The Feisty Duck "Bulletproof TLS Newsletter" sent out yesterday seems
to slightly misreport the WoSign/StartCom situation, as it claims the
distrust has already been "finally decided", rather than just proposed.
Below is a copy of the text version of the relevant portion of the
newsletter:
Mozilla no longer trusts WoSign and StartCom
==
The certificate authority WoSign came under fire for various security
incidents. Gervase Markham from Mozilla started the debate with an
email to Mozilla's security policy mailing list
https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/mKSMaz9eCgAJ
..
Someone was able to generate a certificate for github.io by controlling
a subdomain
https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com.
For some time it was possible to generate certificates by controlling
unprivileged port numbers.
In a third incident it was possible to generate SHA-1-signed
certificates, which happened through the certificate issuance system
from StartCom, indicating that the two companies share parts of their
infrastructure. It later turned out that WoSign had backdated several
certificates in order to circumvent the SHA-1 ban starting January this
year.
During the debate several further issues came up
https://wiki.mozilla.org/CA:WoSign_Issues and a former employee of
StartCom claimed that WoSign is now the sole owner of StartCom. This
was later confirmed by investigations from Mozilla
https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/0pqpLJ_lCJQ
..
Mozilla finally decided that new certificates from WoSign and StartCom
would no longer be trusted in their browser
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/preview
..
They can reapply for browser inclusion in a year under certain
conditions. Existing certificates will still be trusted. This
theoretically allows WoSign to create backdated certificates; however,
Mozilla announced that if they see any evidence of this they will
immediately distrust all WoSign/StartCom certificates.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy