Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Eric Mill
On Mon, Oct 31, 2016 at 8:29 PM, Percy  wrote:

> On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote:
> > According to their CPS (Chinese version 3.2 Jul.2016),
> >
> > 1. All CAs can issue SM2 certificates and use the SM3 hash.
> >
> > 2. There is a "signing key" generated by the subscriber and an "encryption
> key" generated by CFCA which is transmitted to the subscriber.
> >
> > 3. For SSL certificates, the longest valid duration is 5 years, which is
> much more than 39 months.
> >
> > Are those conflicting with Mozilla's policy?
>
> https://www.ssllabs.com/ssltest/analyze.html?d=www.cfca.com.cn
>
> This server is vulnerable to the OpenSSL Padding Oracle vulnerability
> (CVE-2016-2107) and insecure. Grade set to F.
>
> Rather ironical for a CA's official site, isn't it?
>

But off-topic for this thread.





-- 
konklone.com | @konklone 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Percy
On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote:
> According to their CPS (Chinese version 3.2 Jul.2016),
> 
> 1. All CAs can issue SM2 certificates and use the SM3 hash.
> 
> 2. There is a "signing key" generated by the subscriber and an "encryption key" 
> generated by CFCA which is transmitted to the subscriber.
> 
> 3. For SSL certificates, the longest valid duration is 5 years, which is much 
> more than 39 months.
> 
> Are those conflicting with Mozilla's policy?

https://www.ssllabs.com/ssltest/analyze.html?d=www.cfca.com.cn

This server is vulnerable to the OpenSSL Padding Oracle vulnerability 
(CVE-2016-2107) and insecure. Grade set to F.

Rather ironical for a CA's official site, isn't it?
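The 5-years-versus-39-months point above is the kind of thing a relying party can check mechanically rather than by reading a CPS. The following is an added example written for this thread, not code from the list, from CFCA or from Mozilla: it pulls the Validity field out of a DER-encoded certificate with a minimal standard-library DER walker (an assumption: it handles the fixed TBSCertificate prefix and nothing more, so it is not a general X.509 parser) and compares notAfter against notBefore plus a month limit, using the 39-month figure quoted in the thread. The certificate it runs on is a constructed structural stand-in with empty Name and AlgorithmIdentifier fields and no signature, so the logic can be exercised offline.

```python
"""Check a DER certificate's validity period against a month limit.

Added example for this thread; not code from the list, CFCA or Mozilla.
Standard library only: the Validity SEQUENCE is located with a minimal
DER walker instead of a full X.509 parser (an assumption, see lead-in).
"""
import calendar
from datetime import datetime, timezone

MAX_VALIDITY_MONTHS = 39  # the limit cited in the thread

TAG_INTEGER, TAG_SEQUENCE = 0x02, 0x30
TAG_UTCTIME, TAG_GENERALIZEDTIME = 0x17, 0x18
TAG_CTX0 = 0xA0  # explicit [0] wrapper around the optional version field


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ)."""
    s = value.decode("ascii")
    if tag == TAG_UTCTIME:
        yy = int(s[:2])
        s = str(2000 + yy if yy < 50 else 1900 + yy) + s[2:]  # RFC 5280 rule
    elif tag != TAG_GENERALIZEDTIME:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime(int(s[:4]), int(s[4:6]), int(s[6:8]), int(s[8:10]),
                    int(s[10:12]), int(s[12:14]), tzinfo=timezone.utc)


def extract_validity(der):
    """Return (notBefore, notAfter). Layout walked:
    Certificate ::= SEQUENCE { tbsCertificate, ... }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber,
                                  signature, issuer, validity, ... }"""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("missing tbsCertificate")
    pos = 0
    tag, _, nxt = _read_tlv(tbs, pos)
    if tag == TAG_CTX0:  # skip version when present
        pos = nxt
    for _ in range(3):  # serialNumber, signature AlgorithmIdentifier, issuer
        _, _, pos = _read_tlv(tbs, pos)
    tag, validity, _ = _read_tlv(tbs, pos)
    if tag != TAG_SEQUENCE:
        raise ValueError("missing validity")
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def add_months(dt, months):
    """Calendar-month addition, clamping the day (Jan 31 + 1 month = Feb 28/29)."""
    year, month0 = divmod(dt.year * 12 + (dt.month - 1) + months, 12)
    day = min(dt.day, calendar.monthrange(year, month0 + 1)[1])
    return dt.replace(year=year, month=month0 + 1, day=day)


def check_validity(der, max_months=MAX_VALIDITY_MONTHS):
    """Return (compliant, notBefore, notAfter, latest_allowed_notAfter)."""
    not_before, not_after = extract_validity(der)
    latest = add_months(not_before, max_months)
    return not_after <= latest, not_before, not_after, latest


# --- constructed sample input: a structural stand-in, not a real signed cert ---
def _tlv(tag, payload):
    n = len(payload)
    if n < 128:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def build_toy_cert(not_before, not_after):
    """Minimal DER with only the fields the walker visits."""
    def utc(d):
        return _tlv(TAG_UTCTIME, d.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = (_tlv(TAG_CTX0, _tlv(TAG_INTEGER, b"\x02"))  # version v3
           + _tlv(TAG_INTEGER, b"\x01")               # serialNumber
           + _tlv(TAG_SEQUENCE, b"")                  # signature (placeholder)
           + _tlv(TAG_SEQUENCE, b"")                  # issuer (placeholder)
           + _tlv(TAG_SEQUENCE, utc(not_before) + utc(not_after)))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, tbs))


if __name__ == "__main__":
    start = datetime(2016, 7, 1, tzinfo=timezone.utc)
    for years in (3, 5):
        ok, nb, na, latest = check_validity(
            build_toy_cert(start, start.replace(year=start.year + years)))
        print(f"{nb:%Y-%m-%d} -> {na:%Y-%m-%d}: {'OK' if ok else 'EXCEEDS'} "
              f"(latest allowed {latest:%Y-%m-%d})")
```

For a real certificate, feed `check_validity` the DER bytes (a PEM file is base64 between the BEGIN/END lines); the month arithmetic is deliberately calendar-based rather than a day count, so a certificate issued on the 1st of a month and expiring on the 1st of the month 39 months later is treated as exactly at the limit.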


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 4:40:49 PM UTC-7, Percy wrote:
> Ryan,
> It's great Chrome will distrust WoSign and StartCom. Google's blog post
> stated that "Due to a number of technical limitations and concerns, Google
> Chrome is unable to trust all pre-existing certificates while ensuring our
> users are sufficiently protected from further misissuance.". Could you
> elaborate what whitelist method will Google adopt?

You should star this bug - 
https://bugs.chromium.org/p/chromium/issues/detail?id=661003 - for additional 
details.


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 5:07:06 PM UTC-7, nessun...@gmail.com wrote:
> I see that Google's response (and Apple's) is harsher than Mozilla's, by 
> categorically distrusting WoSign and StartCom without granting the option, as 
> Mozilla does, to resubmit a new CA application after a set period of time 
> through which they work to correct their flawed procedures.

(Wearing a Google hat)

Though omitted from the post, which focused on impact and options for users and 
site operators, it's not correct to conclude that it's impossible to 
re-establish trust.


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread nessuno . acasa
I see that Google's response (and Apple's) is harsher than Mozilla's, by 
categorically distrusting WoSign and StartCom without granting the option, as 
Mozilla does, to resubmit a new CA application after a set period of time 
through which they work to correct their flawed procedures. 


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
Ryan,
It's great Chrome will distrust WoSign and StartCom. Google's blog post
stated that "Due to a number of technical limitations and concerns, Google
Chrome is unable to trust all pre-existing certificates while ensuring our
users are sufficiently protected from further misissuance.". Could you
elaborate what whitelist method will Google adopt?

Furthermore, even though Google is completely blocked in China, news about
Google are mostly not censored. Is it possible for Google to have a Chinese
translation as well, especially regarding WoSign? Such translation can
accelerate the early removal process.


Percy Alpha (PGP)


On Mon, Oct 31, 2016 at 4:18 PM, Ryan Sleevi  wrote:

> On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> > The security blog about Distrusting New WoSign and StartCom Certificates
> has been published:
> >
> > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-
> startcom-certificates/
> >
> > Chinese translations of it will be posted soon.
> >
> > Thanks,
> > Kathleen
>
> Google has now posted its response, in light of the findings and
> discussion helpfully driven by Mozilla, at https://security.googleblog.
> com/2016/10/distrusting-wosign-and-startcom.html
>


Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote:
> The security blog about Distrusting New WoSign and StartCom Certificates has 
> been published:
> 
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> 
> Chinese translations of it will be posted soon.
> 
> Thanks,
> Kathleen

Google has now posted its response, in light of the findings and discussion 
helpfully driven by Mozilla, at 
https://security.googleblog.com/2016/10/distrusting-wosign-and-startcom.html


Re: WoSign: updated report and discussion

2016-10-31 Thread Percy
According to http://se.360.cn/event/gmzb.html, the browser needs to send an
HTTP header Accept-Protocal: SM-SSL. Perhaps someone can do an Internet
scan against Chinese sites (especially gov) to observe SM2 certs.

Percy Alpha (PGP)


On Mon, Oct 31, 2016 at 10:54 AM, Han Yuwei  wrote:

> On Monday, October 31, 2016 at 11:50:46 PM UTC+8, Gervase Markham wrote:
> > On 30/10/16 19:47, Han Yuwei wrote:
> > > SM2 is widely used in Chinese government websites. There is an OpenSSL
> > > branch (https://github.com/guanzhi/GmSSL) which implemented
> > > SM2/SM3/SM4. And I don't see any other deployment in HTTPS.
> >
> > Right, but my question remains: can you find a site with a WoSign SM2
> > certificate, which chains up to a root Mozilla trusts?
> >
> > Gerv
>
> I am sorry that I can't provide such a certificate, for I am not involved
> in these systems. And I don't think it likely that there could be an SM2
> certificate, because major browsers haven't implemented SM2/SM3/SM4, so the
> server would only send RSA/ECC certificates.
>


Adding column to revoked intermediate cert reports

2016-10-31 Thread Kathleen Wilson
Just FYI...

We will be adding a new column to the revoked intermediate cert reports that 
are available here:

https://wiki.mozilla.org/CA:RevokedSubCAcerts

It will be called "Alternate CRL" and will be between the current "CRL URL(s)" 
and "OCSP URL(s)" columns.

The "Alternate CRL" field will be only editable by Mozilla, and will be in the 
"Mozilla Fields" section of the page layout for intermediate certs.

I had been putting this information into the Comments field but we need to 
separate it into its own field for our tool that will be automatically checking 
Salesforce for revoked intermediate certs that should be added to OneCRL. Note 
that there will always be a manual step for approving changes for OneCRL, but 
the tool will make it a bit easier.

Kathleen




Re: WoSign: updated report and discussion

2016-10-31 Thread Han Yuwei
On Monday, October 31, 2016 at 11:50:46 PM UTC+8, Gervase Markham wrote:
> On 30/10/16 19:47, Han Yuwei wrote:
> > SM2 is widely used in Chinese government websites. There is an OpenSSL
> > branch (https://github.com/guanzhi/GmSSL) which implemented
> > SM2/SM3/SM4. And I don't see any other deployment in HTTPS.
> 
> Right, but my question remains: can you find a site with a WoSign SM2
> certificate, which chains up to a root Mozilla trusts?
> 
> Gerv

I am sorry that I can't provide such a certificate, for I am not involved in 
these systems. And I don't think it likely that there could be an SM2 certificate, 
because major browsers haven't implemented SM2/SM3/SM4, so the server would only 
send RSA/ECC certificates.


Re: WoSign: updated report and discussion

2016-10-31 Thread Gervase Markham
On 30/10/16 19:47, Han Yuwei wrote:
> SM2 is widely used in Chinese government websites. There is an OpenSSL
> branch (https://github.com/guanzhi/GmSSL) which implemented
> SM2/SM3/SM4. And I don't see any other deployment in HTTPS.

Right, but my question remains: can you find a site with a WoSign SM2
certificate, which chains up to a root Mozilla trusts?

Gerv



Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread Peter Bowen
On Sun, Oct 30, 2016 at 11:34 PM,   wrote:
> On Monday, October 31, 2016 at 2:22:05 PM UTC+8, wangs...@gmail.com wrote:
>> On Friday, October 28, 2016 at 8:19:43 AM UTC+8, Percy wrote:
>> > "When facing any requirements of laws and regulations or any demands for 
>> > undergoing legal
>> > process of court and other agencies, GDCA must provide confidential 
>> > information in this CP"
>> >
>> > Can GDCA specify what other agencies are included? In China, many requests 
>> > are relayed simply through a phone call without any paper trail or IM and 
>> > the service providers must meet the demand very quickly. Are such informal 
>> > procedures honored by GDCA?
>>
>> Agencies include: public security organization, procuratorate, court.
>> The agency is required to meet the following conditions:
>> 1. provide paper official letters
>> 2. submit application to GDCA on site
>> 3. site applicants must be law enforcement officers
>
> I figured out that you are selling certificates on Taobao.com instead of 
> handling applications on your own website. Does that match your CP and CPS, 
> and does it conflict with Mozilla's policy?

There is nothing in Mozilla's policy that forbids CAs using resellers
and/or selling via 3rd party sites.  Many, if not most, CAs in the
Mozilla program have reseller programs.

Thanks,
Peter


help

2016-10-31 Thread chun . yin . cheung
Help.  My previous email account (cheungchun...@gmail.com) is blocked.  I want 
to subscribe to the mailing list using my company account 
(chun.yin.che...@cn.pwc.com).

Regards

CY

> On October 28, 2016, at 11:28 PM, Chun Yin Cheung wrote:
> 
> help
> 
> Regards
> 
> CY




Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread jonathansshn
On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote:
> On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> > Please see 6.1.7, which describes these contents.
> 
> In version 3.2 I see that "证书最长期限(年)" (maximum validity period, in years) for 
> "SSL服务器证书" (SSL Server Certificates) is 5.
> 
> And I don't see any other information about SM2 usage.

We feel that there is no need to discuss those roots that are NOT included in 
Mozilla's or any other publicly trusted root store. SM2 is not valid under the BRs 
right now, so we didn't apply for inclusion of our SM2 root. It is as simple as 
that. Hence, we do not plan to explain further about our NOT included root.


Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread wangsn1206
On Sunday, October 30, 2016 at 9:13:32 PM UTC+8, Gervase Markham wrote:
> On 29/10/16 22:23, Han Yuwei wrote:
> > Is SM2 acceptable in publicy-trusted CAs? I don't think so.
> 
> No; the BRs list the permitted algorithms, and SM2 is not one of them.
> 
> > Maybe Gerv could explain more about this. And I am wondering what can
> > CA do if government requirement conflicts with Mozilla's policy?
> 
> It may well be a government requirement that Chinese CAs be able to
> issue SM2 certificates. However, no-one has yet demonstrated that it's a
> requirement that they do so from specific roots (i.e. the ones trusted
> by the major root stores).
> 
> Gerv
We know that SM2 is not a permitted algorithm in the BRs' list. And we are only 
applying for the GDCA TrustAUTH R5 ROOT to be included this time.


Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread wangsn1206
On Friday, October 28, 2016 at 8:19:43 AM UTC+8, Percy wrote:
> "When facing any requirements of laws and regulations or any demands for 
> undergoing legal
> process of court and other agencies, GDCA must provide confidential 
> information in this CP"
> 
> Can GDCA specify what other agencies are included? In China, many requests 
> are relayed simply through a phone call without any paper trail or IM and the 
> service providers must meet the demand very quickly. Are such informal 
> procedures honored by GDCA?

Agencies include: public security organization, procuratorate, court.
The agency is required to meet the following conditions:
1. provide paper official letters 
2. submit application to GDCA on site
3. site applicants must be law enforcement officers