Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom
https://support.apple.com/en-us/HT204132

The source code for how Apple has implemented such blocks is available at https://opensource.apple.com/

Specifically https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertAllowList.c.auto.html as called by https://opensource.apple.com/source/Security/Security-57337.60.2/OSX/libsecurity_apple_x509_tp/lib/tpCertGroup.cpp.auto.html

You can see that the logic to check the allow list is implemented after Keychain checks - meaning yes, users can't disable the whitelist. You should talk to Apple if that bothers you :)

On Tue, Nov 8, 2016 at 2:42 PM, Percy wrote:
> Yeah, I suspected so but I didn't find it in the security content
> (https://support.apple.com/en-ca/HT207275).
>
> I remember when Gerv discussed the idea on whitelisting intermediate cert, he
> mentioned that Firefox didn't want to undermine user sovereignty by
> overriding the user's trust choice. I guess Apple might not have considered
> this.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom
Yeah, I suspected so but I didn't find it in the security content (https://support.apple.com/en-ca/HT207275).

I remember when Gerv discussed the idea on whitelisting intermediate cert, he mentioned that Firefox didn't want to undermine user sovereignty by overriding the user's trust choice. I guess Apple might not have considered this.
Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom
On Tue, Nov 8, 2016 at 2:23 PM, Percy wrote:
> You can see from image1 that all StartCom roots are marked distrust
> systemwide. No WoSign roots are included on Mac.
>
> However when I'm accessing https://www.schrauger.com/ in Chrome, the HTTPS
> connection is marked as valid (image2) and the certification authority of
> WoSign is regarded as a valid intermediate cert. In the same session, when
> accessing https://wosign.com, the same intermediate cert is marked as
> untrusted (image3) which is what I expect.
>
> The same thing happened in Safari (Image 4&5). Can someone explain how the
> Certification Authority of WoSign (Serial number: 7250751724796726) is
> sometimes valid when the root cert is distrusted?
>

This probably isn't the list to ask about Safari or Chrome, but for sake of giving you a reply:

Chrome - The bug to star is https://bugs.chromium.org/p/chromium/issues/detail?id=661003

Safari - Apple's announcement stated that they would be whitelisting certificates disclosed via CT before a particular date. So I suspect that's what's coming into play here.