On 06/09/2016 19:49, Jonathan Rudenberg wrote:

On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote:

I thought Wosign's report is not very convincing. The subdomain bug has 
existed for a long time, and it made me feel it was a feature, not a bug. It's not 
a secret among the admins of personal or small sites. I was not very familiar with 
CA stuff at that time, just a subscriber of Wosign's free certificates. I have also 
signed a subdomain certificate without validating root domain control. But I 
controlled both of them, so I didn't think it was a very severe problem.

So I think it is very important to audit how many certificates were mis-issued by 
Wosign, because this bug was used widely when I was running websites, since Wosign 
provided FREE 3-year multi-domain certificates at that time. (We didn't have Let's 
Encrypt at that time, and Startcom just issued single-domain certificates.)

Do you believe that you have certificates issued by WoSign that include 
unvalidated domains that are not on the list in Figure 14 of the report[0]?

To clarify: validating a subdomain and issuing a certificate for it is fine, 
however it is incorrect to issue a certificate for a domain below the level 
that was validated. For example, if control of subdomain.example.com is the 
only thing validated, it would be incorrect to issue a certificate that 
included example.com or any other domains that did not end in 
.subdomain.example.com.

[0] https://www.wosign.com/report/wosign_incidents_report_09042016.pdf


Because of what hanyuwei70 wrote, I think it would be prudent to treat
two cases differently *for this case only*:

1. The validated domain was www.foo.bar and the certificate was for
www.foo.bar and foo.bar.  This case should be treated more leniently.

2. The validated domain was baz.foo.bar and the certificate was for
baz.foo.bar and foo.bar.  In this case there is no reason to believe
that the certificate customer has any right to get a certificate for
foo.bar and the certificates must be revoked instantly with no delay.

If a customer paid money for a baz.foo.bar certificate and can now
prove that they do in fact control foo.bar in addition to baz.foo.bar,
the certificate should be reissued at no extra cost, since only the
WoSign validation work was wrong, not the result.

If a customer paid money for a baz.foo.bar certificate and did not
request or use the included foo.bar certification, that customer should
be offered a baz.foo.bar-only certificate at no extra charge, provided
they can still prove control of baz.foo.bar.

If a customer actually asked for a combined baz.foo.bar + foo.bar
certificate or used the foo.bar portion of such a certificate despite
having no rights to the foo.bar domain itself, then that customer
should not be able to get a new certificate at all, since they
deliberately acted fraudulently and took advantage of WoSign's
incompetence.  This includes the security researcher(s) who requested
such certificates only to prove that WoSign's systems don't work.



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
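The scope rule Jonathan states (a validated name covers only itself and names ending in "." plus that name) and the two cases Jakob distinguishes can be checked mechanically; the following is an added example for this thread, not code from WoSign or from any of the posters, and the function names `covered_by_validation` and `classify_request` and the sample domains are constructed for illustration.

```python
# Added example (not from the thread): classify the names in a certificate
# request against the single domain whose control was actually validated.
# Rule: a name is in scope only if it is the validated domain itself or lies
# below it (compared label by label, never as a plain string suffix).
# Jakob's case 1 (validated "www.X", certificate also names "X") is flagged
# "lenient"; any other out-of-scope name is flagged "revoke" (case 2).

def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def covered_by_validation(validated: str, requested: str) -> bool:
    """True if `requested` equals the validated name or is a subdomain of it.
    Whole-label comparison keeps 'notsubdomain.example.com' from matching
    a validation of 'subdomain.example.com'."""
    v, r = _labels(validated), _labels(requested)
    return len(r) >= len(v) and r[-len(v):] == v

def classify_request(validated: str, requested: list[str]) -> dict[str, list[str]]:
    """Sort requested names into 'ok', 'lenient' and 'revoke' buckets."""
    out: dict[str, list[str]] = {"ok": [], "lenient": [], "revoke": []}
    v = _labels(validated)
    for name in requested:
        if covered_by_validation(validated, name):
            out["ok"].append(name)
        elif v[0] == "www" and _labels(name) == v[1:]:
            # validated www.foo.bar, certificate also names foo.bar (case 1)
            out["lenient"].append(name)
        else:
            # name above or outside the validated scope (case 2)
            out["revoke"].append(name)
    return out

if __name__ == "__main__":
    # constructed sample: only baz.foo.bar was validated, yet the certificate
    # also names the parent foo.bar and a look-alike bazfoo.bar
    print(classify_request("baz.foo.bar",
                           ["baz.foo.bar", "api.baz.foo.bar", "foo.bar", "bazfoo.bar"]))
```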