On Tue, Jul 11, 2017 at 11:40 AM, Alex Gaynor <agay...@mozilla.com> wrote:

> Is this a correct summary:
>
> - The report included here is supposed to fulfill the network security
> test portion of the BRs
>

No. This is #5 from https://bugzilla.mozilla.org/show_bug.cgi?id=1311824,
and relates to the overall security design of the system which in part
stemmed from issues such as the ability to cause arbitrary (backdated)
issuance via manipulation of API parameters. That is, it's orthogonal to
the BRs, and intended to take a more systemic approach to the system design.


> - This report does not attest to BR compliance (or non-compliance)
>

Correct


> - To complete an application for the Mozilla Root Program, WoSign would be
> required to additionally provide a WebTrust audit (or equivalent, as
> described in the Mozilla PKI Policy section 3.1)
>

Correct, as required by #3 and #4.


> - Based on your reading of the complete network security test, you would
> not expect WoSign to be able to pass a BR Audit without qualifications
>

Correct.


>
> Alex
>
> On Tue, Jul 11, 2017 at 11:35 AM, Ryan Sleevi via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
>> On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
>> dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>>
>> >
>> > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
>> > dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>> > >
>> > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
>> > >>
>> > >> Please note this email topic is just for releasing the news that WoSign's
>> > >> new system passed the security audit, just for demonstration that we
>> > >> finished item 5:
>> > >> " 5. Provide auditor[3] attestation that a full security audit of the
>> > >> CA's issuing infrastructure has been successfully completed. "
>> > >> " [3] The auditor must be an external company, and approved by Mozilla. "
>> > >
>> > > It also seems a bit strange to report item 5 "successfully completed"
>> > > before we hear anything about the other items. How about starting with
>> > > item 1? What are your plans for fixing the problems?
>> >
>> > It's worth noting that the problems have not stopped yet. There are a
>> > bunch of certificates issued over the past few months from the new
>> > "StartCom BR SSL ICA" that do not comply with the Baseline Requirements,
>> > for example:
>> >
>> > https://crt.sh/?opt=cablint&q=8BDFE4A526BFB35C8A417B10F4D0ABE9E1D60D28A412539D5BC71C19B46FEF21
>> > https://crt.sh/?opt=cablint&q=124AAD38DAAC6B694D65F45226AB5152FC46D229CBC203E0814D175F39977FF3
>> > https://crt.sh/?opt=cablint&q=9B78C78B32F4AC717B3DEFDABDACC4FEFA61BFD17782B83F75ADD82241147721
>> > https://crt.sh/?opt=cablint&q=AAB0B5A08F106639A5C9D720CD37FDB30E7F337AEBAF9407FD854B5726303F7B
>> > https://crt.sh/?opt=cablint&q=9DCE6A924CE837328D379CE9B7CDF4A2BA8A0E8EC01018B9DE736EBC64442361
>> > https://crt.sh/?opt=cablint&q=62A9A9FDCDC04A043CF2CB1A5EAFE33CF9ED8796245DE4BD5250267ADEFF005A
>> > https://crt.sh/?opt=cablint&q=6A72FA5DCC253D2EE07921898B9A9BB263FD1D20FE61B1F52F939C0C1C0DCFEE
>> > https://crt.sh/?opt=cablint&q=238E2E96665748D2A05BAAEEC8BAE6AFE7B7EF4B1ADA4908354C855C385ECD81
>> > https://crt.sh/?opt=cablint&q=C11C00EB0E14EEB30567D749FFD30445E0B490D1DCA7B7E082FD1CB0A40A71C0
>> > https://crt.sh/?opt=cablint&q=4DEF4CFD21A969E8349E4428FDEC73767C01DE6127843312511B71029F4E3836
>>
>>
>> It's worth noting that, on the basis of the security audit report full
>> details shared by WoSign, the system that was security audited does not
>> comply with the Baseline Requirements, nor, as designed, can it. The system
>> would need to undergo non-trivial effort to comply with the Baseline
>> Requirements.
>> _______________________________________________
>> dev-security-policy mailing list
>> dev-security-policy@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-security-policy
>>
>
>

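The failure mode Ryan points to above, arbitrary (backdated) issuance through caller-controlled API parameters, sketched as an added example. This is not code from the thread, from WoSign or from any real CA: the request field names, the log layout and the policy constants (the validity cap, the skew tolerance) are assumptions chosen for illustration. It shows a handler that takes notBefore/notAfter from the request beside one that derives them from the CA's own clock, plus the audit-side check that would have surfaced backdating from issuance logs.

```python
"""Hypothetical CA issuance-request validator (added example, not WoSign's code).

The vulnerable handler lets the API caller choose the validity window, so a
caller can backdate notBefore and sidestep any policy keyed on issuance date.
The hardened handler makes the CA clock the only source of notBefore and fails
closed on any caller-supplied date.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
MAX_VALIDITY_DAYS = 825            # assumed policy cap for this example only
CLOCK_SKEW = timedelta(minutes=5)  # only slack allowed between notBefore and issuance time


class IssuanceError(ValueError):
    """Raised when an issuance request violates validity policy."""


def naive_validity(request, now):
    """Vulnerable: validity dates come straight from the caller.

    Only the length of the period is bounded, so any notBefore in the past is
    accepted, i.e. the caller can backdate issuance.
    """
    not_before = request.get("not_before", now)
    days = int(request.get("validity_days", 365))
    not_after = request.get("not_after", not_before + timedelta(days=days))
    if not_after <= not_before or (not_after - not_before).days > MAX_VALIDITY_DAYS:
        raise IssuanceError("validity period out of range")
    return not_before, not_after


def hardened_validity(request, now):
    """Hardened: the CA's own clock is the sole source of notBefore.

    Caller-supplied dates are rejected rather than silently ignored, and the
    requested duration is bounded by policy before it is used.
    """
    for field in ("not_before", "not_after"):
        if field in request:
            raise IssuanceError(f"caller may not set {field}")
    days = int(request.get("validity_days", 365))
    if not 1 <= days <= MAX_VALIDITY_DAYS:
        raise IssuanceError("validity_days outside policy range")
    not_before = now - CLOCK_SKEW  # small tolerance for relying-party clock drift
    return not_before, now + timedelta(days=days)


def is_rejected(handler, request, now):
    """True if the handler refuses the request with IssuanceError."""
    try:
        handler(request, now)
    except IssuanceError:
        return True
    return False


def find_backdated(issuance_log, skew=CLOCK_SKEW):
    """Audit-side check over the CA's own issuance records (assumed layout):
    flag serials whose notBefore predates the server-side issuance timestamp
    by more than the permitted skew."""
    return [entry["serial"] for entry in issuance_log
            if entry["issued_at"] - entry["not_before"] > skew]


# Constructed sample data; these are not real certificates or serials.
NOW = datetime(2017, 7, 11, 15, 40, tzinfo=UTC)
BACKDATED_REQUEST = {"not_before": datetime(2015, 12, 1, tzinfo=UTC), "validity_days": 365}
SAMPLE_LOG = [
    {"serial": "01", "issued_at": NOW, "not_before": NOW - timedelta(minutes=2)},
    {"serial": "02", "issued_at": NOW, "not_before": datetime(2015, 12, 1, tzinfo=UTC)},
]

if __name__ == "__main__":
    print("naive accepts backdated request:", not is_rejected(naive_validity, BACKDATED_REQUEST, NOW))
    print("hardened rejects backdated request:", is_rejected(hardened_validity, BACKDATED_REQUEST, NOW))
    print("backdated serials in log:", find_backdated(SAMPLE_LOG))
```

The point of the second function is that the request schema simply has no place for a date: a parameter the server ignores is still a parameter someone will eventually start honouring, so the hardened path refuses it outright. The log check is what an external auditor reviewing the issuing infrastructure (item 5 in the bug) would want to run over the CA's records, independent of what the certificates themselves claim.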