See below inline, thanks.
Best Regards, Richard -----Original Message----- From: Jeremy Rowley [mailto:jeremy.row...@digicert.com] Sent: Thursday, August 25, 2016 3:50 AM To: Jeremy Rowley <jeremy.row...@digicert.com>; Peter Bowen <pzbo...@gmail.com>; Gervase Markham <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Also, I think the biggest concern is the mis issuance issues were not reported to Mozilla but were reported to Google. A failure to report a problem in domain validation creates a question of whether the CA can be trusted in the future. Could we boil these incidents down to the following concerns? 1) WoSign missued certificates by failing to have adequate security that the domain validation could be bypassed using a high level port R: we are searching if we mis-issued any certificate for this case since Google just told us to forbid the higher port, not told us any cert mis-issued. 2) WoSign should provide clarity on whether the issuance of a StartCom and WoSign cert through the same portal should be considered a mis-issuance R: As we clarified that this port issue is not related StartCom, just the API case that we declared, please refer to the previous emails. 3) WoSign was permitting higher level domain verification to enable issuance at lower level domains (which is now clearly impermissible) R: yes, but we fixed this bug. 4) WoSign appears to be backdating certificates to avoid BR compliance and R: AS I said in the Bugzilla, this is not the case, this is API bug that found and used by Computest only for two test certificate, not for any normal case. We don’t have old equipment customer to require SHA1 certificate. 5) WoSign failed to report mis-issuance to Mozilla R: Yes, I agree this is our mistake and never happen again in the future. Jeremy -----Original Message----- From: dev-security-policy [ <mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org> mailto:dev-security-policy-bounces+jeremy.rowley=digicert....@lists.mozilla.org] On Behalf Of Jeremy Rowley Sent: Wednesday, August 24, 2016 1:41 PM To: Peter Bowen < <mailto:pzbo...@gmail.com> pzbo...@gmail.com>; Gervase Markham < <mailto:g...@mozilla.org> g...@mozilla.org> Cc: Richard Wang < <mailto:rich...@wosign.com> rich...@wosign.com>; <mailto:mozilla-dev-security-pol...@lists.mozilla.org> mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obtain a cert without proper domain validation is pretty serious. I'd like to hear more details about how this was accomplished. Ports 8080 and 8443 aren't that uncommon so penalizing someone merely for port use seems harsh when there wasn't a policy against it. -----Original Message----- From: Peter Bowen [ <mailto:pzbo...@gmail.com> mailto:pzbo...@gmail.com] Sent: Wednesday, August 24, 2016 10:45 AM To: Gervase Markham < <mailto:g...@mozilla.org> g...@mozilla.org> Cc: Jeremy Rowley < <mailto:jeremy.row...@digicert.com> jeremy.row...@digicert.com>; <mailto:mozilla-dev-security-pol...@lists.mozilla.org> mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang < <mailto:rich...@wosign.com> rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham < <mailto:g...@mozilla.org> g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >> auto-generation script. > > It seems like a bit more than that, doesn't it? Let's presume that > WoSign did not ship a copy of their intermediate cert's private key to > StartCom. Therefore, this cert must have been issued on the back end > by some sort of WoSign system. So either WoSign's back-end issuing > service has some form of authentication and the StartCom system had > those credentials (why?), or the WoSign system does not have any form > of authentication (concerning). I think you are missing the most likely option: CA hosting. My understanding is that it is not uncommon that one CA operator contracts with another CA operator to run a CA on behalf of the first operator. I don't think it has been clear what disclosure of this practice is required. Given that I believe this is widespread, I assumed that all of the issuing CAs in this case were operated by the same entity. Thanks, Peter
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
