Slashdot Mirror
Mozilla's Proposed Conclusion: Game Over For WoSign and Startcom? (google.com)
Reader Zocalo writes: Over the last several months Mozilla has been investigating a large number of breaches of what Mozilla deems to be acceptable CA protocols by the Chinese root CA WoSign and their perhaps better known subsidiary StartCom, whose acquisition by WoSign is one of the issues in question. Mozilla has now published their proposed solution (GoogleDocs link), and it's not looking good for WoSign and Startcom. Mozilla's position is that they have lost trust in WoSign and, by association StartCom, with a proposed action to give WoSign and StartCom a "timeout" by distrusting any certificates issued after a date to be determined in the near future for a period of one year, essentially preventing them issuing any certificates that will be trusted by Mozilla. Attempts to circumvent this by back-dating the valid-from date will result in an immediate and permanent revocation of trust, and there are some major actions required to re-establish that trust at the end of the time out as well.
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!
What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?
This seems like a rather elegant, if somewhat draconian, solution to the issue of what to do when a CA steps out of line. Revoking trust for certificates issued after a given date does not invalidate existing certificates and thereby inconvenience their owners, but it does put a severe -- and potentially business-ending -- penalty on the CA in question. Basically, WoSign and StartCom will have a year where they cannot issue any new certificates that Mozilla will trust, and will also have to inform any existing customers that have certificate renewals due within that period they cannot do so and they will need to go else where -- hardly good PR!
What does Slashdot think? Is Mozilla going too far here, or is their proposal justified and reasonable given WoSign's actions, making a good template for potential future breaches of trust by root CAs, particularly in the wake of other CA trust breaches by the likes of CNNIC, DigiNotar, and Symantec?
When I signed my organization up with StartCom (StartSSL) 18 months ago, I did a few hours of research in attempt to do my due diligence. Unfortunately I found absolutely no information tying StartCom to WoSign or any Chinese groups. Had I known who was actually behind StartCom, I would have found another solution. I'm sure that I'm not the only admin in this position.
As the submitter, I pitched it as possibly draconian because they're basically proposing to kill the business of both WoSign and, more critically perhaps, Startcom. It might be presented as a one year timeout but, realistically, what business can survive for an entire year without actually being able to generate any revenue, and even if they survive that long have to jump through some pretty big hoops before they can start operations again - including having Mozilla appoint someone to audit them and their code? There's also the issue of Startcom - until around year ago they were their own (Israeli) business and a lot of people took advantage of Startcom's free certificates - they were in many ways the forerunner of Let's Encrypt in bringing SSL/TLS to the masses - and those users are going to get at least slightly singed as well.
Anyway, since the story isn't really the place for the writer's opinion and the comments are, for the the record I think that WoSign really screwed up, they deserve what they get, and this a good solution for this and future CA incidents that minimises the fallout on those customers who already have one of their certs. Also, once they finalise this, I think Mozilla's next step should be to write this up as policy and then try and get Google, Microsoft and Apple on board with it as an agreed template for multilaterally handling the inevitable future incidents. The whole root CA system is only as strong as its weakest link, and if it's going to survive as a viable means of establishing trust then when weak links are identified they need to be removed with prejudice as soon as possible - it's not just great power that requires great responsibility; it's trust too.
UNIX? They're not even circumcised! Savages!
I thought the 'punishment' was an interesting take to show a loss of trust, after a certain date and the ability to regain it after a period of time. I found it slightly more interesting that Mozilla would also choose to no longer accept audits conducted by Ernst & Young. That could potentially be huge as it shows (at least in some manner) that their auditors were not conducting a thorough audit or did not have the technical prowess to fully audit a CA.
think before you write, it'll save me moderator points.
All we should have is the "Registrar Model":
Register Domain, Get Domain & Certificate from Registrar.
Use Certificate to sign a "fingerprint" of your Server.
Register the signed "fingerprint" with your Domain Registrar.
Domain Lookups would include the signed fingerprint of your server.
Done.