Closed
Bug 994478
Opened 10 years ago
Closed 10 years ago
Remove StartCom CA from Mozilla for violation of CA policy
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 994033
People
(Reporter: jadevree, Assigned: kathleen.a.wilson)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:28.0) Gecko/20100101 Firefox/28.0 Iceweasel/28.0 (Beta/Release)
Build ID: 20140319130652

Steps to reproduce:
StartCom is in violation of CA policy regarding revocation of certificates known or reasonably believed to be compromised.
http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/maintenance/

Examples:
https://twitter.com/startssl
https://cv.exbit.io/emails/startssl_heartbeat.txt
http://www.techdirt.com/articles/20140409/11442426859/shameful-security-startcom-charges-people-to-revoke-ssl-certs-vulnerable-to-heartbleed.shtml
https://news.ycombinator.com/item?id=7557764

Actual results:
CA demands additional payments, even from paying (non-free) customers, to revoke certificates believed to be compromised.

Expected results:
CA should revoke certificates in compliance with Mozilla CA policy without demanding additional payments.
Note my interpretation is that StartCom is in violation of the revocation requirements in section #2 of the Mozilla CA policy even if they make an exception this one time due to the OpenSSL Heartbleed flaw. Their obligation to revoke certificates for reasons covered under section #2 applies regardless of payments from customers. A CA may charge for re-issuing the revoked certificates, but the revocation for any reason given in section #2 is distinct from issuing a new certificate.
Comment 2•10 years ago
As said in bug 994033, the right place to discuss such topics is the https://lists.mozilla.org/listinfo/dev-security-policy mailing list.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Comment 3•10 years ago
Just as an experiment, I did this https://revokame.tonylampada.com.br/
Comment 4•10 years ago
Given StartCom's reply to it, it seems to me there's no doubt that the internet can't trust them anymore.

(In reply to tonylampada from comment #3)
> Just as an experiment, I did this
> https://revokame.tonylampada.com.br/

So basically you took the time to get a certificate and pretty much just threw out the private key instantly as soon as you got the cert? Although you just broke their CPS they might have to revoke that cert, yes, but since you broke their CPS they might also be entitled to get reimbursed by you.

http://www.startssl.com/policy.pdf Page 7 ->
• Never share private keys with any third party and use adequate protection and best security practices to secure private keys in order prevent losses and compromises thereof.
• Notify StartCom immediately in case of a private key compromise and request revocation of the affected certificate(s).

But IMHO this was the stupidest attempt I have ever seen to fuel an already burning fire.

Also, see comment #2;

(In reply to Kai Engert (:kaie) from comment #2)
> As said in bug 994033, the right place discuss such topics is the
> https://lists.mozilla.org/listinfo/dev-security-policy mailing list.
>
> *** This bug has been marked as a duplicate of bug 994033 ***

^ There it is an ongoing discussion about Revocation Policy. Please join that conversation.
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program