 13:13, adroidm...@gmail.com wrote:
>>>>>
>>>>>> We must use Windows XP because some programs can only run on XP. We
>>>>>> have no money to get new programs and new Windows. Do you give $$$¥¥¥
>>>>>> to me??? You don't right? So please understand why we use XP.
>>>>>
>>>>> Windows XP SP3 supports SHA-256. And of course, you always have the
>>>>> option of Linux, which is a free modern operating system.
>>>>>
>>>>> Gerv
>>>>
>>>> There is a lot of software whose company is already gone running at
>>>> factories, critical public infrastructure, even hospitals. We can't take
>>>> the risk of upgrading the operating system. But I am not supporting
>>>> continuous use of SHA1 certificates. Maybe you can understand this. :)
>>>
>>> *Not* upgrading the operating system is a security risk. If you need to
>>> interact with certificates, your computer is networked. If your computer
>>> is networked, you absolutely cannot afford *not* to keep it up to date
>>> and using a supported operating system. Anything else is asking to get
>>> compromised, and then certificates are going to be the least of your
>>> worries.
>>>
>>> The "install it once and don't touch it" mentality stops working the
>>> moment there's an Ethernet port with a cable connected to it. I would
>>> hope networked equipment at critical public infrastructure like a
>>> hospital is using a supported, updated operating system and software.
>>>
>>> --
>>> Hector Martin "marcan" (mar...@marcan.st)
>>> Public Key: https://mrcn.st/pub
>>
>> Yes, I totally agree with you. But some software can't work under newer
>> systems. Maybe we can find a solution towards this.
>
> There are 2 solutions for this problem:
>
> 1/ a temporary one, where the certificate subscriber can demonstrate that its
> relying parties can't accept SHA2 today but will be upgraded before the end of
> 2016. The procedure to get a SHA1 certificate is a public review with extended
> checks; it takes about 2 weeks to get the approval if nothing risky is found.
> It's the "SHA1 Exceptions process" described in the extensive report written
> by Gerv. WoSign and StartCom have chosen to not follow it, and to hide their
> actions.
>
> 2/ a permanent one, where it's really not possible to upgrade the relying
> parties' systems to accept SHA2, or the subscriber is not willing to make the
> effort. The SHA1 certificate is issued by a non-public CA, and this non-public
> CA is explicitly imported as trusted in the necessary relying parties' systems.
>
> There is no other alternative.



Note that in my daily work, I am aware of at least one system where
neither option is particularly viable, due to the platform vendor
locking down the system and then abandoning the signing services that
would usually authorize CA certificate imports.  This leaves the system
in question with a "set in stone" list of trusted (SHA-1) CAs.

Thus to cater to those systems (especially when the actual devices are
3rd party owned), the only practical solution would be for one of the
relevant old SHA-1 root CA certs to issue (via intermediaries etc.) new
SHA-1 certs until the hardware dies.  On a trust policy/BR level, the
key detail here is that the issuing root cert is a SHA-1 cert itself
and would thus be distrusted by SHA-1-distrusting systems anyway.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: WoSign and StartCom: next steps

2016-09-29 Thread 谭晓生
So far 360 is just an investor of Wosign, but we think we need to do something 
because of what happened.
I'd like to have suggestions from Gerv to see if having Richard Wang join the 
meeting is a better proposal.

Thanks,
Xiaosheng Tan


On 16/9/30 10:03 AM, "dev-security-policy on behalf of Peter Kurrasch" wrote:

So if WoSign will not be present to discuss possible sanctions against 
WoSign, what are we to infer from that? Is Qihoo 360 acting in a capacity that 
is more than just an investor in WoSign? 

I'm trying not to get too far ahead of things, but this seems to be a very 
curious turn of events.


  Original Message  
From: Gervase Markham
Sent: Thursday, September 29, 2016 10:41 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: WoSign and StartCom: next steps

Hi everyone,

Following the publication of the recent investigative report,
representatives of Qihoo 360 and StartCom have requested a face-to-face
meeting with Mozilla. We have accepted, and that meeting will take place
next Tuesday in London.

After that, we expect to see a public response and proposal for
remediation from them, which will be discussed here before Mozilla makes
a final decision on the action we will take.

Gerv




Re: WoSign and StartCom: next steps

2016-09-29 Thread Vincent Lynch
Hi Peter,

If you look in the original thread on M.S.D.P you will see that Qihoo made
a statement that they owned a majority share in WoSign. I'm sure that
Mozilla has ensured Qihoo has the proper authority and permission to speak
on behalf of WoSign.

-Vincent

On Thu, Sep 29, 2016 at 10:03 PM, Peter Kurrasch  wrote:

> So if WoSign will not be present to discuss possible sanctions against
> WoSign, what are we to infer from that? Is Qihoo 360 acting in a capacity
> that is more than just an investor in WoSign?
>
> I'm trying not to get too far ahead of things, but this seems to be a very
> curious turn of events.
>
>
>   Original Message
> From: Gervase Markham
> Sent: Thursday, September 29, 2016 10:41 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: WoSign and StartCom: next steps
>
> Hi everyone,
>
> Following the publication of the recent investigative report,
> representatives of Qihoo 360 and StartCom have requested a face-to-face
> meeting with Mozilla. We have accepted, and that meeting will take place
> next Tuesday in London.
>
> After that, we expect to see a public response and proposal for
> remediation from them, which will be discussed here before Mozilla makes
> a final decision on the action we will take.
>
> Gerv
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
Vincent Lynch


Re: WoSign and StartCom: next steps

2016-09-29 Thread Peter Kurrasch
So if WoSign will not be present to discuss possible sanctions against WoSign, 
what are we to infer from that? Is Qihoo 360 acting in a capacity that is more 
than just an investor in WoSign? 

I'm trying not to get too far ahead of things, but this seems to be a very 
curious turn of events.


  Original Message  
From: Gervase Markham
Sent: Thursday, September 29, 2016 10:41 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: WoSign and StartCom: next steps

Hi everyone,

Following the publication of the recent investigative report,
representatives of Qihoo 360 and StartCom have requested a face-to-face
meeting with Mozilla. We have accepted, and that meeting will take place
next Tuesday in London.

After that, we expect to see a public response and proposal for
remediation from them, which will be discussed here before Mozilla makes
a final decision on the action we will take.

Gerv


Re: WoSign and StartCom: next steps

2016-09-29 Thread Percy
On Thursday, September 29, 2016 at 10:12:37 AM UTC-7, Han Yuwei wrote:
> On Thursday, 29 September 2016 at 23:41:12 UTC+8, Gervase Markham wrote:
> > Hi everyone,
> > 
> > Following the publication of the recent investigative report,
> > representatives of Qihoo 360 and StartCom have requested a face-to-face
> > meeting with Mozilla. We have accepted, and that meeting will take place
> > next Tuesday in London.
> > 
> > After that, we expect to see a public response and proposal for
> > remediation from them, which will be discussed here before Mozilla makes
> > a final decision on the action we will take.
> > 
> > Gerv
> 
> Could you disclose what you would talk about or what would be determined at the 
> meeting? And would there be a video or transcript of your meeting?

In the original document,  Mozilla stated that it "is committed to a fair, 
transparent and thorough investigation of the facts of each case." So I think 
at least a summary of the meeting is warranted, if the meeting results in any 
change of Mozilla's previous proposal against WoSign/StartCom.


Re: WoSign and StartCom: next steps

2016-09-29 Thread Han Yuwei
On Thursday, 29 September 2016 at 23:41:12 UTC+8, Gervase Markham wrote:
> Hi everyone,
> 
> Following the publication of the recent investigative report,
> representatives of Qihoo 360 and StartCom have requested a face-to-face
> meeting with Mozilla. We have accepted, and that meeting will take place
> next Tuesday in London.
> 
> After that, we expect to see a public response and proposal for
> remediation from them, which will be discussed here before Mozilla makes
> a final decision on the action we will take.
> 
> Gerv

Could you disclose what you would talk about or what would be determined at the 
meeting? And would there be a video or transcript of your meeting?


Re: Re: WoSign and StartCom

2016-09-28 Thread Dean Coclin
FYI - Tyro is not the company referenced on the CA/B Forum agenda.

Dean Coclin
CA/B Forum Chair

On 09/28/16, Nick Lamb wrote:
> On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy wrote:
> > I'm assuming WoSign/StartCom pressured Tyro to remove the blog post.
> > WoSign/StartCom has previously publicly threatened legal actions over the
> > secret purchase.
>
> I would say it's just as likely that Tyro's executives decided that the blog
> post doesn't match up with the current story they want to start telling.
>
> Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other
> factors suggest that Tyro now intends to pursue the SHA-1 exception process. On
> the whole there's no overwhelming reason they shouldn't be able to qualify for
> that process, but it may be a lot easier if they can manage to come up with one
> coherent story for how they got here which avoids contradicting the known facts
> or their own previous assertions, such as those in the blog post.


Re: WoSign and StartCom

2016-09-28 Thread Nick Lamb
On Wednesday, 28 September 2016 18:33:07 UTC+1, Percy  wrote:
> I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. 
> WoSign/StartCom has previously publicly threatened legal actions over the 
> secret purchase. 

I would say it's just as likely that Tyro's executives decided that the blog 
post doesn't match up with the current story they want to start telling.

Tomorrow's CA/B agenda, the new Symantec-issued wildcard for Tyro, and other 
factors suggest that Tyro now intends to pursue the SHA-1 exception process. On 
the whole there's no overwhelming reason they shouldn't be able to qualify for 
that process, but it may be a lot easier if they can manage to come up with one 
coherent story for how they got here which avoids contradicting the known facts 
or their own previous assertions, such as those in the blog post.


Re: WoSign and StartCom

2016-09-28 Thread Percy
On Wednesday, September 28, 2016 at 12:16:51 AM UTC-7, Peter Gutmann wrote:
> Percy  writes:
> >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
> >> Participants may be interested in this blog post from Tyro:
> >> https://tyro.com/blog/merchant-security-is-tyros-priority/
> >
> >So this is almost proof that WoSign/StartCom has been intentionally back-
> >dating certificates to avoid blocks on SHA-1 issuance in browsers. 
> 
> Did anyone keep a copy of that post?  Looks like they took it down pretty
> quickly, possibly in response to the above.
> 
> Peter.

I'm assuming WoSign/StartCom pressured Tyro to remove the blog post. 
WoSign/StartCom has previously publicly threatened legal actions over the 
secret purchase. 

Are those suppression attempts factored in when making trust decisions?  


Re: WoSign and StartCom

2016-09-28 Thread Rob Stradling
On 28/09/16 12:23, Nick Lamb wrote:
> On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham  wrote:
>> https://tyro.com/blog/merchant-security-is-tyros-priority/
> 
> This site reproduces what I guess is an email from Tyro (can't find similar 
> text on their website) that suggests very strongly they weren't prepared for 
> SHA-1 deprecation at all and hadn't previously even notified their customers 
> of the necessary upgrades.
> 
> http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/
> 
> If May was really the first time they realised they had a problem that's 
> pretty damning.

Presumably this...

  "The certificate that we use to secure our integration system expires
   on the 6th of June, 2016 and the new certificate cannot be accepted
   by POSs that run on Windows XP Service pack 2 or earlier."

...is referring to https://crt.sh/?id=1455926 and
https://crt.sh/?id=20031959.  If so, that would seem to imply that
https://crt.sh/?id=21427475 had not been issued when that article was
posted.

(The alternative, and I would suggest unlikely, explanation is that Tyro
did possess https://crt.sh/?id=21427475 when that article was posted,
but for some reason they'd already made the decision to not use it).

BTW, I found a couple of other references:

http://www.possolutions.com.au/blog/windows-xp-sp2-expires

http://www.possolutions.com.au/blog/if-you-are-running-windows-xp-or-server-2003

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



Re: WoSign and StartCom

2016-09-28 Thread Gervase Markham
On 28/09/16 12:23, Nick Lamb wrote:
> This site reproduces what I guess is an email from Tyro (can't find
> similar text on their website) that suggests very strongly they
> weren't prepared for SHA-1 deprecation at all and hadn't previously
> even notified their customers of the necessary upgrades.
> 
> http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

Very interesting. Thank you :-)

Gerv


Re: WoSign and StartCom

2016-09-28 Thread Nick Lamb
On Tuesday, 27 September 2016 10:15:38 UTC+1, Gervase Markham  wrote:
> https://tyro.com/blog/merchant-security-is-tyros-priority/

This site reproduces what I guess is an email from Tyro (can't find similar 
text on their website) that suggests very strongly they weren't prepared for 
SHA-1 deprecation at all and hadn't previously even notified their customers of 
the necessary upgrades.

http://www.newsagencyblog.com.au/2016/06/02/if-you-are-running-windows-xp/

If May was really the first time they realised they had a problem that's pretty 
damning.


Re: WoSign and StartCom

2016-09-28 Thread Adam Caudill


> On Sep 28, 2016, at 3:16 AM, Peter Gutmann  wrote:
> 
> Did anyone keep a copy of that post?  Looks like they took it down pretty
> quickly, possibly in response to the above.



Thankfully it was still in Bing’s cache (thanks to Ryan Hurst for reminding me 
to check there); here’s an Archive.org copy of Bing’s cached copy:

https://web.archive.org/web/20160928082744/http://cc.bingj.com/cache.aspx?q=url%3ahttps%3a%2f%2ftyro.com%2fblog%2fmerchant-security-is-tyros-priority%2f=3142275970384=en-US=en-US=CXAExr3p_O5p0vSMb-OFFm7Vt8ZUhoMF

--
Adam Caudill
a...@adamcaudill.com
http://adamcaudill.com/




Re: WoSign and StartCom

2016-09-28 Thread Shengjing Zhu
One question,
Since WoSign and StartCom have certification which is cross signed by Certum 
CA(https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing), does that mean 
browser will still trust any certification signed by "Certification Authority 
of WoSign G2" if the website owner sends a certification chain indicates this 
cross signed certification?

Is there any way to distrust intermediate certification by its common name?
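The two questions above (does a chain through a cross-signed intermediate still validate when the root that cross-signed it is trusted, and can an intermediate be distrusted by name) can be worked through in code. The following is an added example, not code from this thread, from Mozilla or from any CA: it builds a constructed root standing in for the cross-signing CA, an intermediate it signed standing in for "Certification Authority of WoSign G2", and a leaf, all with throwaway keys and made-up names (www.example.test and the "Constructed ..." common names are assumptions for the demonstration, not the real certificates). It then runs Go's standard chain verification and discards any verified chain that passes through a distrusted certificate. The distrust entry is keyed on the SHA-256 of the intermediate's SubjectPublicKeyInfo rather than its common name, because a name can be reused by an unrelated CA, while the key identifies exactly the certificate(s) that should not be honoured.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; acceptable in fixture-building code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with the parent's key and returns the parsed certificate.
func issue(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))
	return must(x509.ParseCertificate(der))
}

// spkiHash returns the hex SHA-256 of a certificate's SubjectPublicKeyInfo.
// Keyed on the key, a distrust entry still matches if the same CA is
// cross-signed again under another name; a common name would not.
func spkiHash(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// acceptableChains verifies the leaf as a client would, then drops every chain
// that passes through a distrusted key and returns how many chains survive.
func acceptableChains(leaf *x509.Certificate, inters, roots *x509.CertPool, distrusted map[string]bool, at time.Time) (int, error) {
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: "www.example.test", Roots: roots, Intermediates: inters, CurrentTime: at})
	if err != nil {
		return 0, err // the client would not have trusted the leaf at all
	}
	ok := 0
	for _, chain := range chains {
		tainted := false
		for _, c := range chain {
			tainted = tainted || distrusted[spkiHash(c)]
		}
		if !tainted {
			ok++
		}
	}
	return ok, nil
}

// buildScenario constructs the topology from the question with throwaway keys.
// None of these are the real Certum or WoSign certificates.
func buildScenario() (leaf, inter, root *x509.Certificate) {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: time.Date(2014, 1, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC),
			IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		}
	}
	rootTmpl := ca(1, "Constructed Cross-Signing Root")
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter = issue(ca(2, "Constructed Cross-Signed Intermediate"), root, &interKey.PublicKey, rootKey)
	leaf = issue(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		DNSNames:    []string{"www.example.test"},
		NotBefore:   time.Date(2016, 6, 1, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2017, 6, 1, 0, 0, 0, 0, time.UTC),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, inter, &leafKey.PublicKey, interKey)
	return leaf, inter, root
}

// countWithPolicy runs the scenario with the root trusted, optionally with the
// intermediate's key on the distrust list, and returns the accepted chain count.
func countWithPolicy(distrustIntermediate bool) (int, error) {
	leaf, inter, root := buildScenario()
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	distrusted := map[string]bool{}
	if distrustIntermediate {
		distrusted[spkiHash(inter)] = true
	}
	return acceptableChains(leaf, inters, roots, distrusted, time.Date(2016, 10, 1, 0, 0, 0, 0, time.UTC))
}

func main() {
	n, err := countWithPolicy(false)
	fmt.Println("no distrust list:", n, err) // 1 <nil>
	n, err = countWithPolicy(true)
	fmt.Println("intermediate key distrusted:", n, err) // 0 <nil>
}
```

Without a distrust entry the cross-signed chain validates, which is exactly the situation the question describes: a client that trusts the cross-signing root accepts the leaf no matter what has happened to the issuing CA's own roots. The second run shows the shape of the remedy: the root stays trusted, and only chains that pass through the listed intermediate key are refused.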


Re: WoSign and StartCom

2016-09-28 Thread Peter Gutmann
Percy  writes:
>On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
>> Participants may be interested in this blog post from Tyro:
>> https://tyro.com/blog/merchant-security-is-tyros-priority/
>
>So this is almost proof that WoSign/StartCom has been intentionally back-
>dating certificates to avoid blocks on SHA-1 issuance in browsers. 

Did anyone keep a copy of that post?  Looks like they took it down pretty
quickly, possibly in response to the above.

Peter.


Re: WoSign and StartCom

2016-09-27 Thread Percy
WoSign's official website stated that "For Free SSL Certificate, it support 20 
domain names for 3 years period" 
(https://buy.wosign.com/free/freeEmailcert.html). In order to identify possible 
backdated certs in the future, I suggest that WoSign/StartCom be mandated to 
upload all unexpired certs (especially those in 2014) to CT, so that we can 
have a complete list of domains. 


On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we have drawn from the recent investigations,
> and a proposal for discussion regarding the action that Mozilla's root
> program should take in response.
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.
> 
> Gerv



Re: WoSign and StartCom

2016-09-27 Thread Erwann Abalea
Good evening,

On Tuesday, 27 September 2016 at 18:43:29 UTC+2, Han Yuwei wrote:
> On Tuesday, 27 September 2016 at 23:21:26 UTC+8, Hector Martin "marcan" wrote:
> > On 2016-09-27 23:21, Han Yuwei wrote:
> > > On Tuesday, 27 September 2016 at 20:33:28 UTC+8, Gervase Markham wrote:
> > >> On 27/09/16 13:13, adroidm...@gmail.com wrote:
> > >>> We must use Windows XP because some programs can only run on XP. We
> > >>> have no money to get new programs and new Windows. Do you give $$$¥¥¥
> > >>> to me??? You don't right? So please understand why we use XP.
> > >>
> > >> Windows XP SP3 supports SHA-256. And of course, you always have the
> > >> option of Linux, which is a free modern operating system.
> > >>
> > >> Gerv
> > > 
> > > There is a lot of software whose company has already gone under, running at 
> > > factories, critical public infrastructure, even hospitals. We can't take 
> > > the risk of upgrading the operating system. But I am not supporting 
> > > continuous use of SHA1 certificates. Maybe you can understand this. :)
> > 
> > *Not* upgrading the operating system is a security risk. If you need to
> > interact with certificates, your computer is networked. If your computer
> > is networked, you absolutely cannot afford *not* to keep it up to date
> > and using a supported operating system. Anything else is asking to get
> > compromised, and then certificates are going to be the least of your
> > worries.
> > 
> > The "install it once and don't touch it" mentality stops working the
> > moment there's an Ethernet port with a cable connected to it. I would
> > hope networked equipment at critical public infrastructure like a
> > hospital is using a supported, updated operating system and software.
> > 
> > -- 
> > Hector Martin "marcan" (mar...@marcan.st)
> > Public Key: https://mrcn.st/pub
> 
> Yes, I totally agree with you. But some software can't work under newer 
> system. Maybe we can find a solution towards this.

There are 2 solutions for this problem:

1/ a temporary one, where the certificate subscriber can demonstrate that its 
relying parties can't accept SHA2 today but will be upgraded before the end 
of 2016. The procedure to get a SHA1 certificate is a public review with 
extended checks, it takes about 2 weeks to get the approval if nothing risky is 
found. It's the "SHA1 Exceptions process" described in the extensive report 
written by Gerv. WoSign and StartCom have chosen to not follow it, and to hide 
their actions.

2/ a permanent one, where it's really not possible to upgrade the relying 
parties' systems to accept SHA2, or the subscriber is not willing to do the 
effort. The SHA1 certificate is issued by a non public CA, and this non public 
CA is explicitly imported as trusted in the necessary relying parties' systems.

There is no other alternative.


Re: WoSign and StartCom

2016-09-27 Thread Percy
On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
> On 26/09/16 15:20, Gervase Markham wrote:
> > However, this forum is the appropriate place for discussing it. Please
> > feel free to cut and paste any parts you wish to quote and comment on.
> 
> Participants may be interested in this blog post from Tyro:
> https://tyro.com/blog/merchant-security-is-tyros-priority/
> 
> Gerv

So this is almost proof that WoSign/StartCom has been intentionally back-dating 
certificates to avoid blocks on SHA-1 issuance in browsers. And when being 
specifically asked about those certs, WoSign/StartCom expressively attempted to 
deceive this community by saying all certs are normal. 

Based on this new evidence, do you think the statement "This distrust would 
remain for a minimum of 1 year. After that time, WoSign/StartCom may be 
readmitted to the Mozilla trust program, under the following conditions" should 
be updated to reflect this? 

I think audits only work for a benign party with unintentional mistakes. The 
new evidence suggests WoSign/StartCom is almost hostile. 
If WoSign/StartCom willfully deceives auditors, changes the code between 
audits, intentionally malpractices outside of auditing period, I don't think 
audits are a safe-guard against them.


Re: WoSign and StartCom

2016-09-27 Thread Han Yuwei
On Tuesday, 27 September 2016 at 23:21:26 UTC+8, Hector Martin "marcan" wrote:
> On 2016-09-27 23:21, Han Yuwei wrote:
> > On Tuesday, 27 September 2016 at 20:33:28 UTC+8, Gervase Markham wrote:
> >> On 27/09/16 13:13, adroidm...@gmail.com wrote:
> > >>> We must use Windows XP because some programs can only run on XP. We
> >>> have no money to get new programs and new Windows. Do you give $$$¥¥¥
> >>> to me??? You don't right? So please understand why we use XP.
> >>
> >> Windows XP SP3 supports SHA-256. And of course, you always have the
> >> option of Linux, which is a free modern operating system.
> >>
> >> Gerv
> > 
> > There is a lot of software whose company has already gone under, running at 
> > factories, critical public infrastructure, even hospitals. We can't take the 
> > risk of upgrading the operating system. But I am not supporting continuous 
> > use of SHA1 certificates. Maybe you can understand this. :)
> 
> *Not* upgrading the operating system is a security risk. If you need to
> interact with certificates, your computer is networked. If your computer
> is networked, you absolutely cannot afford *not* to keep it up to date
> and using a supported operating system. Anything else is asking to get
> compromised, and then certificates are going to be the least of your
> worries.
> 
> The "install it once and don't touch it" mentality stops working the
> moment there's an Ethernet port with a cable connected to it. I would
> hope networked equipment at critical public infrastructure like a
> hospital is using a supported, updated operating system and software.
> 
> -- 
> Hector Martin "marcan" (mar...@marcan.st)
> Public Key: https://mrcn.st/pub

Yes, I totally agree with you. But some software can't work under newer systems. 
Maybe we can find a solution towards this.


Re: WoSign and StartCom

2016-09-27 Thread Hector Martin "marcan"
On 2016-09-27 23:21, Han Yuwei wrote:
> On Tuesday, 27 September 2016 at 20:33:28 UTC+8, Gervase Markham wrote:
>> On 27/09/16 13:13, adroidm...@gmail.com wrote:
>>> We must use Windows XP because some programs can only run on XP. We
>>> have no money to get new programs and new Windows. Do you give $$$¥¥¥
>>> to me??? You don't right? So please understand why we use XP.
>>
>> Windows XP SP3 supports SHA-256. And of course, you always have the
>> option of Linux, which is a free modern operating system.
>>
>> Gerv
> 
> There is a lot of software whose company has already gone under, running at 
> factories, critical public infrastructure, even hospitals. We can't take the 
> risk of upgrading the operating system. But I am not supporting continuous use 
> of SHA1 certificates. Maybe you can understand this. :)

*Not* upgrading the operating system is a security risk. If you need to
interact with certificates, your computer is networked. If your computer
is networked, you absolutely cannot afford *not* to keep it up to date
and using a supported operating system. Anything else is asking to get
compromised, and then certificates are going to be the least of your
worries.

The "install it once and don't touch it" mentality stops working the
moment there's an Ethernet port with a cable connected to it. I would
hope networked equipment at critical public infrastructure like a
hospital is using a supported, updated operating system and software.

-- 
Hector Martin "marcan" (mar...@marcan.st)
Public Key: https://mrcn.st/pub


Re: WoSign and StartCom

2016-09-27 Thread Han Yuwei
On Tuesday, 27 September 2016 at 20:33:28 UTC+8, Gervase Markham wrote:
> On 27/09/16 13:13, adroidm...@gmail.com wrote:
> > We must use Windows XP because some programs can only run on XP. We
> > have no money to get new programs and new Windows. Do you give $$$¥¥¥
> > to me??? You don't right? So please understand why we use XP.
> 
> Windows XP SP3 supports SHA-256. And of course, you always have the
> option of Linux, which is a free modern operating system.
> 
> Gerv

There is a lot of software whose company has already gone under, running at factories, 
critical public infrastructure, even hospitals. We can't take the risk of 
upgrading the operating system. But I am not supporting continuous use of SHA1 
certificates. Maybe you can understand this. :)


Re: WoSign and StartCom

2016-09-27 Thread Gervase Markham
On 27/09/16 13:13, adroidm...@gmail.com wrote:
> We must use Windows XP because some programs can only run on XP. We
> have no money to get new programs and new Windows. Do you give $$$¥¥¥
> to me??? You don't right? So please understand why we use XP.

Windows XP SP3 supports SHA-256. And of course, you always have the
option of Linux, which is a free modern operating system.

Gerv



Re: WoSign and StartCom

2016-09-27 Thread Gervase Markham
On 26/09/16 15:20, Gervase Markham wrote:
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.

Participants may be interested in this blog post from Tyro:
https://tyro.com/blog/merchant-security-is-tyros-priority/

Gerv




Re: WoSign and StartCom

2016-09-26 Thread Percy
"However, many eyes are on the Web PKI and if such additional back-dating is 
discovered (by any means), Mozilla will immediately and permanently revoke 
trust in all WoSign and StartCom roots."
Could you elaborate a bit on concrete ways of discovering such backdating? 

As WoSign itself suggested, they might only operate such shady practices in 
C=CN. Google is blocked there and hence renders Chrome's automatic certificate 
reporting useless. Most security researchers on this forum will not visit 
Chinese websites and have minimum chances of discovering such certs manually. 
If WoSign is not posting those certs to CT, are there any concrete proposals to 
detect them? Will there be an Internet-wide scan to compare certs issued in 
the wild with the logged CT data?


Re: WoSign and StartCom

2016-09-26 Thread Han Yuwei
On Monday, 26 September 2016 at 22:21:13 UTC+8, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we have drawn from the recent investigations,
> and a proposal for discussion regarding the action that Mozilla's root
> program should take in response.
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.
> 
> Gerv

Seems like we are not able to get a free 1-year certificate. I am very 
disappointed about that.


Re: WoSign and StartCom

2016-09-26 Thread Gervase Markham
On 26/09/16 18:10, Andrew Ayer wrote:
> This contradicts the "Issue D" section at
> https://wiki.mozilla.org/CA:WoSign_Issues which says that this
> issue was not a BR violation.

You are quite right, thank you - fixed :-)

> The two *.zlbaba.com certificates (https://crt.sh/?id=30773543 and
> https://crt.sh/?id=31103218) do not appear to be matching to me:
> their public keys and serial numbers are different.

The serial numbers of all the pairs are different (which is good;
issuing two certs with the same serial number is an RFC violation, see
Issues H and P). I've not done an analysis of whether the public keys
match for some of the pairs; feel free to do one if you like. If you
think two different public keys casts doubt on the idea that these two
certs were issued at the same time, feel free to think that. However,
the document does not stand or fall on whether or not these are
co-issued pairs or not; that is merely a conjecture to try and establish
how long the misissuance happened for, as we have no other reliable dates.

Gerv


Re: WoSign and StartCom

2016-09-26 Thread Andrew Ayer
> This fixing of the notAfter date in this style of certificate may
> have been a sensible move to avoid accidentally issuing SHA-1
> certificates whose validity extends into 2017, which would also be a
> BR violation.

This contradicts the "Issue D" section at
https://wiki.mozilla.org/CA:WoSign_Issues which says that this
issue was not a BR violation.

> Many of the rest of the Macau certificates, which do not have an
> embedded SCT to show when they were issued, have "matching"
> SHA-256 versions issued at some point in 2016, with everything the
> same except the issuing intermediate certificate, the hash algorithm
> and the notBefore/notAfter dates. This hints at the possibility that
> the two certificates were actually issued at the same time, and the
> date in the SHA-256 version is the correct issue date for both. If
> this is true, it shows misissuance continued until at least June 2016
> (*.zlbaba.com SHA-1, SHA-256).

The two *.zlbaba.com certificates (https://crt.sh/?id=30773543 and
https://crt.sh/?id=31103218) do not appear to be matching to me:
their public keys and serial numbers are different.

> Should StartCom/WoSign be permitted to re-apply using the same roots,
> or would they need new roots?

New roots.  Considering the extent to which StartCom/WoSign have
mismanaged things, there could be further misissued certificates
chaining to their roots that we don't know about.  The only way to
protect the ecosystem from such certificates is to require new roots -
roots that have only ever operated under the new audits that will be
required by Mozilla.

Regards,
Andrew
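The co-issuance conjecture quoted above (a SHA-1 certificate without an SCT "matching" a SHA-256 certificate in everything but issuing intermediate, hash algorithm and validity dates, so the SHA-256 notBefore is taken as the real issuance date of both) and Andrew Ayer's objection (two certificates with different public keys are not a match) together make up a pairing rule that can be written down and run. The following is an added example, not code from the thread, from Mozilla or from either CA. It works on certificate metadata records of the kind one would pull out with `openssl x509 -noout -serial -dates -fingerprint` or from crt.sh; every record below is constructed for illustration, the hostnames, serials and key fingerprints are invented and are not the *.zlbaba.com certificates, and the names `CertRecord`, `is_coissued_pair`, `infer_issue_date` and `analyse` are chosen here. The 2016-01-01 cut-off for SHA-1 issuance is from Baseline Requirements 7.1.3; expiry after 2016-12-31 is reported only as a sunset warning, since the thread disputes whether that is a BR violation.

```python
"""Pairing heuristic for back-dated SHA-1 certificates (added example).

Operates on metadata records as extracted from certificates with
`openssl x509 -noout -serial -dates -fingerprint` or from crt.sh.
All records in SAMPLE_CERTS are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional

# BR 7.1.3: CAs MUST NOT issue SHA-1 certificates with notBefore on/after this date.
SHA1_ISSUANCE_CUTOFF = date(2016, 1, 1)
# Browser SHA-1 sunset; whether exceeding it is itself a BR violation is disputed.
SHA1_SUNSET = date(2016, 12, 31)


@dataclass(frozen=True)
class CertRecord:
    serial: str
    issuer: str
    sig_alg: str                # e.g. "sha1WithRSAEncryption"
    subject_cn: str
    sans: FrozenSet[str]
    spki_sha256: str            # hex SHA-256 of the SubjectPublicKeyInfo
    not_before: date
    not_after: date
    embedded_sct: bool = False  # an embedded SCT timestamps the real issuance


def is_sha1(c: CertRecord) -> bool:
    return c.sig_alg.lower().startswith("sha1")


def sha1_policy_problems(c: CertRecord) -> List[str]:
    """Checks that need only the certificate's own fields."""
    problems = []
    if is_sha1(c) and c.not_before >= SHA1_ISSUANCE_CUTOFF:
        problems.append("SHA-1 notBefore on/after 2016-01-01 (BR 7.1.3)")
    if is_sha1(c) and c.not_after > SHA1_SUNSET:
        problems.append("SHA-1 validity extends past 2016-12-31 (SHA-1 sunset)")
    return problems


def is_coissued_pair(sha1_cert: CertRecord, other: CertRecord) -> bool:
    """'Matching' in the sense of the thread: same subject and SANs, with only
    the issuing intermediate, hash algorithm and validity dates differing.
    Per Andrew Ayer's objection the public key must match as well; a pair
    with different SPKIs is not evidence of co-issuance."""
    return (is_sha1(sha1_cert) and not is_sha1(other)
            and sha1_cert.subject_cn == other.subject_cn
            and sha1_cert.sans == other.sans
            and sha1_cert.spki_sha256 == other.spki_sha256)


def infer_issue_date(sha1_cert: CertRecord, pool: List[CertRecord]) -> Optional[date]:
    """For a SHA-1 certificate with no SCT, the notBefore of a co-issued SHA-256
    sibling is the best available estimate of when both were really issued.
    Returns None when an SCT already exists or no sibling matches."""
    if sha1_cert.embedded_sct:
        return None
    siblings = [c for c in pool if is_coissued_pair(sha1_cert, c)]
    return min(c.not_before for c in siblings) if siblings else None


def analyse(pool: List[CertRecord]) -> Dict[str, dict]:
    """Report, keyed by serial, for every SHA-1 certificate in the pool."""
    report = {}
    for c in pool:
        if not is_sha1(c):
            continue
        problems = sha1_policy_problems(c)
        inferred = infer_issue_date(c, pool)
        # A 2015 notBefore next to a sibling issued in 2016 is the back-dating signature.
        if inferred is not None and c.not_before < SHA1_ISSUANCE_CUTOFF <= inferred:
            problems.append(f"notBefore {c.not_before} but sibling issued {inferred}: "
                            "likely back-dated to evade the SHA-1 cut-off")
        report[c.serial] = {"inferred_issue_date": inferred, "problems": problems}
    return report


KEY_A, KEY_B, KEY_C = "aa" * 32, "bb" * 32, "cc" * 32   # constructed fingerprints

SAMPLE_CERTS = [
    # Pair 1: SHA-1 cert dated into 2015; SHA-256 twin (same key, same names) says June 2016.
    CertRecord("0x01", "Example SHA1 CA", "sha1WithRSAEncryption", "*.alpha.example",
               frozenset({"*.alpha.example", "alpha.example"}), KEY_A,
               date(2015, 12, 20), date(2016, 12, 29)),
    CertRecord("0x02", "Example SHA256 CA", "sha256WithRSAEncryption", "*.alpha.example",
               frozenset({"*.alpha.example", "alpha.example"}), KEY_A,
               date(2016, 6, 1), date(2018, 6, 1)),
    # Pair 2: same names, but a different key in the SHA-256 cert -> not a co-issued pair.
    CertRecord("0x03", "Example SHA1 CA", "sha1WithRSAEncryption", "*.beta.example",
               frozenset({"*.beta.example", "beta.example"}), KEY_B,
               date(2015, 12, 30), date(2016, 12, 29)),
    CertRecord("0x04", "Example SHA256 CA", "sha256WithRSAEncryption", "*.beta.example",
               frozenset({"*.beta.example", "beta.example"}), KEY_C,
               date(2016, 6, 10), date(2018, 6, 10)),
    # Lone SHA-1 cert whose validity runs into 2017.
    CertRecord("0x05", "Example SHA1 CA", "sha1WithRSAEncryption", "gamma.example",
               frozenset({"gamma.example"}), KEY_B,
               date(2015, 11, 1), date(2017, 3, 1)),
]

REPORT = analyse(SAMPLE_CERTS)

if __name__ == "__main__":
    for serial, r in REPORT.items():
        print(serial, r["inferred_issue_date"], *r["problems"], sep=" | ")
```

Only the first pair yields an inferred date and a back-dating flag; the second pair is rejected on the key mismatch, which is exactly why the *.zlbaba.com comparison does not support the June 2016 inference on its own. The sibling's notBefore is a lower bound on the real issuance of the SHA-1 certificate only if the pair really was co-issued, so treat the flag as a lead to check against other evidence (SCTs, OCSP first-seen, crawler snapshots), not as proof.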


Re: WoSign and StartCom

2016-09-26 Thread yuhongbao_386
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote:
> Today, Mozilla is publishing an additional document containing further
> research into the back-dating of SHA-1 certificates, in violation of the
> CAB Forum Baseline Requirements, to avoid browser blocks. It also
> contains some conclusions we have drawn from the recent investigations,
> and a proposal for discussion regarding the action that Mozilla's root
> program should take in response.
> 
> Because this document is extensive and contains embedded images, links
> and formatting, I have published it on Google Docs instead of as an
> email message here:
> 
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit
> 
> However, this forum is the appropriate place for discussing it. Please
> feel free to cut and paste any parts you wish to quote and comment on.
> 
> Gerv

"However, we don’t feel that Mozilla’s users in China have lower requirements 
for CA trustworthiness than Mozilla’s users elsewhere."
To be honest, I do hope that there are not many XP SP2 users in China anymore.


Re: WoSign and StartCom audit reports

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg  wrote:
> On 09/23/2016 05:53 AM, Peter Bowen wrote:
>>
>> Review of StartCom audit reports
>> for the period 1 January 2015 to 31 December 2015
>>
>> Good:
>> - Uses AICPA standards
>> - Uses current criteria versions
>>
>> Bad:
>> - Only covers two roots, not subordinate CAs (true for all three
>> reports: CA, BR, and EV)
>> - Does not provide assurance that subordinate CA certificate requests
>> are accurate, authenticated, and approved
>> - Does not provide assurance that it meets the Network and Certificate
>> System Security Requirements as set forth by the CA/Browser Forum
>
> Speaking only for StartCom here, as far as I know and as per auditing
> standards, all intermediate CAs are audited (no external intermediates
> existed).
>
> As to network security, I believe this is part of the Baseline Requirements
> audit. But if necessary I can ask our auditors and also WebTrust directly if
> something is really missing. I assume that all is included, covered
> and implied, but should a mistake have happened in the statements made by
> the auditors I'm sure we can get a corrected statement or explanation.

I'm super happy that this was all checked.  I know other auditors have
re-issued opinion letters when they missed things unintentionally.
Maybe you could ask EY to reissue to include the list of SubCAs and
the full coverage.  I noticed EY Israel got added back to the WebTrust
site, after being unintentionally dropped during the update to remove
non-CA auditors, so that should also enable posting it to the seal
archive.

One other question on your report:  It says the services were provided
at Eilat, Israel during the period Jan 1, 2015 to Dec 31, 2015.
Richard said in an email a few hours ago that the StartCom validation
team was also in the UK.  Did that team not spin up until January 2016
or later?

Thanks,
Peter


Re: WoSign and StartCom audit reports

2016-09-23 Thread Eddy Nigg

On 09/23/2016 05:53 AM, Peter Bowen wrote:

Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests
are accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate
System Security Requirements as set forth by the CA/Browser Forum
Speaking only for StartCom here, as far as I know and as per auditing 
standards, all intermediate CAs are audited (no external intermediates 
existed).
As to network security, I believe this is part of the Baseline 
Requirements audit. But if necessary I can ask our auditors and also 
WebTrust directly if something is really missing. I assume that 
all is included, covered and implied, but should a mistake have happened 
in the statements made by the auditors I'm sure we can get a corrected 
statement or explanation.

--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. 
XMPP:   start...@startcom.org 



Re: WoSign and StartCom audit reports

2016-09-23 Thread Gervase Markham
On 23/09/16 06:35, Richard Wang wrote:
> For StartCom, Eddy can say something about it, StartCom is 1000% independent 
> for everything at 2015.

You've said this or something very similar twice now, both times saying
"at 2015". This is probably a language thing, because native English
speakers would not use "at" here.

So can I ask what you mean? Do you mean "1000% independent today", or do
you mean "it was 1000% independent in 2015 (but things may have changed
since)"?

Gerv


RE: WoSign and StartCom audit reports

2016-09-22 Thread Richard Wang
Thanks for your hard work. I hope you can finish checking all the other CAs' 
reports ASAP.

For WoSign, the report covered all 4 roots, not 3 roots.

For StartCom, Eddy can say something about it, StartCom is 1000% independent 
for everything at 2015.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Peter Bowen
Sent: Friday, September 23, 2016 10:54 AM
To: mozilla-dev-security-pol...@lists.mozilla.org 

Subject: WoSign and StartCom audit reports

As hinted at in my earlier email about what is expected in audit reports, I've 
been looking at WebTrust audit reports from many CAs in the Mozilla program and 
those applying to be in the program.

Since there has been lots of discussion about WoSign and Startcom recently, I 
took a look at their latest reports.  I thought others might be interested in 
the result.

Thanks,
Peter

Review of WoSign audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers three roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved

Really Bad:
- Includes 'emphasis of matters' which show failures of controls but still 
claims to be an unqualified opinion
- The EV opinion does not note that some of the EV certificates using a SHA-1 
hash in the signature have expiration dates after 2016-12-31


Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015

Good:
- Uses AICPA standards
- Uses current criteria versions

Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not provide assurance that subordinate CA certificate requests are 
accurate, authenticated, and approved
- Does not provide assurance that it meets the Network and Certificate System 
Security Requirements as set forth by the CA/Browser Forum 