On Mon, Feb 26, 2018 at 3:05 PM, Wayne Thayer via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> On Mon, Feb 26, 2018 at 12:23 PM, Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
>
> > On 26/02/2018 10:27, Kurt Roeckx wrote:
> >
> >> I just came across this:
> >>
> >> https://www.recordedfuture.com/code-signing-certificates/
> >>
> >> I think the most important part of it is: "we confirmed with a high
> >> degree of certainty that the certificates are created for a specific
> >> buyer per request only and are registered using stolen corporate
> >> identities"
> >>
> >>
> > I believe the claims there require investigation by the named CAs
> > (Comodo and Digicert (Symantec) brands) and an appropriate incident
> > report regarding the claimed misissuances.
> >
> While I agree in theory, I don't think sufficient information has been
> provided to allow a CA to investigate.
>
> > These are (allegedly) genuine misissuances to entities other than
> > the identities named in the certificates, rather than technical
> > "misissuances" in violation of formal technical requirements.
> >
> > These also appear to be systematic, as the alleged black market
> > vendors claim to obtain such misissued certificates on demand.
> >
> > If the claims in that article are true, one or more vetting
> > procedures obviously fall short of their required effectiveness.
> > This may or may not be in accordance with BR and CPS minimum
> > procedures, but it is obviously an ongoing and true danger to the
> > relying parties at large.
> >
> >
> These claims haven't been substantiated, but with multiple CAs allegedly
> vulnerable, this appears to be a weakness in the EV Guidelines.
>

I'm not sure we have sufficient information to evaluate that. The article
apparently conflates EV SSL with EV CodeSigning, the latter of which is
vastly different in nature and requirements from the former (and with the
former being relevant to the scope of the Forum's activities).

Further, it does not distinguish between the potential to obtain
correctly-validated certificates due to compromised infrastructure, or the
pre-existing set of certificates due to compromised keys or issuance
credentials.

It's these ambiguities that allow no reasonable conclusion to be made.