I think we're well past the point where a "do-over" can be considered a 
reasonable remedy. The problem is not simply one in which certs were issued 
improperly nor is it simply one in which there were mistakes in the CA 
infrastructure. Such problems, I think, could fall under a category where 
starting over with new roots, new audits, etc. would seem acceptable. 

Rather, what we have here is basically a rogue operator that has threatened the 
trust and integrity of the global PKI system. Their conduct has undermined 
efforts to establish and maintain security on the Internet (e.g. backdating 
SHA-1 certs). Their conduct has flaunted rules and regulations for reasons that 
are still to this day not fully understood (e.g. ownership and problems with 
the auditing). Their conduct has caused undue consternation to web site owners 
(e.g. github) due to cert mis-issuance. Their conduct has put their own 
customers in a difficult position as they must now consider obtaining new certs 
for their websites.

Starting over with new roots won't remedy these problems.

  Original Message  
From: Stephen Schrauger
Sent: Tuesday, September 27, 2016 7:32 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign and StartCom

> > Should StartCom/WoSign be permitted to re-apply using the same roots,
> > or would they need new roots?
> 
> New roots. Considering the extent to which StartCom/WoSign have
> mismanaged things, there could be further misissued certificates
> chaining to their roots that we don't know about. The only way to
> protect the ecosystem from such certificates is to require new roots -
> roots that have only ever operated under the new audits that will be
> required by Mozilla.
> 
> Regards,
> Andrew

I agree that they should need new roots. But on top of the points Andrew makes, 
it would also require StartCom and WoSign to get cross-signed if they wish to 
continue supporting older devices that lack their new roots. 

They would have to regain the trust of another root CA who would be willing to 
cross-sign their new roots. Or else StartCom and WoSign would have to accept 
that new certificates created under their new root may not work on older 
devices, since older computers and embedded devices aren't always able to 
update their root stores.

Assuming they want new certificates to work on older devices, I imagine the 
need to be cross-signed would create another point of trust, since another CA 
willing to cross-sign would do their own audit and have added requirements.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
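The cross-signing mechanism Stephen describes, shown concretely with a throw-away PKI. This is an added example and is not code from the thread or from either CA; the names ("Old Root", "New Root", leaf.example) are invented, and the only assumption is that the openssl command-line tool is installed. It builds an old, already-trusted root, a new root, a cross-certificate for the new root's key signed by the old root, and a leaf issued by the new root, then validates the leaf against a root store that contains only the old root, with and without the cross-certificate in the served chain.

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread: a throw-away PKI that
# shows why a CA moving to a brand-new root needs a cross-sign from an
# already-trusted root to keep working on devices whose root store was never
# updated. Names ("Old Root", "New Root", leaf.example) are invented.
# Needs only the openssl command-line tool.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Extensions for CA certificates (both self-signed roots and the cross-cert).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
# Extensions for the end-entity certificate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:leaf.example\n' \
  > "$WORK/leaf.ext"

# make_root STEM CN: self-signed root named CN, stored as STEM.key / STEM.crt.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# cross_sign: a certificate carrying the New Root's key and name but signed
# by the Old Root. Because subject and key match the new self-signed root,
# a leaf issued by the new root chains to either certificate.
cross_sign() {
  openssl req -new -key "$WORK/newroot.key" -subj "/CN=New Root" \
    -out "$WORK/cross.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/cross.csr" -CA "$WORK/oldroot.crt" \
    -CAkey "$WORK/oldroot.key" -CAcreateserial -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/cross.crt" 2>/dev/null
}

# issue_leaf: server certificate issued directly by the New Root.
issue_leaf() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -subj "/CN=leaf.example" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/newroot.crt" \
    -CAkey "$WORK/newroot.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

build_pki() {
  make_root oldroot "Old Root"   # what an old device already trusts
  make_root newroot "New Root"   # the CA's fresh, post-incident root
  cross_sign
  issue_leaf
}

# verify_leaf TRUSTED CHAIN: validate leaf.crt with TRUSTED as the only entry
# in the root store and CHAIN as the intermediate the server would send.
# Returns 0 when the chain validates, non-zero otherwise.
verify_leaf() {
  openssl verify -no-CApath -CAfile "$WORK/$1" -untrusted "$WORK/$2" \
    "$WORK/leaf.crt" >/dev/null 2>&1
}

# report LABEL TRUSTED CHAIN: print the outcome of one validation scenario.
report() {
  if verify_leaf "$2" "$3"; then echo "$1: OK"; else echo "$1: FAIL"; fi
}

build_pki
report "updated device (trusts New Root), server sends new root"      newroot.crt newroot.crt
report "old device (trusts Old Root only), server sends cross-cert"   oldroot.crt cross.crt
report "old device (trusts Old Root only), server sends new root"     oldroot.crt newroot.crt
```

The first two scenarios validate; the third fails, because the only path the old device can build ends at a self-signed certificate that is not in its store. That is the position a CA with untrusted new roots is in: either some already-trusted root issues the cross-certificate (and applies its own audit and contractual requirements before doing so), or sites under the new root are unreachable from devices that never received the new root.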
