This case is in the BR report: 
https://cert.webtrust.org/SealFile?seal=2019&file=pdf

Thanks.

Best Regards,

Richard

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com] 
Sent: Wednesday, August 31, 2016 10:45 AM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang 
<rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign

On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> Dear m.d.s.policy,
>
> Several incidents have come to our attention involving the CA "WoSign".
> Mozilla is considering what action it should take in response to these 
> incidents. This email sets out our understanding of the situation.
>
> Before we begin, we note that Section 1 of the Mozilla CA Certificate 
> Enforcement Policy[0] says: "When a serious security concern is 
> noticed, such as a major root compromise, it should be treated as a 
> security-sensitive bug, and the Mozilla Policy for Handling Security 
> Bugs should be followed." It is clear to us, and appears to be clear 
> to other CAs based on their actions, that misissuances where domain 
> control checks have failed fall into the category of "serious security 
> concern".

I have run into another bug that appears to be fixed in WoSign's infrastructure 
but is worth noting.

In April 2015, two different WoSign CAs issued multiple certificates to 
distinct subjects using the same serial number.  The CT logs have picked up two 
instances of this occurring:

https://crt.sh/?serial=0D3BBDC3A0175E38F9D0070CD050986A shows eight distinct 
certificates with the same serial number, all with notBefore dates of 
2015-04-14.

https://crt.sh/?serial=056D1570DA645BF6B44C0A7077CC6769 shows dozens of 
distinct certificates with the same serial number, with notBefore dates between 
2015-04-10 and 2015-04-14.

I have not examined their management assertions to see if this was documented 
and I do not know if this was reported to Mozilla at the time.  These 
certificates do not appear to meet RFC 5280's requirements, which say:

   "The serial number MUST be a positive integer assigned by the CA to
   each certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique
   certificate)"
(https://tools.ietf.org/html/rfc5280#section-4.1.2.2)

Was Mozilla advised of this issue?

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
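The RFC 5280 rule Peter quotes is mechanically checkable: a set of certificates is in violation if any serialNumber is not a positive integer, or if two certificates with the same issuer Name carry the same serial. The script below is an added example for this thread, not code from the list, from WoSign, or from crt.sh. It parses the DER structure of each certificate down to the serialNumber and issuer fields and reports the violations. The certificates it checks are constructed in the script itself with a small DER encoder (assumed placeholder algorithm identifier, key and signature, which the checker never validates), so it runs offline; the serial values and CA names are made up and are not the ones from the crt.sh links above.

```python
"""
Added example, not part of the original thread: check DER certificates
against RFC 5280 section 4.1.2.2, which requires serialNumber to be a
positive integer that is unique per issuer (issuer name + serial identify
exactly one certificate). The certificates are built in this file with a
minimal DER encoder (assumption: placeholder key and signature; the checker
never validates them), so the script runs offline.
"""
from collections import defaultdict


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(value):
    """INTEGER in minimal two's complement: a positive value whose top bit is
    set gets a leading 0x00; a negative value is encoded as such."""
    n = 1
    while True:
        try:
            return der(0x02, value.to_bytes(n, "big", signed=True))
        except OverflowError:
            n += 1


def der_name(cn):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with only a CN."""
    oid_cn = der(0x06, bytes([0x55, 0x04, 0x03]))        # id-at-commonName 2.5.4.3
    atv = der(0x30, oid_cn + der(0x0C, cn.encode()))      # UTF8String value
    return der(0x30, der(0x31, atv))


# AlgorithmIdentifier for sha256WithRSAEncryption with NULL parameters (placeholder).
ALG_ID = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))


def make_cert(serial, issuer_cn, subject_cn):
    """Build a syntactically valid v3 Certificate with placeholder key and signature."""
    validity = der(0x30, der(0x17, b"150410000000Z") + der(0x17, b"160410000000Z"))
    spki = der(0x30, ALG_ID + der(0x03, b"\x00" * 9))     # placeholder public key
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + ALG_ID
              + der_name(issuer_cn) + validity + der_name(subject_cn) + spki)
    return der(0x30, tbs + ALG_ID + der(0x03, b"\x00" * 5))  # placeholder signature


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def issuer_and_serial(cert_der):
    """Walk Certificate -> tbsCertificate -> [version] serialNumber signature issuer."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, body, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                       # version [0] is optional (absent in v1)
        tag, body, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(body, "big", signed=True)  # sign bit honoured, as in DER
    _, _, pos = read_tlv(tbs, pos)        # signature AlgorithmIdentifier, skipped
    _, issuer, _ = read_tlv(tbs, pos)     # issuer Name kept as raw DER for comparison
    return issuer, serial


def check_serials(certs):
    """Return (non_positive, duplicates): indices of certs whose serial is not
    a positive integer, and groups of indices sharing one (issuer, serial)."""
    by_key = defaultdict(list)
    non_positive = []
    for i, c in enumerate(certs):
        issuer, serial = issuer_and_serial(c)
        if serial <= 0:
            non_positive.append(i)
        by_key[(issuer, serial)].append(i)
    duplicates = [idx for idx in by_key.values() if len(idx) > 1]
    return non_positive, duplicates


# Constructed sample: one issuer reuses a serial for three subjects (violation),
# the same serial appears once under a second issuer (allowed, since uniqueness
# is per issuer), and one certificate carries a negative serial (violation).
SAMPLE = [
    make_cert(0x1234, "Example CA 1", "a.example"),
    make_cert(0x1234, "Example CA 1", "b.example"),
    make_cert(0x1234, "Example CA 1", "c.example"),
    make_cert(0x1234, "Example CA 2", "d.example"),
    make_cert(-5, "Example CA 2", "e.example"),
    make_cert(0x42, "Example CA 2", "f.example"),
]

if __name__ == "__main__":
    print(check_serials(SAMPLE))
```

The issuer is compared as raw DER rather than as a decoded string, which is what RFC 5280's "issuer name and serial number" pairing means in practice: two Names that differ only in encoding are different issuers to a relying party. Running the same check over certificates pulled from a CT log by issuer would surface the kind of collision Peter describes.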
