Sorry for a typo:

`It's another project for reselling ssl.com(no selling anymore half year ago)'s mail template`
->
`It's another project for reselling ssl.com(no selling anymore half year ago)'s certificates` ...

On Saturday, June 10, 2023 at 03:08:30 UTC+8, Xiaohui Lam wrote:

> Yes, I'm staff for HiCA, speaking on behalf of HiCA officially.
>
> Those mails are sent from our server, not from the CAs. It's another project for 
> reselling ssl.com(no selling anymore half year ago)'s mail template. 
> These projects are included in one source code repository(
> screenshot-of-eab-notification-email-source-code.png 
> <https://github-production-user-asset-6210df.s3.amazonaws.com/6964962/244780779-6318b18b-4941-4d22-87b3-640535c5649f.jpg>),
>  and the 
> email template/layout is shared between some of them. We copied the mail 
> layout/template from the ssl.com notify email and forgot to update it to our 
> information; it's not associated with ssl.com's mailing system.
>
> And  all
> On Saturday, June 10, 2023 at 02:36:09 UTC+8, Kurt Seifried wrote:
>
>> Is this an official statement from  HiCA? If so can you please provide 
>> proof that inao...@gmail.com is authorized to speak on behalf of HiCA? 
>>
>> Seriously, why do all these CAs lack the ability to host their own email?
>> On Fri, Jun 9, 2023 at 11:08 AM Xiaohui Lam <inao...@gmail.com> wrote:
>>
>>> Thanks John for sharing this topic to the dev-security forum.
>>>
>>> This is HiCA's founder, let me explain your concern, Mr John:
>>> the RCE is fully used to finish the challenge which is validated by CAs; in 
>>> other words, the ACME.sh-enrolled certificates which pass through this RCE 
>>> do comply with each CA's BR validation requirements. CA did nothing 
>>> wrong. And also, by this trick one can enroll any CA's certificate before the 
>>> acme.sh fix patch.
>>>
>>> And to Mr @mochaaP, you said to punish our team; we're NOT a public CA 
>>> or private CA (in my understanding, a CA must manage one or more PKI 
>>> infrastructures physically), [3] so clarifying the relationship of HiCA w/ 
>>> QuantumCA is not necessary, but we still told that we run HiCA inside the QuantumCA 
>>> project's source code; it's a sub-application inside it.
>>>
>>> I agree with @Andrew's opinion, CAs shouldn't take any responsibility for 
>>> the RCE incidents, or there are hundreds of acme-tools for CAs that need to be of concern.
>>> On Saturday, June 10, 2023 at 00:43:47 UTC+8, mochaaP wrote:
>>>
>>>> Hello,
>>>>
>>>> Although HiCA is not a CA itself, the person who owns HiCA seems to also own 
>>>> (or at least work for) Quantum CA[1][2]. They also confirmed that Quantum 
>>>> CA is operated by both their team and the SSL.com team[3].
>>>>
>>>> I think this probably is not as simple as a white-label intermediate CA 
>>>> being abused, rather a CA that resells their own product to themselves to 
>>>> prevent being punished for bad behaviors.
>>>>
>>>> [1]: https://github.com/xiaohuilam (see "Pinned" section)
>>>> [2]: https://github.com/quantumca (see "People" section)
>>>> [3]: https://github.com/acmesh-official/acme.sh/issues/4659#issuecomment-1584546150
>>>> (note that this person never clarified their relationship with Quantum CA 
>>>> and only replied with "So this isn't the evidence to proof HiCA is a CA 
>>>> which managed PKI.")
>>>>
>>>> Regards,
>>>> Zephyr Lykos
>>>>
>>>> On Friday, June 9, 2023 at 9:04:34 PM UTC+8 Andrew Ayer wrote:
>>>>
>>>> On Fri, 9 Jun 2023 05:42:22 -0700 (PDT) 
>>>> "John Han (hanyuwei70)" <hanyu...@gmail.com> wrote: 
>>>>
>>>> > Here is the story. 
>>>> > https://github.com/acmesh-official/acme.sh/issues/4659 
>>>> > 
>>>> > Seems like they exploited acme.sh and let user to evade certificate 
>>>> > issuing procedure. 
>>>> > 
>>>> > Do we need to discuss this? 
>>>>
>>>> The party in question (HiCA/QuantumCA) is not a certificate authority, 
>>>> and I don't see any evidence that the actual CAs in question evaded any 
>>>> validation requirements. 
>>>>
>>>> HiCA/QuantumCA is just acting as an intermediary between subscribers 
>>>> and the issuance APIs operated by actual CAs[1]. Literally anyone can 
>>>> do this and do monumentally stupid/insecure things; it's not productive 
>>>> to have a discussion every time this happens. 
>>>>
>>>> Regards, 
>>>> Andrew 
>>>>
>>>> [1] It's true they have a reseller relationship with ssl.com, who are 
>>>> operating a white-label intermediate CA with "QuantumCA" in the 
>>>> subject, but HiCA/QuantumCA are also fronting other CAs, including 
>>>> GTS, which doesn't require a reseller agreement to access their free 
>>>> ACME API, so I don't see that aspect as being productive to discuss 
>>>> either. 
>>>>
>>>> -- 
>>>
>>> You received this message because you are subscribed to the Google Groups 
>>> "dev-secur...@mozilla.org" group.
>>> To unsubscribe from this group and stop receiving emails from it, send 
>>> an email to dev-security-po...@mozilla.org.
>>>
>>> To view this discussion on the web visit 
>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/431eb7de-181e-4a32-9d22-3698bc7b0d0bn%40mozilla.org
>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/431eb7de-181e-4a32-9d22-3698bc7b0d0bn%40mozilla.org?utm_medium=email&utm_source=footer>
>>> .
>>>
>>
>>
>> -- 
>> Kurt Seifried (He/Him)
>> ku...@seifried.org
>>
>

-- 
You received this message because you are subscribed to the Google Groups 
"dev-security-policy@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dev-security-policy+unsubscr...@mozilla.org.
To view this discussion on the web visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/c699137c-5ba6-467b-8957-fdac41ff9fben%40mozilla.org.