Re: Regarding CA requirements as to technical infrastructure utilized in automated domain validations, etc. (if any)

2017-08-27 Thread Dimitris Zacharopoulos via dev-security-policy

On 25/8/2017 9:42 PM, Ryan Hurst via dev-security-policy wrote:

> Dimitris,
>
> I think it is not accurate to characterize this as being outside of the CAs'
> controls. Several CAs utilize multiple network perspectives and consensus to
> mitigate these risks. While this is not a total solution it is fairly effective
> if the consensus pool is well thought out.
>
> Ryan


Just to make sure I am not misunderstanding, are you referring to CAs 
with real-time access to the Full Internet Routing Table that allows 
them to make routing decisions or something completely different? If 
it's something different, it would be great if you could provide some 
information about how this consensus over network perspectives (between 
different CAs) works today.  There are services that offer 
routing-status like https://stat.ripe.net/widget/routing-status or 
https://www.cidr-report.org/as2.0/ but I don't know if they are being 
used by CAs to minimize the chance of accepting a hijacked address 
prefix (Matt's example).


Dimitris.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Remove old WoSign root certs from NSS

2017-08-27 Thread Percy via dev-security-policy
On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote:
> On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> > I suggest that Mozilla can post an announcement now about the complete 
> > removal of WoSign/StartCom to alert website developers. I suspect that a 
> > moderate amount of Chinese websites are still using WoSign certs chained to 
> > the old roots. Google posted about this complete removal here 
> > https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
> >  
> > 
> > And since WoSign has the most presence in China, I suggest Mozilla can 
> > instruct Mozilla China to post such announcement in Chinese as well.
> 
> 
> Here's a DRAFT for such an announcement, that I could post to Mozilla's 
> Security Blog [1].
> 
> ~~ DRAFT ~~
> 
> Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58
> 
> In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop 
> validating new certificates chaining to the below list of root certificates 
> owned by the companies WoSign and StartCom. 
> 
> The announcement also indicated our intent to eventually completely remove 
> these root certificates from Mozilla’s Root Store[3], so that we would no 
> longer validate certificates issued even before that date by those roots. 
> That time has now arrived. We plan to release the relevant changes[4] to 
> Network Security Services (NSS)[5] in November, and then the changes will be 
> picked up in Firefox 58[6], due for release in January 2018. Sites using 
> certificates chaining up to any of the following root certificates need to 
> migrate to another root certificate.
> 
> This announcement applies to the root certificates with the following names:
> 
> CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
> CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
> O=StartCom Ltd., C=IL
> CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
> 
> Mozilla Security Team
> ~~
> 
> As always, I will appreciate your constructive feedback.
> 
> Thanks,
> Kathleen
> 
> [1] https://blog.mozilla.org/security/
> [2] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [3] https://wiki.mozilla.org/CA
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
> https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
> [5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
> [6] https://wiki.mozilla.org/RapidRelease/Calendar

Such an announcement will be great. And a Chinese translation posted on Mozilla 
China will be greatly appreciated too.

A Chinese announcement is rather appreciated because some very large companies, 
for example, OFO, which received $450M in funding and is currently valued at 1B [1], 
are still using WoSign certs [2]; Fapiao, which deals with receipts for 
Starbucks in China, was using the old WoSign cert [3] until two weeks ago. It 
only changed the cert after customer complaints for months. Those are by far 
not isolated cases.


[1] https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2] https://common.ofo.so/
[3] https://crt.sh/?q=fapiao.com