Deception (was: WoSign: updated report and discussion)

I agree that it probably is not worth dwelling on the "Andy Ligg question" in particular but I think there is a broader issue at play which is worth addressing: deception. I think there is ample evidence that WoSign engaged in a deliberate, persistent, and extensive campaign of deception

Re: WoSign: updated report and discussion

On 11/10/16 15:08, Nick Lamb wrote: > Mozilla could choose to do that too, and agree that when a new CA is > added to NSS it will use the Mozilla CA (trusted but never used to > issue end entity certificates) to cross sign the new CA. The > resulting certificate could be included in chains for the

Re: Incidents involving the CA WoSign

Don't sell your namesake domain short! Sure, the Google domains are subject to different types of attacks than ‎most others but any domain with a cert has value. For example, I'd be happy to use gerv.net as a landing page for my spam campaign or as a phishing site or, even better, as a host for

Re: WoSign: updated report and discussion

On Tue, Oct 11, 2016 at 7:08 AM, Nick Lamb wrote: > > Some of the major root trust stores (e.g. Microsoft, Apple) also operate > their own root CA, which they include in that store, for internal purposes at > least. I believe none of them is trusted by another root trust

Re: WoSign: updated report and discussion

On Tuesday, 11 October 2016 09:47:20 UTC+1, Gervase Markham wrote: > I guess you could ask a trusted competitor to generate them on new > hardware and hold the HSMs securely, then you include the roots in > Firefox straight away, and then only tell the competitor to release the > HSMs to CA Foo

Re: WoSign: updated report and discussion

Process to apply a SSL certificate of StartCom: Step 1. StartCom customer sign-in his/her account on official website of StartCom; Step 2. Customer do the domain validation via “Validations Wizard”; Step 3. PKI validation system send the verification code to domain name whois admin email, the

Re: WoSign: updated report and discussion

Hi Eddy, While I have sympathy with what you say, your analysis is incomplete in one respect. On 11/10/16 09:41, Eddy Nigg wrote: > The problematic issue in relation to StartCom is obviously the _two > backdated SHA1 certificates_ There is also the case of StartEncrypt. While no known

Re: WoSign: updated report and discussion

On 11/10/16 02:55, Ryan Sleevi wrote: > CAs would and could address that continuinity by signing their new > root with their old (distrusted) root, and only issuing certificates > with the new root, while the old root fades into obsolecence. > > This offers continuity because the certs issued by

Re: WoSign: updated report and discussion

On 11/10/16 01:04, Kathleen Wilson wrote: > I think what you are saying is that the CA needs to re-apply for > inclusion with new root certificates (not their old root certs). > Correct? If yes, I am inclined towards that idea too. I've heard that > it would cause continuity issues, but I don't

Re: WoSign: updated report and discussion

Hi Kathleen, On 10/10/2016 09:39 PM, Kathleen Wilson wrote: I would like to remind everyone that when making decisions about what to do about CA mis-issuance, it is expressly *not* a goal for me to mete out punishment. Rather, my primary goal is to help keep end-users safe, based on the

Re: WoSign: updated report and discussion

On Tuesday, 11 October 2016 01:04:14 UTC+1, Kathleen Wilson wrote: > Why do we need a minimum of 1 year? > What purpose does that serve? > If they meet all our requirements earlier, why couldn't we discuss it earlier > than 1 year? The exact period of one year is of course arbitrary. However I

Re: WoSign: updated report and discussion

On 10/10/16 23:00, Ryan Hurst wrote: > I also believe there are a few core questions that are relevant to > “what it depends on”, these include: Is it reasonable for the > operational and technical failures StartCom made prior to the > acquisition to be handled as a separate incident? I presume