Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Ryan Sleevi
https://support.apple.com/en-us/HT204132

The source code for how Apple has implemented such blocks is available
at https://opensource.apple.com/

Specifically 
https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c.auto.html
as called by 
https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertGroup.cpp.auto.html

You can see that the logic to check the allow list is implemented
after Keychain checks - meaning yes, users can't disable the
whitelist. You should talk to Apple if that bothers you :)

On Tue, Nov 8, 2016 at 2:42 PM, Percy wrote:
> Yeah, I suspected so but I didn't find it in the security content 
> (https://support.apple.com/en-ca/HT207275).
>
> I remember when Gerv discussed the idea of whitelisting intermediate certs, he 
> mentioned that Firefox didn't want to undermine user sovereignty by 
> overriding the user's trust choice. I guess Apple might not have considered 
> this.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Percy
Yeah, I suspected so but I didn't find it in the security content 
(https://support.apple.com/en-ca/HT207275).

I remember when Gerv discussed the idea of whitelisting intermediate certs, he 
mentioned that Firefox didn't want to undermine user sovereignty by overriding 
the user's trust choice. I guess Apple might not have considered this. 


Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Ryan Sleevi
On Tue, Nov 8, 2016 at 2:23 PM, Percy wrote:
> You can see from image1 that all StartCom roots are marked distrust 
> systemwide. No WoSign roots are included on Mac.
>
> However when I'm accessing https://www.schrauger.com/ in Chrome, the HTTPS 
> connection is marked as valid (image2) and the certification authority of 
> WoSign is regarded as a valid intermediate cert. In the same session, when 
> accessing https://wosign.com, the same intermediate cert is marked as 
> untrusted (image3) which is what I expect.
>
> The same thing happened in Safari (Image 4&5). Can someone explain how the 
> Certification Authority of WoSign (Serial number: 7250751724796726) is 
> sometimes valid when the root cert is distrusted?
>

This probably isn't the list to ask about Safari or Chrome, but for
the sake of giving you a reply:

Chrome - The bug to star is
https://bugs.chromium.org/p/chromium/issues/detail?id=661003
Safari - Apple's announcement stated that they would be whitelisting
certificates disclosed via CT before a particular date. So I suspect
that's what's coming into play here.