On Monday, September 5, 2016 at 3:58:34 PM UTC-7, Peter Bowen wrote:
> On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> > Several incidents have come to our attention involving the CA "WoSign".
> > Mozilla is considering what action it should take in response to these
> > incidents. This email sets out our understanding of the situation.
> >
> > Before we begin, we note that Section 1 of the Mozilla CA Certificate
> > Enforcement Policy[0] says: "When a serious security concern is noticed,
> > such as a major root compromise, it should be treated as a
> > security-sensitive bug, and the Mozilla Policy for Handling Security
> > Bugs should be followed." It is clear to us, and appears to be clear to
> > other CAs based on their actions, that misissuances where domain control
> > checks have failed fall into the category of "serious security concern".
>
> Gerv and team,
>
> In addition to the direct impact, I note that WoSign is the subject of
> cross-signatures from a number of other CAs that chain back to roots
> in the Mozilla program (or were in the program). For example:
>
> Cross issued to /C=CN/O=WoSign CA Limited/CN=CA \xE6\xB2\x83\xE9\x80\x9A\xE6\xA0\xB9\xE8\xAF\x81\xE4\xB9\xA6 by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority expiring 2019-12-31T23:59:59Z
>
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:01:59Z
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign G2 by /C=PL/O=Unizeto Sp. z o.o./CN=Certum CA expiring 2020-11-02T01:59:59Z
>
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring 2019-06-24T19:06:30Z
> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring 2019-07-09T18:40:36Z
>
> I have two questions:
>
> 1) Should any action be taken against the operators of these CAs due
> to the incidents listed?
>
> My view is that the correct answer is "no, unless it is demonstrated
> that the CA operator had knowledge of undisclosed incidents", as I
> believe that the issuer should be able to rely upon the audit reports
> and continued inclusion in the Mozilla trust store as prima facie
> evidence of compliance with Mozilla policy.
>
> 2) If Mozilla decides to take action that results in WoSign no longer
> being directly trusted, do those CAs with unrevoked unexpired
> cross-signs bear responsibility for any future mis-issuance by WoSign?
>
> My view is the answer is yes, as WoSign would be a subordinate CA
> rather than a peer being cross-signed. The Mozilla policy makes it
> clear that "All certificates that are capable of being used to issue
> new certificates, and which directly or transitively chain to a
> certificate included in Mozilla’s CA Certificate Program, MUST be
> operated in accordance with Mozilla’s CA Certificate Policy".
>
> Thanks,
> Peter
Peter, I totally agree with your answers. However, relating to question 2, if WoSign is restricted to a set of white-listed certs or revoked, I think the restriction should apply regardless of whether the cert is cross-signed or not. This will render question 2 moot, as other CAs are effectively only cross-signing the set of white-listed certs. No certs will be trusted anyway if WoSign is outright revoked either. I guess the only situation is that some future (misused) certs will be trusted by products that haven't implemented the whitelist approach, e.g. by iOS. Then I agree the other root certs should be treated as a subordinate CA.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
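The point both posts circle around (a cross-signed CA keeps chaining to other roots after its own root is removed, so any restriction has to attach to the CA itself rather than to one root certificate) is easy to see with a small path builder. The following is an added example written for this thread, not code from Mozilla or any of the CAs named; the certificate records are constructed and simplified (no signatures, and subject names stand in for public keys, where a real client would key its distrust on the SPKI hash). Only the StartCom cross-sign expiry, 2019-12-31T23:59:59Z, is taken from Peter's list; the root and leaf dates, the leaf name and the fingerprint are placeholders, and `build_paths`, `policy_allows`, `accepted_paths` and `scenarios` are names chosen here.

```python
"""Toy X.509 path builder: why a distrust must be keyed on the CA, not on
one root certificate, once cross-signatures exist.  Added example; records
are constructed, names stand in for keys, no signatures are checked."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_after: str          # UTC ISO 8601, e.g. "2019-12-31T23:59:59Z"
    is_ca: bool = False
    fingerprint: str = ""   # constructed leaf identifier used by the whitelist


def unexpired(cert: Cert, when: str) -> bool:
    # Same-format UTC timestamps sort lexicographically, so a string compare is safe.
    return when <= cert.not_after


def build_paths(leaf, pool, anchors, when):
    """All chains leaf -> ... -> trust anchor whose members are unexpired at `when`.
    A link is accepted when the child's issuer name equals the parent's subject."""
    paths = []

    def walk(path):
        top = path[-1]
        for anchor in anchors:
            if anchor.subject == top.issuer and unexpired(anchor, when):
                paths.append(path + [anchor])
        for cand in pool:   # intermediates and cross-certificates
            if (cand.is_ca and cand.subject == top.issuer
                    and cand not in path and unexpired(cand, when)):
                walk(path + [cand])

    if unexpired(leaf, when):
        walk([leaf])
    return paths


def policy_allows(path, distrusted_cas, whitelist):
    """Reject a path that passes through a distrusted CA unless the leaf is
    whitelisted.  Every CA in the path is inspected by identity, so a
    cross-sign from a still-trusted root does not reopen trust."""
    if path[0].fingerprint in whitelist:
        return True
    return not any(c.subject in distrusted_cas for c in path[1:])


def accepted_paths(leaf, pool, anchors, when,
                   distrusted_cas=frozenset(), whitelist=frozenset()):
    return [p for p in build_paths(leaf, pool, anchors, when)
            if policy_allows(p, distrusted_cas, whitelist)]


# Constructed records modelled on the StartCom cross-sign from the thread.
# Root and leaf dates, the leaf name and the fingerprint are placeholders;
# only the cross-certificate expiry comes from the message.
WOSIGN_ROOT = Cert("WoSign CA", "WoSign CA", "2039-01-01T00:00:00Z", is_ca=True)
STARTCOM_ROOT = Cert("StartCom CA", "StartCom CA", "2036-01-01T00:00:00Z", is_ca=True)
CROSS = Cert("WoSign CA", "StartCom CA", "2019-12-31T23:59:59Z", is_ca=True)
LEAF = Cert("www.example.test", "WoSign CA", "2020-12-31T23:59:59Z",
            fingerprint="LEAF-FP-1")


def scenarios():
    """Number of accepted chains for the leaf under each trust configuration."""
    pool = [CROSS]
    both = {WOSIGN_ROOT, STARTCOM_ROOT}
    no_wosign = {STARTCOM_ROOT}
    t = "2017-06-01T00:00:00Z"
    return {
        "both roots trusted": len(accepted_paths(LEAF, pool, both, t)),
        "WoSign root removed only": len(accepted_paths(LEAF, pool, no_wosign, t)),
        "WoSign CA distrusted by identity": len(accepted_paths(
            LEAF, pool, no_wosign, t, distrusted_cas={"WoSign CA"})),
        "distrusted but leaf whitelisted": len(accepted_paths(
            LEAF, pool, no_wosign, t, distrusted_cas={"WoSign CA"},
            whitelist={"LEAF-FP-1"})),
        "cross-sign expired": len(accepted_paths(
            LEAF, pool, no_wosign, "2020-06-01T00:00:00Z")),
    }


if __name__ == "__main__":
    for name, count in scenarios().items():
        print(f"{name}: {count} chain(s)")
```

Removing the WoSign root alone leaves one chain through the StartCom cross-certificate, which is the gap question 2 is about; a rule keyed on the CA's identity closes it on every path, and the whitelist reopens it only for the named leaf. The last scenario shows the other way the cross-sign stops mattering: once it expires, the chain through StartCom disappears on its own.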