Open Bug 1418451 Opened 8 years ago Updated 4 years ago

Feature Request: Change how "Verified by:" value is obtained for SSL Certs in Firefox

Categories

(Core :: Security: PSM, enhancement, P5)

Product:
Core
Component:
Security: PSM
Version:
57 Branch
Type:
enhancement

Tracking

()

Status:
REOPENED

People

(Reporter: tdelmas, Unassigned)

Details

(Whiteboard: Feature request - See Comment #9[psm-backlog])

Attachments

(2 files)

wosign1.PNG
204.48 KB, image/png
Details
wosign2.PNG
77.77 KB, image/png
Details
Attached image wosign1.PNG
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.52 Safari/537.36 Steps to reproduce: Visit https://www.wosign.com Click on the EV green text to see details Actual results: Firefox says "Certified by: WoSign CA limited" Expected results: Something else, such as: - By scary red warning because WoSign is not trusted - "Certified by: DigiCert"
Attached image wosign2.PNG
I though WoSign were not trusted anymore. If I'm mistaken, please close that bug. I see tree options: 1 - WoSign control the private key of that intermediate certificate and did makes the validation 2 - WoSign is not in control of the private key (DigiCert is) but did makes the validation 3 - WoSign is not in control of the private key (DigiCert is) and did not makes the validation (DigiCert did) but is just a reseler If it's the first option, is that normal considering that WoSign is not trusted? If it's the second option, is that normal that a CA delegate the validation to another CA that is not anymore trusted? If it's the third option, It's really confusion that Firefox says something wrong, especially when it's about a CA that is not trusted anymore... For information, WoSign is not WoSign anymore, but WoTrus: https://www.wosign.com/english/News/English_name_change_to_WoTrus_2017.htm
Component: Untriaged → Security: PSM
Product: Firefox → Core
Kathleen is probably the best person to address this, but my understanding is that it's not that all certificate hierarchies involving WoSign are untrusted, but rather that some are (particularly the ones leading to WoSign roots - see bug 1387260).
Flags: needinfo?(kwilson)
This is a vanity CA. The ICA is operated by DigiCert, covered by DigiCert's audit, and utilizes DigiCert's validation staff
Thank you Jeremy for the information. So it's only a UI bug in my opinion.
The certificate hierarchy for the SSL cert in https://www.wosign.com is: DigiCert High Assurance EV Root CA signed WoSign EV SSL Pro CA signed www.wosign.com SSL cert As far as I can tell there is nothing wrong with the www.wosign.com EV SSL cert. I expect that the CA, DigiCert, did their job to verify the identity of the representative of WoSign (the certificate subscriber), the identity of the organization, and that WoSign owns the domains included in the cert, which are: DNS Name: www.wosign.com DNS Name: wosign.com DNS Name: buy.wosign.com DNS Name: login.wosign.com That is exactly what EV treatment means. So, the bug as reported here is not actually a bug -- the certificate is fine, and the UI treatment is correct. By the way, David was referring to the WoSign root certificates, which are being removed as described here: https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/ However, that is very different from the concern pointed out in this bug, which is that WoSign as a company is able to get an EV SSL Cert for the domains that they own. According to the definition and purpose of EV SSL certificates, it is legitimate for them to be able to get an EV SSL certificate for domains that they own. So, this is not actually a bug. And Jeremy's Comment #4 answers my only question about this, regarding the WoSign subCAs of DigiCert -- that they are operated by DigiCert, not WoSign. So, no bug here.
Assignee: nobody → kwilson
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kwilson)
Resolution: --- → WORKSFORME
I'm sorry, I should have take another example than wosign.com... To answer to Kathleen, I agree, there is nothing wrong with the certificate, nor with the EV treatment. And of course WoSign can get an EV for domains that they own. My only problem is with the UI about the "Verified by": When I click on the EV green test the Firefox UI says "Verified by: WoSign CA limited" As stated by Jeremy, WoSign, didn't verified the identity of the owner of the website, DigiCert did, WoSign only sold that certificate. The Firefox UI should says "Verified by: DigiCert" (or any other variant, as "Verified by: DigiCert, sold by WoSign"). It's obviously a bug as the UI display the wrong information in the place where the veracity of the information matter the most. Or I am missing something?
> My only problem is with the UI about the "Verified by": > > When I click on the EV green test the Firefox UI says "Verified by: WoSign > CA limited" That information is pulled directly out of the Certificate. My recollection is that is the Issuer O of the end-entity certificate.
> That information is pulled directly out of the Certificate. My recollection is that is the Issuer O of the end-entity certificate. Yes, that's why I do not have an easy way to fix it to suggest. I see a few ways to explore: 1- To remove the "Verified by:" from the UI, but I feel it's the worst solution because it's reduce the information available the the user 2- To ask CAs for each intermediate they have who effectively do the validation/who own the private key, to display the correct information (Note: having that information may be valuable even outside that context) 3- Add that information directly to the issued (leaf) certificate in another way, as the "Issuer" field is not helful
(In reply to tdelmas@gmail.com from comment #9) > > That information is pulled directly out of the Certificate. My recollection is that is the Issuer O of the end-entity certificate. > > Yes, that's why I do not have an easy way to fix it to suggest. > > I see a few ways to explore: > > 1- To remove the "Verified by:" from the UI, but I feel it's the worst > solution because it's reduce the information available the the user > 2- To ask CAs for each intermediate they have who effectively do the > validation/who own the private key, to display the correct information > (Note: having that information may be valuable even outside that context) > 3- Add that information directly to the issued (leaf) certificate in another > way, as the "Issuer" field is not helful I suppose this is a feature request, so re-opening the bug to indicate so...
Assignee: kwilson → nobody
Status: RESOLVED → REOPENED
Ever confirmed: true
Resolution: WORKSFORME → ---
Summary: Firefox show EV certification with the mention "Certified by: WoSign CA limited" → Feature Request: Change how "Verified by:" value is obtained for SSL Certs in Firefox
Whiteboard: Feature request - See Comment #9
Severity: normal → enhancement
I guess this would be some sort of mapping from $(issuer identity) -> $(name of organization that actually did the verification)?
Priority: -- → P5
Whiteboard: Feature request - See Comment #9 → Feature request - See Comment #9[psm-backlog]
Severity: normal → N/A
Type: defect → enhancement
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: