StartCom: Action Items

RESOLVED INCOMPLETE

Status

NSS
CA Certificate Mis-Issuance
RESOLVED INCOMPLETE
9 months ago
9 days ago

People

(Reporter: Kathleen Wilson, Assigned: Kathleen Wilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ca-incident-response])

Attachments

(1 attachment)

(Assignee)

Description

9 months ago
As per Bug #1309707, new certificates issued after October 21, 2016 that chain up to certificates with the following Subject Distinguished Names will no longer be trusted in Mozilla products, beginning with Firefox 51.

1) CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL 
2) CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL 

StartCom may apply for inclusion of new (replacement) root certificates[1] following Mozilla's normal root inclusion/change process[2] (minus waiting in the queue for the discussion), after they have completed all of the following action items, and shown that WoSign has no control (people or code) over StartCom.

1. Provide a list of changes that the CA plans to implement to ensure that there are no future violations of Mozilla's CA Certificate Policy and the CA/Browser Forum's Baseline Requirements.

2. Implement the changes, and update their CP/CPS to fully document their improved processes. The CP/CPS must explicitly state that it is prohibited to backdate the notBefore of certificates by more than one day.

3. Provide a public-facing attestation from a Licensed WebTrust Practitioner[3] acceptable to Mozilla that the changes have been made. This audit may be part of an annual WebTrust CA audit.

4. Provide auditor[3] attestation that a full performance audit has been performed confirming compliance with the CA/Browser Forum's Baseline Requirements. This audit may be part of an annual WebTrust BR audit. 

5. Provide auditor[3] attestation that a full security audit of the CA’s issuing infrastructure has been successfully completed.

6. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log. The CA should not fulfill the non-Google log requirement by using logs that they run themselves. For as long as they do so, they will need to demonstrate ongoing evidence of efforts to get other logs to take their volume, and why those efforts have not been successful.

Notes:
[1] The new (replacement) root certificates may be cross-signed by the Affected Roots. However, the Affected Roots may *not* be cross-signed by the new (replacement) root certificates, because that would bring the concerns about the Affected Roots into the scope of the new roots. Due to the way we are implementing the distrust, the new root certificates must have a Subject Distinguished Name that does not overlap with the Subject Distinguished Names listed above.
[2] Mozilla's root inclusion/change process includes checking that certificates in the CA hierarchy comply with the CA/Browser Forum's Baseline Requirements.
[3] The auditor must be an external company, and approved by Mozilla.
(Assignee)

Updated

8 months ago
Whiteboard: Incident Action Items

Comment 1

7 months ago
Would this be why my email digital signatures suddenly stopped working, even though the certificates were issued last January.  I get no error other than the certificate can not be found.
Matt: no.

Gerv
Matt - if you're having issues with email signatures (I'm assuming in Thunderbird?), please file a new bug here: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM with as much detail as you can include. Thanks!
Flags: needinfo?(unicorn.consulting)

Comment 4

7 months ago
Bug 1325901 filed
Flags: needinfo?(unicorn.consulting)

Comment 5

6 months ago
Thankfully all but one of the Startcom certificates that I manage was minted before the cutoff date for this action ... but because that certificate won't work in browsers any more, I had to replace it with a certificate from another provider.

If these had been free certificates, then I wouldn't mind so much ... but we have paid Startcom for their services.  The amount we paid was significantly less than most providers, but it's still very frustrating.

Is there much chance of Startcom's efforts resulting in their certificates being useful again?
Comment hidden (abuse-reviewed)
Comment hidden (off-topic)
Comment hidden (off-topic)
trncfrmcn: this is not the right place for your comments. Please don't add more.

Gerv
(Assignee)

Updated

4 months ago
Component: CA Certificates → CA Certificate Mis-Issuance
Whiteboard: Incident Action Items → [ca-incident-response]
The requirements in comment 0 have been communicated to StartCom, and so this bug is currently not actionable. If and when StartCom reapply for inclusion, we can make sure they have met all these conditions.

Gerv
Status: NEW → RESOLVED
Last Resolved: 4 months ago
Resolution: --- → INCOMPLETE
Summary: StartCom Action Items → StartCom: Action Items
Comment hidden (abuse-reviewed)

Updated

3 months ago
Product: mozilla.org → NSS

Comment 12

9 days ago
Hi all,

I´d like to update this bug because StartCom just applied for inclussion in Mozilla again.

1.- List of changes

As stated in the remediation plan, StartCom has followed and finished all these steps. 

a.- StartCom is now a 100% Qihoo360 owned subordinate Company. Management has also changed. 
b.- There´re no StartCom employees working at any Wosign premises. StartCom has subcontracted Qihoo 360 for all PKI and development management.
c.- StartCom acquired EJBCA PKI software from Primekey (CA, VA and TSA). There´s no in-house development for PKI
d.- All StartCom servers are under Qihoo 360 premises in different locations, in China and US.
e.- StartCom has developed a new CMS system and website, using a new language, PHP, from scratch.  

2.- External pentesting

StartCom hired Cure53 as suggested by Mozilla. They were analyzing the new web and CMS system, firstly separately, and finally, integrated with the overall system. Only when the overall system was Ok, StartCom started to issue certificates from it.

3.- Webtrust audit

StartCom hired PwC for doing a full webtrust audit. There were findings, and they are reflected in the reports, but all were fixed. StartCom will perform an additional Webtrust audit after summer. The audit reports can be found at StartCom website (www.startcomca.com/policy)

4.- CT

StartCom logs all the SSL issued certificates in several CT logs. Currently in Google and StarCom CT log servers. StartCom used Venafi as well but was disqualified. It was also requested to use a not own-managed CT log and contacted several CT log server providers but with different answers or no answers. StartCom has contacted CNNIC, Symantec and Digicert but with no results. Also contacted Comodo, and they are willing to include the new StartCom certs when included in Chrome, once this is done, will start also publishing at new Comodo CT logs.


If you need further clarification, don´t hesitate in asking.

Regards

Comment 13

9 days ago
Created attachment 8886970 [details]
SC-02-summary-report.pdf
You need to log in before you can comment on or make changes to this bug.