Re: WoSign has new roots?

2016-11-23 Thread Gervase Markham
Hi Arkadiusz,

On 23/11/16 07:25, Arkadiusz Ławniczak wrote:
> WoSign, as our Partner, is entitled to sell Asseco Data Systems
> (Certum) products through its own distribution network. While the
> recently issued intermediate CA certificates are dedicated to WoSign
> as our reseller, so that WoSign can sell certificates under its own
> brand, they (private keys and HSMs) remain under the exclusive
> control of Certum. As you may see and as Richard amended previously,
> all certificates are being issued under Certum policy (as well as BR
> policy). This means that the verification of each end-entity
> certificate is implemented within Certum's systems and
> procedures. In addition, the entire infrastructure is under the
> supervision of Certum.

Thank you for this statement, which (as Nick says) is reassuring, and
explains all the relevant details.

If Certum is doing the validation, and controls the private keys and
HSMs, then I don't see that Mozilla has an objection to this business
arrangement.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: WoSign has new roots?

2016-11-23 Thread Nick Lamb
On Wednesday, 23 November 2016 07:25:28 UTC, Arkadiusz Ławniczak wrote:
> This means that the verification of each end-entity certificate is 
> implemented within the Certum's systems and procedures. In addition, the 
> entire infrastructure is under the supervision of Certum.

Thank you, this is very reassuring.


RE: WoSign has new roots?

2016-11-22 Thread Richard Wang
This is a common way for all CAs that issue many intermediate CAs for their 
resellers.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Ryan Sleevi
Sent: Wednesday, November 23, 2016 7:35 AM
To: Patrick Figel <patrick@figel.email>
Cc: Tobias Sachs <janytob...@gmail.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign has new roots?

On Tue, Nov 22, 2016 at 3:30 PM, Patrick Figel <patrick@figel.email> wrote:
> I'm a bit unclear on whether WoSign could be acting as a Registration 
> Authority for certificates issued under that intermediate and what the 
> auditing and disclosure requirements for that would be - maybe someone 
> more familiar with the BRs can comment. WoSign acting as an RA prior to 
> finishing the re-application process would be troubling given their previous 
> failures in that area.

Whether or not it's intentional, as practiced by auditors today, it's an open 
field with vastly inconsistent standards or expectations as to whether they are 
scoped in the audit.


RE: WoSign has new roots?

2016-11-22 Thread Richard Wang
Hi all,

This is the OEM certificate from Certum, Certum own and control everything with 
its own validation, you can check the test site: https://ovpretest.wosign.com 
that its CPS/CRL/OCSP/OID all belong to Certum.

I don't think WoSign can't be a reseller of another CA.

Thanks. 


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Patrick Figel
Sent: Wednesday, November 23, 2016 7:30 AM
To: Tobias Sachs <janytob...@gmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign has new roots?

On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs <janytob...@gmail.com> wrote:
> Am Dienstag, 22. November 2016 21:37:08 UTC+1 schrieb Lewis Resmond:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain 
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now 
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new 
> CA is now the target. You can find the cert mentioned there here [2] and the 
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and 
are currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent".

I assume that this means Certum holds the keys for these intermediates and 
WoSign is essentially acting as a reseller. I don't think that's something 
Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority 
for certificates issued under that intermediate and what the auditing and 
disclosure requirements for that would be - maybe someone more familiar with the 
BRs can comment. WoSign acting as an RA prior to finishing the re-application 
process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
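Richard's suggestion to look at the test site and confirm that its CPS/CRL/OCSP/OID all belong to Certum can be turned into a repeatable check. The script below is an added example, not code from this thread, from WoSign or from Certum: it builds a throwaway two-tier chain offline with openssl (the CA name, policy OID and CRL/OCSP URLs are constructed placeholders, not Certum's real values) and then extracts from the leaf the fields a relying party would compare against the issuer's published CPS: the issuer DN, the certificate policy OIDs, the CRL distribution point and the OCSP responder. These extensions are set by the issuer at signing time, not by the subscriber or reseller, which is why they identify who actually operates the CA.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway two-tier chain
# offline, then read back the fields that identify who operates the issuer.
# Every name, OID and URL below is a constructed placeholder, not Certum's.
set -eu

WORK=$(mktemp -d)
POLICY_OID="1.3.6.1.4.1.99999.1.1"        # hypothetical policy OID
CRL_URL="http://crl.example.test/ca.crl"  # hypothetical CRL distribution point
OCSP_URL="http://ocsp.example.test/"      # hypothetical OCSP responder

# Self-signed issuing CA, with its own config so the result does not depend
# on whatever the system openssl.cnf contains.
cat > "$WORK/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Issuing CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Leaf: the CSR carries only the subject. Policy, CRL and OCSP pointers are
# added by the issuer when it signs, so they reflect the issuer's operations.
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/ca.cnf" \
  -subj "/CN=ovpretest.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
certificatePolicies = $POLICY_OID
crlDistributionPoints = URI:$CRL_URL
authorityInfoAccess = OCSP;URI:$OCSP_URL
EOF
openssl x509 -req -sha256 -days 1 -in "$WORK/leaf.csr" \
  -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial \
  -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# cert_issuer FILE            -> issuer DN
cert_issuer() { openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//'; }
# cert_policy_oids FILE       -> certificate policy OIDs, one per line
cert_policy_oids() {
  openssl x509 -in "$1" -noout -ext certificatePolicies | sed -n 's/^ *Policy: *//p'
}
# cert_crl_urls FILE          -> CRL distribution point URIs, one per line
cert_crl_urls() {
  openssl x509 -in "$1" -noout -ext crlDistributionPoints | sed -n 's/^ *URI://p'
}
# cert_ocsp_urls FILE         -> OCSP responder URIs from AIA, one per line
cert_ocsp_urls() {
  openssl x509 -in "$1" -noout -ext authorityInfoAccess | sed -n 's/^ *OCSP - URI://p'
}
# chain_verifies CAFILE LEAF  -> exit status 0 if LEAF chains to CAFILE
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Stand-alone report: compare these against the CPS, CRL and OCSP the CA publishes.
printf 'issuer:   %s\n' "$(cert_issuer "$WORK/leaf.pem")"
printf 'policies: %s\n' "$(cert_policy_oids "$WORK/leaf.pem")"
printf 'crl:      %s\n' "$(cert_crl_urls "$WORK/leaf.pem")"
printf 'ocsp:     %s\n' "$(cert_ocsp_urls "$WORK/leaf.pem")"
chain_verifies "$WORK/ca.pem" "$WORK/leaf.pem" && echo 'chain:    OK'
```

To run the same check against a live site, save the chain with `openssl s_client -connect host:443 -showcerts` and point the four extraction functions at the leaf and intermediate PEM files; whether the intermediate appears in CT logs is a separate, network-dependent lookup and is not covered here.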


Re: WoSign has new roots?

2016-11-22 Thread Ryan Sleevi
On Tue, Nov 22, 2016 at 3:30 PM, Patrick Figel  wrote:
> I'm a bit unclear on whether WoSign could be acting as a Registration
> Authority for certificates issued under that intermediate and what the
> auditing and disclosure requirements for that would be - maybe someone
> more familiar with the BRs can comment. WoSign acting as an RA prior to
> finishing the re-application process would be troubling given their
> previous failures in that area.

Whether or not it's intentional, as practiced by auditors today, it's
an open field with vastly inconsistent standards or expectations as to
whether they are scoped in the audit.


Re: WoSign has new roots?

2016-11-22 Thread Patrick Figel
On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs  wrote:
> Am Dienstag, 22. November 2016 21:37:08 UTC+1 schrieb Lewis Resmond:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain 
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now 
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new 
> CA is now the target. You can find the cert mentioned there here [2] and the 
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and are
currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent".

I assume that this means Certum holds the keys for these intermediates and
WoSign is essentially acting as a reseller. I don't think that's something
Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority
for certificates issued under that intermediate and what the auditing and
disclosure requirements for that would be - maybe someone more familiar with
the BRs can comment. WoSign acting as an RA prior to finishing the re-application
process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts


Re: WoSign has new roots?

2016-11-22 Thread Tobias Sachs
Am Dienstag, 22. November 2016 21:37:08 UTC+1 schrieb Lewis Resmond:
> Hello,
> 
> I just noticed the following announcement by WoSign:
> 
> https://www.wosign.com/english/News/certificate_pre.htm
> 
> If I understand correctly, they now have new root certificates which chain up 
> to Certum, which is in the root storage.
> 
> What does that mean in particular? Are the previously taken sanctions now 
> useless?

According to this comment [1] I think yes. But this means also that the new CA 
is now the target. You can find the cert mentioned there here [2] and the 
intermediate here [3] which is not in the CT logs...


[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309707#c11
[2] https://crt.sh/?id=53689359
[3] 
https://censys.io/certificates/c0ab07d9071a4cc1d34409178f8bca058310a8b111ddcfa655658760226f50f9



WoSign has new roots?

2016-11-22 Thread Lewis Resmond
Hello,

I just noticed the following announcement by WoSign:

https://www.wosign.com/english/News/certificate_pre.htm

If I understand correctly, they now have new root certificates which chain up 
to Certum, which is in the root storage.

What does that mean in particular? Are the previously taken sanctions now 
useless?