On 26/02/2018 10:27, Kurt Roeckx wrote:
> I just came across this:
> https://www.recordedfuture.com/code-signing-certificates/
> I think the most important part of it is: "we confirmed with a high
> degree of certainty that the certificates are created for a specific
> buyer per request only and are registered using stolen corporate
> identities"
I believe the claims there require investigation by the named CAs
(Comodo and Digicert (Symantec) brands) and an appropriate incident
report regarding the claimed misissuances.

These are (allegedly) genuine misissuances to entities other than
the identities named in the certificates, rather than technical
"misissuances" in violation of formal technical requirements.

These also appear to be systematic, as the alleged black market
vendors claim to obtain such misissued certificates on demand.

If the claims in that article are true, one or more vetting
procedures obviously fall short of their required effectiveness.
This may or may not be in accordance with BR and CPS minimum
procedures, but it is obviously an ongoing and true danger to the
relying parties at large.

While the Mozilla root store only cares about the EV SSL subset of
these misissuances, the EV codesign misissuances may involve failure
of procedures also used for Mozilla-trusted uses (SSL and S/MIME),
and thus should be included in incident reports.

The claims of misissuance for EV codesign certificates (only indirectly
relevant to Mozilla) are highly likely to be true, as EV codesign is
only available for SmartCard/HSM/USBToken stored private keys, making
theft of properly issued certificates near impossible.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy