Re: WoSign: updated report and discussion

2016-10-09 Thread 谭晓生
I also said that the official website, ordering system and certificate management 
system are different and independent, which is the major cause of the bugs from 
a technical perspective; that’s why WoSign suffered the incidents of bugs but 
StartCom hasn’t.
The validation team, customer care team and tech support team are also 
independent, which is important for the quality control of the business; that’s 
also the important reason that StartCom did well except for the 2 backdated 
certificates that were instructed by Richard Wang directly.
StartCom, as a CA for 17 years, contributed more or less to the industry and 
community. We did hire an improper person to manage the company and it has 
been fixed. Fortunately, the ordering process and CMS process are still the same 
as the original ones of StartCom. We are changing the software soon; the 
timetable will be released this week.
Please give a chance to StartCom.

Thanks,
Xiaosheng Tan



On 2016/10/10 at 6:43 AM, "dev-security-policy on behalf of 
Percy" wrote:

Tan said,  for StartCom and WoSign’s infrastructure, the PKI servers 
were/are shared, the CRL/OCSP, TSA code were cloned and the StartCom and WoSign 
shared the software development team. 

Also some management team are shared I assume since Richard Wang approved 
Tyro's backdated cert from StartCom.

As we saw, most problems discovered are either due to software 
development (issue F,H,L,N,V) or management (issue S,P,R). And those teams were 
shared between WoSign and StartCom at the time of the incidents. Consequently, 
at the time of the incidents, they're the same entity with regards to those 
issues. So I agree with the opinion that "If their 
operations are, in the future, functionally separated, then they can be 
considered for reinclusion separately.  However, for the purposes of what to 
do about them over *past* actions, when they were a single operational 
entity, their actions should be considered as such."
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy



Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-09 Thread Matt Palmer
On Fri, Oct 07, 2016 at 09:05:37PM +0200, Jakob Bohm wrote:
> On 07/10/2016 19:14, Kathleen Wilson wrote:
> >On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote:
> >>It isn't
> >>clear to me that the subordinate CA disclosure rule even applies to
> >>e-mail only roots.
> >
> >We consider roots with only the email trust bit enabled to be technically
> >constrained, such that their subCAs don't need to be disclosed.
> 
> But they are not constrained as to what e-mail addresses they can
> certify and at what trust level.  An EV-like e-mail certificate (in
> mozilla terms) is usually the same as an e-signature legally binding
> person certificate (in national/regional legislative terms), making
> them in some ways much more powerful than web certificates.

Is there any legislation that says, "any trust anchor in the Mozilla store
with the e-mail trust bit turned on is automatically a valid signature trust
anchor", though?  I'd expect that legislative frameworks would be at least a
*little* more prescriptive in their standards for identity verification for
digital signatures, and a trust anchor's compliance with *those* standards
would be far more important than whether or not it's in the Mozilla trust
store.

That's not to say that having more rigorous standards for inclusion in the
Mozilla root store with e-mail bit enabled wouldn't be good to have, but I
doubt that "legally binding e-signature" is a meaningful argument.

- Matt


Re: WoSign: updated report and discussion

2016-10-09 Thread Percy
Tan said,  for StartCom and WoSign’s infrastructure, the PKI servers were/are 
shared, the CRL/OCSP, TSA code were cloned and the StartCom and WoSign shared 
the software development team. 

Also some management team are shared I assume since Richard Wang approved 
Tyro's backdated cert from StartCom.

As we saw, most problems discovered are either due to software development (issue 
F,H,L,N,V) or management (issue S,P,R). And those teams were shared between 
WoSign and StartCom at the time of the incidents. Consequently, at the time of 
the incidents, they're the same entity with regards to those issues. So I agree 
with the opinion that "If their 
operations are, in the future, functionally separated, then they can be 
considered for reinclusion separately.  However, for the purposes of what to 
do about them over *past* actions, when they were a single operational 
entity, their actions should be considered as such."


Re: WoSign: updated report and discussion

2016-10-09 Thread Matt Palmer
On Sun, Oct 09, 2016 at 08:47:59AM -0700, Peter Bowen wrote:
> I think the proposal from 360 to operate WoSign and StartCom as
> separate subsidiaries is interesting and something that is well worth
> reviewing if/when they apply to rejoin the program.  However that does
> not change the past.  WoSign and StartCom were, at least as of a month
> ago, under common control with WoSign owning and directing operations
> of StartCom.  Therefore I think they must be treated as one when
> reviewing what actions to take as a result of their past behavior.

This is my stance, too.  StartCom and WoSign have shared, and currently
share, technical, administrative, and management functions.  If their
operations are, in the future, functionally separated, then they can be
considered for reinclusion separately.  However, for the purposes of what to
do about them over *past* actions, when they were a single operational
entity, their actions should be considered as such.

- Matt


Re: WoSign and StartCom: next steps

2016-10-09 Thread Eddy Nigg

On 10/07/2016 12:38 PM, Gervase Markham wrote:

> I am a little surprised it hasn't appeared by now. We did not agree a
> specific deadline, but my impression was that it would appear in a few
> days, which I mentally interpreted as "by the end of the week". Today is
> Friday, so there is still time for my vague expectations to be met :-)
>
> I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
> can give a status update and an estimated time of publication?


Hi Gerv,

I'm sorry for the somewhat late reply due to holidays/weekends and 
flight connections of the participants of the meeting. First thanks for 
hosting the meeting and I'm sorry that I personally couldn't attend.


WoSign already provided its incident report which includes basically 
most information regarding the various issues and failures. There were 
parts of the proposed steps mentioned already, hereby I'm trying to 
summarize it. Next week we'll add sub sections and dates to it:



1)  Legal Structure - Separation of StartCom and Wosign's legal 
structure - StartCom reports directly to Qihoo 360.


2)  Management / Board - Mr. Tan is appointed Chairman of StartCom, 
Inigo Barreira appointed CEO/Director of StartCom.


3)  Team / Operations - Tan and Inigo work to separate StartCom and 
Wosign verification, development and management teams. Basically any 
previously shared functions (where they existed) will be separated.


4)  System / Software - Any shared infrastructure will be separated 
from WoSign, current code base will be reviewed by Qihoo 360 and audited 
internally. StartCom makes the systems available for an external 
security audit as necessary.


5)  All certificates past, present and future will be logged with CT 
compliant log servers.


6)  Public Documentation - StartCom will present its near-term plan 
and update as it progresses.



Item 6 is currently the outlined steps above, plus most specifications, 
sub steps, specific dates in particular for items 3 and 4. I assume that 
steps and promises StartCom commits to will be auditable and/or easy to be 
confirmed.


I assume that Inigo will report to the mailing list sometimes directly 
too in order to update on the progress.


--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. 
XMPP:   start...@startcom.org 
