Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
that we'd issued to WoSign:

https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433

See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2

On 06/09/16 11:11, Rob Stradling wrote:
> Hi Peter.  Since you mentioned Comodo's cross-certification of the
> "Certification Authority of WoSign" root, we thought we should respond...
> 
> On 05/09/16 23:58, Peter Bowen wrote:
> <snip>
>> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority
>> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
>> Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring
>> 2019-06-24T19:06:30Z
> 
> This cross-certificate [1] is currently unexpired and unrevoked.  However...
> 
> The "UTN - DATACorp SGC" root was removed from NSS last year [2].
> 
> "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External
> CA Root" root [3], but we revoked the cross-certificates in December
> 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as
> revoked to Salesforce [5].  (I don't know why Mozilla haven't yet added
> these to OneCRL.  A few weeks ago I marked Bug 1233408 as blocking Bug
> 1155095 in the hope that it would get noticed!)
> 
>> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority
>> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST
>> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring
>> 2019-07-09T18:40:36Z
> 
> These two cross-certificates [6] are currently unexpired and unrevoked.
> However...
> 
> The "UTN-USERFirst-Object" root is only enabled for the Code Signing
> trust bit in NSS, which AIUI has been effectively dead for about a year [7].
> 
> There are 2 cross-certs (currently unconstrained and unrevoked) issued
> by "AddTrust External CA Root" to "UTN-USERFirst-Object" [8].  However,
> the cross-certs issued to WoSign [6] are EKU-constrained to Code Signing
> / Time Stamping.
> 
> <snip>
>> 1) Should any action be taken against the operators of these CAs due
>> to the incidents listed?
>>
>> My view is that the correct answer is "no, unless it is demonstrated
>> that the CA operator had knowledge of undisclosed incidents",
> 
> Comodo only learned of these incidents after they had been publicly
> disclosed.
> 
> <snip>
>> 2) If Mozilla decides to take action that results in WoSign no longer
>> being directly trusted, do those CAs with unrevoked unexpired
>> cross-signs bear responsibility for any future mis-issuance by WoSign?
> 
> Comodo will continue to work to ensure that Mozilla's trust decisions
> are respected.
> 
> 
> [1] https://crt.sh/?id=3223853
> 
> [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1208461
> 
> [3] https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1
> 
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1233408
> 
> [5] https://crt.sh/mozilla-disclosures#revoked
> 
> [6] https://crt.sh/?q=Certification+Authority+of+WoSign&iCAID=1395
> 
> [7]
> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html
> 
> [8] https://crt.sh/?q=UTN-USERFirst-Object&iCAID=1

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
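The reasoning in the quoted message (a root removed from the store, a root enabled only for the Code Signing trust bit, and cross-certs EKU-constrained to Code Signing / Time Stamping) can be modelled as a small path-acceptance check. This is an added example, not code from the thread or from Comodo: the certificate records, root-store contents and check date are constructed to mirror what the thread states, and treating EKU as intersected down the path is the validation rule I assume (it is how NSS, OpenSSL and Windows behave).

```python
from dataclasses import dataclass
from datetime import datetime, timezone

SERVER_AUTH, CODE_SIGNING, TIME_STAMPING = "serverAuth", "codeSigning", "timeStamping"
@dataclass
class Cert:
    subject: str
    issuer: str
    not_after: datetime
    eku: frozenset = frozenset()  # empty = no EKU extension = unconstrained
    revoked: bool = False         # status as seen via CRL/OCSP at check time
# Root store as {root subject: enabled trust bits}, mirroring the thread: the
# UTN-USERFirst-Object root has only the Code Signing bit, UTN - DATACorp SGC is absent.
NSS_TRUST_BITS = {"AddTrust External CA Root": {SERVER_AUTH, CODE_SIGNING},
                  "UTN-USERFirst-Object": {CODE_SIGNING}}

def trusted_for(chain, purpose, roots, now):
    """chain is leaf-first and ends at the root; returns (ok, reason). EKU is intersected
    down the path (as NSS, OpenSSL and Windows do): a codeSigning-only CA cert never anchors serverAuth."""
    allowed = {SERVER_AUTH, CODE_SIGNING, TIME_STAMPING}
    for i, cert in enumerate(chain):
        if cert.revoked:
            return False, f"{cert.subject} revoked"
        if cert.not_after <= now:
            return False, f"{cert.subject} expired"
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            return False, f"{cert.subject} does not chain to {chain[i + 1].subject}"
        if cert.eku:
            allowed &= cert.eku
    if purpose not in roots.get(chain[-1].subject, set()):
        return False, f"root {chain[-1].subject} lacks the {purpose} trust bit"
    if purpose not in allowed:
        return False, f"EKU on the path excludes {purpose}"
    return True, "trusted"

NOW = datetime(2016, 9, 6, tzinfo=timezone.utc)              # constructed check date
EXP = datetime(2019, 7, 9, 18, 40, 36, tzinfo=timezone.utc)  # expiry quoted in the thread
WOSIGN, USERFIRST, ADDTRUST = ("Certification Authority of WoSign",
                               "UTN-USERFirst-Object", "AddTrust External CA Root")
WOSIGN_EKU = frozenset({CODE_SIGNING, TIME_STAMPING})  # constraint the thread describes

def wosign_via_addtrust(purpose, cross_revoked=False):
    """WoSign cross-cert -> unconstrained UTN-USERFirst-Object cross-cert -> AddTrust root."""
    chain = [Cert(WOSIGN, USERFIRST, EXP, WOSIGN_EKU, cross_revoked),
             Cert(USERFIRST, ADDTRUST, EXP), Cert(ADDTRUST, ADDTRUST, EXP)]
    return trusted_for(chain, purpose, NSS_TRUST_BITS, NOW)

def wosign_via_userfirst_root(purpose):
    chain = [Cert(WOSIGN, USERFIRST, EXP, WOSIGN_EKU), Cert(USERFIRST, USERFIRST, EXP)]
    return trusted_for(chain, purpose, NSS_TRUST_BITS, NOW)
```

Passing `cross_revoked=True` models the revocation announced at the top of this message: once the cross-cert is revoked, even the code-signing path it previously supported no longer validates.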

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy