Closed Bug 994478 Opened 10 years ago Closed 10 years ago

Remove StartCom CA from Mozilla for violation of CA policy

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 994033

People

(Reporter: jadevree, Assigned: kathleen.a.wilson)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 Iceweasel/28.0 (Beta/Release)
Build ID: 20140319130652

Steps to reproduce:

StartCom is in violation of CA policy regarding revocation of certificates known or reasonably believed to be compromised.

http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

Examples:

https://twitter.com/startssl
https://cv.exbit.io/emails/startssl_heartbeat.txt
http://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml
https://news.ycombinator.com/item?id=7557764


Actual results:

CA demands additional payments, even from paying (non-free) customers to revoke certificates believed to be compromised.


Expected results:

CA should revoke certificates in compliance with the Mozilla CA policy without demanding additional payments.
Note my interpretation is that StartCom is in violation of the revocation requirements in section #2 of the Mozilla CA policy even if they make an exception this one time due to the OpenSSL Heartbleed flaw. Their obligation to revoke certificates for reasons covered under section #2 applies regardless of payments from customers.


A CA may charge for re-issuing the revoked certificates, but the revocation for any reason given in section #2 is distinct from issuing a new certificate.
Status: UNCONFIRMED → NEW
Ever confirmed: true
As said in bug 994033, the right place to discuss such topics is the https://lists.mozilla.org/listinfo/dev-security-policy mailing list.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Just as an experiment, I did this
https://revokame.tonylampada.com.br/
Given Startcom's reply to it, it seems to me there's no doubt that the internet can't trust them anymore.
(In reply to tonylampada from comment #3)
> Just as an experiment, I did this
> https://revokame.tonylampada.com.br/
So basically you took the time to get a certificate and pretty much just threw out the private key instantly as soon as you got the cert?

Although you just broke their CPS they might have to revoke that cert, yes, but since you broke their CPS they might also be entitled to get reimbursed by you.

http://www.startssl.com/policy.pdf Page 7 ->
• Never share private keys with any third party and use
adequate protection and best security practices to secure
private keys in order prevent losses and compromises thereof.
• Notify StartCom immediately in case of a private key
compromise and request revocation of the affected
certificate(s). 

But IMHO this was the most stupid attempt I have ever seen to fuel an already burning fire. Also, see comment #2:
(In reply to Kai Engert (:kaie) from comment #2)
> As said in bug 994033, the right place discuss such topics is the
> https://lists.mozilla.org/listinfo/dev-security-policy mailing list.
> 
> *** This bug has been marked as a duplicate of bug 994033 ***

^ There is an ongoing discussion there about Revocation Policy. Please join that conversation.
Product: mozilla.org → NSS
Product: NSS → CA Program