On Mon, Mar 27, 2017 at 10:39:17AM -0400, Antoine Beaupre wrote:
> On Thu, Mar 23, 2017 at 09:25:42AM -0500, Michael Shuler wrote:
> > Thanks for the report, Chris.
>
> Any timeline for this deployment? Do you need help with patching this
> in?
Actually, I'm not sure I understand what's going on here. While Mozilla announced they would stop trusting WoSign, they didn't actually remove the trust roots from the store. Indeed, they said they "may choose to remove them at any point after March 2017", which they haven't done yet. WoSign and StartCom are still both here:

https://mozillacaprogram.secure.force.com/CA/CACertificatesInFirefoxReport

and here:

https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt

... the latter seemingly being the source for our own certdata.txt.

That said, Mozilla should refuse certs issued after October 21, 2016, something we can't do ourselves. So the patch would probably be to add this to the blacklist.txt file:

"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority"
"StartCom Certification Authority G2"
"StartCom Certification Authority G2"
"WoSign"
"WoSign"
"WoSign China"
"WoSign China"
"Certification Authority of WoSign G2"
"Certification Authority of WoSign G2"
"CA WoSign ECC Root"
"CA WoSign ECC Root"

This list was generated with:

egrep 'WoSign|StartCom' mozilla/certdata.txt | grep UTF | sed 's/CKA_LABEL UTF8 //'

I hope that helps!

A.
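As an added example (not code from the thread or from the ca-certificates package), the same label-extraction pipeline as a script, de-duplicated, plus a cross-check that reports blacklist.txt entries that no longer match any CKA_LABEL in certdata.txt. The certdata.txt excerpt and the blacklist are constructed sample data, not the real files.

```shell
#!/bin/sh
# Regenerate and sanity-check blacklist.txt entries from a Mozilla certdata.txt.
set -eu
export LC_ALL=C   # stable sort order for sort/comm

# Constructed excerpt: each root appears twice in certdata.txt (the
# certificate object and its trust object), hence every label shows up twice.
SAMPLE_CERTDATA='# Certificate "WoSign"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "WoSign"
# Trust for "WoSign"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "WoSign"
CKA_LABEL UTF8 "StartCom Certification Authority G2"
CKA_LABEL UTF8 "StartCom Certification Authority G2"
CKA_LABEL UTF8 "DigiCert Global Root CA"
CKA_LABEL UTF8 "DigiCert Global Root CA"'

# The pipeline from the message, de-duplicated: distinct quoted CKA_LABEL
# values matching an egrep pattern.  $1 = pattern, $2 = certdata file
labels_matching() {
  grep -E "$1" "$2" | grep 'CKA_LABEL UTF8' | sed 's/CKA_LABEL UTF8 //' | sort -u
}

# All distinct labels in a certdata file.  $1 = certdata file
all_labels() {
  grep 'CKA_LABEL UTF8' "$1" | sed 's/CKA_LABEL UTF8 //' | sort -u
}

# Blacklist entries (comments and blank lines skipped) that name no root in
# certdata.txt; they become stale once upstream drops the root itself.
# $1 = certdata file, $2 = blacklist file
stale_blacklist_entries() {
  all_labels "$1" > "$1.labels"
  grep -v '^#' "$2" | grep -v '^$' | sort -u | comm -23 - "$1.labels"
  rm -f "$1.labels"
}

# Stand-alone demo on the constructed sample (blacklist is constructed too).
demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE_CERTDATA" > "$demo_dir/certdata.txt"
printf '%s\n' '# untrusted roots' '"WoSign"' '"CA WoSign ECC Root"' > "$demo_dir/blacklist.txt"
echo "== entries to add =="
labels_matching 'WoSign|StartCom' "$demo_dir/certdata.txt"
echo "== stale entries =="
stale_blacklist_entries "$demo_dir/certdata.txt" "$demo_dir/blacklist.txt"
```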