Remove old StartCom root certs from NSS

[Kathleen Wilson via dev-security-policy]

And I think we should remove the old StartCom root certs from NSS.

Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#StartCom
~~
Mozilla currently recommends not trusting any certificates issued by this CA 
after October 21st, 2016. That recommendation covers the following roots:

CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
O=StartCom Ltd., C=IL
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL

This restriction has been implemented in both in the Mozilla platform security 
code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, 
etc.), and in addition, in the NSS library code, which is used by applications 
that use the NSS certificate verification APIs. 
~~


Please let me know if you foresee any problems with removing these root certs 
from NSS.

Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Remove old WoSign root certs from NSS

[Kathleen Wilson via dev-security-policy]

I also think we should remove the old WoSign root certs from NSS.

Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
~~
Mozilla currently recommends not trusting any certificates issued by this CA 
after October 21st, 2016. That recommendation covers the following roots:

CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN

This restriction has been implemented in both in the Mozilla platform security 
code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, 
etc.), and in addition, in the NSS library code, which is used by applications 
that use the NSS certificate verification APIs. 
~~

Please let me know if you foresee any problems with removing these root certs 
from NSS.

Thanks,
Kathleen


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

How long to resolve unaudited unconstrained intermediates?

[Alex Gaynor via dev-security-policy]

Hi all,

I wanted to call some attention to a few intermediates which have been
hanging out in the "Audit required" section for quite a while:
https://crt.sh/mozilla-disclosures#disclosureincomplete

Specifically, the TurkTrust and Firmaprofesional ones. Both have issues
open in Bugzilla:

- https://bugzilla.mozilla.org/show_bug.cgi?id=1367842
- https://bugzilla.mozilla.org/show_bug.cgi?id=1368171

However, neither appears to have seen any attention from the CAs in the
past two months.

Section 5.3.2 of the Mozilla Root Policy says they have a week to disclose
the cert, however I'm a bit less clear on on what timeline they're required
to provide the audit statements.

Cheers,
Alex
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: WoSign new system passed Cure 53 system security audit

[Richard Wang via dev-security-policy]

I think you found the source: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

Please note this email topic is just for releasing the news that WoSign new 
system passed the security audit, just for demonstration that we finished item 
5:
 " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
issuing infrastructure has been successfully completed. "
" [3] The auditor must be an external company, and approved by Mozilla. "

NOT for the new root inclusion application.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 2:39 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit

On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
>  " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "

What is the source?

According to this thread [1]:
"1. Provide a list of changes that the CA plans to implement to ensure that 
there are no future violations of Mozilla Policy and the Baseline Requirements."

One of these changes is to remove the person responsible for:
1. Releasing unsecured and not fully tested software that allowed issuing 
certificates for Github without proper checks.
2. Back-dating SHA1 certificates.
3. Secretly purchasing another CA without disclosing it to Mozilla.
4. Actively lying and misleading about 2 and 3.

To my understanding, from reading the "Remediation Plan", one of the 
requirements made for WoSign by itself/parent company, is to remove the person 
responsible for most of the issue caused them to lose the trust bit.

I'm not in *any* position to tell who shell manage the daily operations of 
WoSign, but it gives a strong indication that nothing had really changed.

Links:
1. 
https://groups.google.com/d/msg/mozilla.dev.security.policy/BV5XyFJLnQM/_DwiB1PDGQAJ
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: WoSign new system passed Cure 53 system security audit

[Itzhak Daniel via dev-security-policy]

On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
>  " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "

What is the source?

According to this thread [1]:
"1. Provide a list of changes that the CA plans to implement to ensure that 
there are no future violations of Mozilla Policy and the Baseline Requirements."

One of these changes is to remove the person responsible for:
1. Releasing unsecured and not fully tested software that allowed issuing 
certificates for Github without proper checks.
2. Back-dating SHA1 certificates.
3. Secretly purchasing another CA without disclosing it to Mozilla.
4. Actively lying and misleading about 2 and 3.

To my understanding, from reading the "Remediation Plan", one of the 
requirements made for WoSign by itself/parent company, is to remove the person 
responsible for most of the issue caused them to lose the trust bit.

I'm not in *any* position to tell who shell manage the daily operations of 
WoSign, but it gives a strong indication that nothing had really changed.

Links:
1. 
https://groups.google.com/d/msg/mozilla.dev.security.policy/BV5XyFJLnQM/_DwiB1PDGQAJ
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: WoSign new system passed Cure 53 system security audit

[Richard Wang via dev-security-policy]

Please note that the Mozilla requirement is:

 " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
issuing infrastructure has been successfully completed. "
" [3] The auditor must be an external company, and approved by Mozilla. "

That WoSign did it very well -- PASS the full security audit.

And Richard Wang leading the RD team have done a good job for the new system 
development and passed the security audit.

Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy via dev-security-policy
Sent: Monday, July 10, 2017 12:41 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit

So it seems that Richard Wang still has the final executive decisions regarding 
security in daily operations. Basically WoSign simply changed the title of the 
position from CEO to COO and bypassed Mozilla's requirement?

On Sunday, July 9, 2017 at 7:26:28 PM UTC-7, Richard Wang wrote:
> The important thing is by the board of directors, the Company Legal 
> Representative is changed to Mr. Shi Xiaohong, VP of 360.
>
>
> The daily operation thing is by COO.
>
> Best Regards,
>
>
> Richard
>
>
>
> From: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, July 10, 2017 10:12 AM
> To: Richard Wang 
> Cc: Itzhak Daniel ; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security audit
>
>
>
> So who acts as the CEO for WoSign when final executive decisions need to be 
> made?
>
>
>
>
>
> On Sun, Jul 9, 2017 at 9:41 PM, Richard Wang via dev-security-policy 
> >
>  wrote:
>
>Mr Wang is the COO now according to Mr. Tan's public announcement on March 
> CAB Forum meeting.
>
>CEO is still N/A, if anyone is interesting in the CEO position, please 
> send your Resume to Mr. Tan.
>
>
>Best Regards,
>
>Richard
>
>
>-Original Message-
>From: dev-security-policy 
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org]
>  On Behalf Of Itzhak Daniel via dev-security-policy
>Sent: Monday, July 10, 2017 4:57 AM
>To: 
> mozilla-dev-security-pol...@lists.mozilla.org
>Subject: Re: WoSign new system passed Cure 53 system security audit
>
>Mr. Wang is mentioned on the end of the document, what is Richard Wang 
> current official responsibility of Mr. Wang at WoSign?
>
>According to the incident report, release on October 2016 [1], Mr. Wang 
> was suppose to be relieved of his duties as CEO, this is mentioned in 3 
> separate paragraphs (P.17,P.25,P.26).
>
>Links:
>1. https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
>___
>dev-security-policy mailing list
>
> dev-security-policy@lists.mozilla.org
>https://lists.mozilla.org/listinfo/dev-security-policy
>___
>dev-security-policy mailing list
>
> dev-security-policy@lists.mozilla.org
>https://lists.mozilla.org/listinfo/dev-security-policy
>
>
>
>
>
>
>
>--
>
>konklone.com | 
> @konklone

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy