Re: WoSign has new roots?
Hi Arkadiusz,

On 23/11/16 07:25, Arkadiusz Ławniczak wrote:
> WoSign, as our Partner, is entitled to sell Asseco Data Systems
> (Certum) products through its own distribution network. While
> recently issued intermediate CAs certificates are dedicated to WoSign
> as our reseller, so that WoSign can sell certificates under its own
> brand, they (private keys and HSMs) remain under the exclusive
> control of Certum. As you may see and as Richard amended previously,
> all certificates are being issued under Certum policy (as well as BR
> policy). This means that the verification of each end-entity
> certificate is implemented within the Certum's systems and
> procedures. In addition, the entire infrastructure is under the
> supervision of Certum.

Thank you for this statement, which (as Nick says) is reassuring, and explains all the relevant details. If Certum is doing the validation, and controls the private keys and HSMs, then I don't see that Mozilla has an objection to this business arrangement.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: WoSign has new roots?
On Wednesday, 23 November 2016 07:25:28 UTC, Arkadiusz Ławniczak wrote:
> This means that the verification of each end-entity certificate is
> implemented within the Certum's systems and procedures. In addition, the
> entire infrastructure is under the supervision of Certum.

Thank you, this is very re-assuring.
RE: WoSign has new roots?
This is a common way for all CAs that issued many intermediate CAs for its resellers.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi
Sent: Wednesday, November 23, 2016 7:35 AM
To: Patrick Figel <patrick@figel.email>
Cc: Tobias Sachs <janytob...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign has new roots?

On Tue, Nov 22, 2016 at 3:30 PM, Patrick Figel <patrick@figel.email> wrote:
> I'm a bit unclear on whether WoSign could be acting as a Registration
> Authority for certificates issued under that intermediate and what the
> auditing and disclosure requirements for that would be - maybe someone
> more familiar with the BRs can comment. WoSign acting as a RA prior to
> finishing the re-application process would be troubling given their previous
> failures in that area.

Whether or not it's intentional, as practiced by auditors today, it's an open field with vastly inconsistent standards or expectations as to whether they are scoped in the audit.
RE: WoSign has new roots?
Hi all,

This is the OEM certificate from Certum. Certum owns and controls everything with its own validation; you can check the test site https://ovpretest.wosign.com that its CPS/CRL/OCSP/OID all belong to Certum.

I don't think WoSign can't be a reseller of another CA.

Thanks.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Patrick Figel
Sent: Wednesday, November 23, 2016 7:30 AM
To: Tobias Sachs <janytob...@gmail.com>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign has new roots?

On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs <janytob...@gmail.com> wrote:
> On Tuesday, 22 November 2016 21:37:08 UTC+1, Lewis Resmond wrote:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new
> CA is now the target. You can find the cert mentioned there here [2] and the
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and are currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent". I assume that this means Certum holds the keys for these intermediates and WoSign is essentially acting as a reseller. I don't think that's something Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority for certificates issued under that intermediate and what the auditing and disclosure requirements for that would be - maybe someone more familiar with the BRs can comment. WoSign acting as a RA prior to finishing the re-application process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
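Richard's point above is that a reseller-branded intermediate's CPS/CRL/OCSP endpoints should all belong to the CA that actually operates it. The Go program below is an added example, not code from this thread or from either CA: it builds a constructed, self-signed stand-in for such an intermediate (the organization name, domain names and URLs are made up for the example, not the real Certum or WoSign values) and lists every OCSP, CA-issuers or CRL URL whose host is outside the domain the operating CA is expected to run, which is the kind of discrepancy a relying party would want to ask about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// ForeignEndpoints lists every OCSP, CA-issuers and CRL URL in cert whose host is neither operatorDomain nor a subdomain of it.
func ForeignEndpoints(cert *x509.Certificate, operatorDomain string) []string {
	var foreign []string
	for _, raw := range append(append(append([]string{}, cert.OCSPServer...), cert.IssuingCertificateURL...), cert.CRLDistributionPoints...) {
		u, err := url.Parse(raw)
		if err != nil || u.Hostname() == "" { // unparseable or host-less URL: cannot be shown to be the operator's
			foreign = append(foreign, raw)
			continue
		}
		h := strings.ToLower(u.Hostname())
		if h != operatorDomain && !strings.HasSuffix(h, "."+operatorDomain) {
			foreign = append(foreign, raw)
		}
	}
	return foreign
}

// NewTestIntermediate builds a self-signed stand-in for a reseller-branded intermediate
// (constructed for this example, not the real certificate) carrying the given OCSP and CRL URLs.
func NewTestIntermediate(ocsp, crl string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		Subject:      pkix.Name{Organization: []string{"Operator CA (constructed)"}, CommonName: "Reseller Brand OV CA"},
		IsCA:         true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		OCSPServer:   []string{ocsp}, CRLDistributionPoints: []string{crl},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To run the same check against a real intermediate, replace the constructed certificate with one loaded via `x509.ParseCertificate` from the DER you fetched from a CT log or the CA database, and pass the operating CA's domain.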
Re: WoSign has new roots?
On Tue, Nov 22, 2016 at 3:30 PM, Patrick Figel wrote:
> I'm a bit unclear on whether WoSign could be acting as a Registration
> Authority for certificates issued under that intermediate and what the
> auditing and disclosure requirements for that would be - maybe someone
> more familiar with the BRs can comment. WoSign acting as a RA prior to
> finishing the re-application process would be troubling given their
> previous failures in that area.

Whether or not it's intentional, as practiced by auditors today, it's an open field with vastly inconsistent standards or expectations as to whether they are scoped in the audit.
Re: WoSign has new roots?
On Tue, Nov 22, 2016 at 10:56 PM, Tobias Sachs wrote:
> On Tuesday, 22 November 2016 21:37:08 UTC+1, Lewis Resmond wrote:
>> Hello,
>>
>> I just noticed the following announcement by WoSign:
>>
>> https://www.wosign.com/english/News/certificate_pre.htm
>>
>> If I understand correctly, they now have new root certificates which chain
>> up to Certum, which is in the root storage.
>>
>> What does that mean in particular? Are the previously taken sanctions now
>> useless?
>
> According to this comment [1] I think yes. But this means also that the new
> CA is now the target. You can find the cert mentioned there here [2] and the
> intermediate here [3] which is not in the CT logs...

The intermediate certificates were disclosed in Mozilla's CA database[1] and are currently filed under "CP/CPS Same As Parent" and "Audits Same As Parent". I assume that this means Certum holds the keys for these intermediates and WoSign is essentially acting as a reseller. I don't think that's something Mozilla can or should object to.

I'm a bit unclear on whether WoSign could be acting as a Registration Authority for certificates issued under that intermediate and what the auditing and disclosure requirements for that would be - maybe someone more familiar with the BRs can comment. WoSign acting as a RA prior to finishing the re-application process would be troubling given their previous failures in that area.

[1]: https://mozillacaprogram.secure.force.com/CA/PublicAllIntermediateCerts
Re: WoSign has new roots?
On Tuesday, 22 November 2016 21:37:08 UTC+1, Lewis Resmond wrote:
> Hello,
>
> I just noticed the following announcement by WoSign:
>
> https://www.wosign.com/english/News/certificate_pre.htm
>
> If I understand correctly, they now have new root certificates which chain up
> to Certum, which is in the root storage.
>
> What does that mean in particular? Are the previously taken sanctions now
> useless?

According to this comment [1] I think yes. But this means also that the new CA is now the target. You can find the cert mentioned there here [2] and the intermediate here [3] which is not in the CT logs...

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309707#c11
[2] https://crt.sh/?id=53689359
[3] https://censys.io/certificates/c0ab07d9071a4cc1d34409178f8bca058310a8b111ddcfa655658760226f50f9
WoSign has new roots?
Hello,

I just noticed the following announcement by WoSign:

https://www.wosign.com/english/News/certificate_pre.htm

If I understand correctly, they now have new root certificates which chain up to Certum, which is in the root storage.

What does that mean in particular? Are the previously taken sanctions now useless?