Hi Peter. Since you mentioned Comodo's cross-certification of the "Certification Authority of WoSign" root, we thought we should respond...
On 05/09/16 23:58, Peter Bowen wrote: <snip> > Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST > Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring > 2019-06-24T19:06:30Z This cross-certificate [1] is currently unexpired and unrevoked. However... The "UTN - DATACorp SGC" root was removed from NSS last year [2]. "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External CA Root" root [3], but we revoked the cross-certificates in December 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as revoked to Salesforce [5]. (I don't know why Mozilla haven't yet added these to OneCRL. A few weeks ago I marked Bug 1233408 as blocking Bug 1155095 in the hope that it would get noticed!) > Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST > Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring > 2019-07-09T18:40:36Z These two cross-certificates [6] are currently unexpired and unrevoked. However... The "UTN-USERFirst-Object" root is only enabled for the Code Signing trust bit in NSS, which AIUI has been effectively dead for about a year [7]. There are 2 cross-certs (currently unconstrained and unrevoked) issued by "AddTrust External CA Root" to "UTN-USERFirst-Object" [8]. However, the cross-certs issued to WoSign [6] are EKU-constrained to Code Signing / Time Stamping. <snip> > 1) Should any action be taken against the operators of these CAs due > to the incidents listed? > > My view is that the correct answer is "no, unless it is demonstrated > that the CA operator had knowledge of undisclosed incidents", Comodo only learned of these incidents after they had been publicly disclosed. <snip> > 2) If Mozilla decides to take action that results in WoSign no longer > being directly trusted, do those CAs with unrevoked unexpired > cross-signs bear responsibility for any future mis-issuance by WoSign? Comodo will continue to work to ensure that Mozilla's trust decisions are respected. [1] https://crt.sh/?id=3223853 [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1208461 [3] https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1 [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1233408 [5] https://crt.sh/mozilla-disclosures#revoked [6] https://crt.sh/?q=Certification+Authority+of+WoSign&iCAID=1395 [7] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html [8] https://crt.sh/?q=UTN-USERFirst-Object&iCAID=1 -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy