On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: > https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 > > On 06/09/16 11:11, Rob Stradling wrote: > > Hi Peter. Since you mentioned Comodo's cross-certification of the > > "Certification Authority of WoSign" root, we thought we should respond... > > > > On 05/09/16 23:58, Peter Bowen wrote: > > <snip> > >> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > >> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST > >> Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC expiring > >> 2019-06-24T19:06:30Z > > > > This cross-certificate [1] is currently unexpired and unrevoked. However... > > > > The "UTN - DATACorp SGC" root was removed from NSS last year [2]. > > > > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External > > CA Root" root [3], but we revoked the cross-certificates in December > > 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as > > revoked to Salesforce [5]. (I don't know why Mozilla haven't yet added > > these to OneCRL. A few weeks ago I marked Bug 1233408 as blocking Bug > > 1155095 in the hope that it would get noticed!) > > > >> Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > >> of WoSign by /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST > >> Network/OU=http://www.usertrust.com/CN=UTN-USERFirst-Object expiring > >> 2019-07-09T18:40:36Z > > > > These two cross-certificates [6] are currently unexpired and unrevoked. > > However... > > > > The "UTN-USERFirst-Object" root is only enabled for the Code Signing > > trust bit in NSS, which AIUI has been effectively dead for about a year [7]. > > > > There are 2 cross-certs (currently unconstrained and unrevoked) issued > > by "AddTrust External CA Root" to "UTN-USERFirst-Object" [8]. However, > > the cross-certs issued to WoSign [6] are EKU-constrained to Code Signing > > / Time Stamping. > > > > <snip> > >> 1) Should any action be taken against the operators of these CAs due > >> to the incidents listed? > >> > >> My view is that the correct answer is "no, unless it is demonstrated > >> that the CA operator had knowledge of undisclosed incidents", > > > > Comodo only learned of these incidents after they had been publicly > > disclosed. > > > > <snip> > >> 2) If Mozilla decides to take action that results in WoSign no longer > >> being directly trusted, do those CAs with unrevoked unexpired > >> cross-signs bear responsibility for any future mis-issuance by WoSign? > > > > Comodo will continue to work to ensure that Mozilla's trust decisions > > are respected. > > > > > > [1] https://crt.sh/?id=3223853 > > > > [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1208461 > > > > [3] https://crt.sh/?q=UTN+-+DATACorp+SGC&iCAID=1 > > > > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1233408 > > > > [5] https://crt.sh/mozilla-disclosures#revoked > > > > [6] https://crt.sh/?q=Certification+Authority+of+WoSign&iCAID=1395 > > > > [7] > > https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html > > > > [8] https://crt.sh/?q=UTN-USERFirst-Object&iCAID=1 > > -- > Rob Stradling > Senior Research & Development Scientist > COMODO - Creating Trust Online
Does this mean all end entity certs chained to them are blocked immediately? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
