RCE used by Intermediate CA to issue certificates.

8,173 views
Skip to first unread message

John Han (hanyuwei70)

unread,
Jun 9, 2023, 8:42:22 AM6/9/23
to dev-secur...@mozilla.org
Here is the story.
https://github.com/acmesh-official/acme.sh/issues/4659

Seems like they exploited acme.sh and let user to evade certificate issuing procedure.

Do we need to discuss this?

Andrew Ayer

unread,
Jun 9, 2023, 9:04:34 AM6/9/23
to John Han (hanyuwei70), dev-secur...@mozilla.org
The party in question (HiCA/QuantumCA) is not a certificate authority,
and I don't see any evidence that the actual CAs in question evaded any
validation requirements.

HiCA/QuantumCA is just acting as an intermediary between subscribers
and the issuance APIs operated by actual CAs[1]. Literally anyone can
do this and do monumentally stupid/insecure things; it's not productive
to have a discussion every time this happens.

Regards,
Andrew

[1] It's true they have a reseller relationship with ssl.com, who are
operating a white-label intermediate CA with "QuantumCA" in the
subject, but HiCA/QuantnumCA are also fronting other CAs, including
GTS, which doesn't require a reseller agreement to access their free
ACME API, so I don't see that aspect as being productive to discuss
either.

Kurt Seifried

unread,
Jun 9, 2023, 10:26:48 AM6/9/23
to Andrew Ayer, John Han (hanyuwei70), dev-secur...@mozilla.org
More details:



My one thought is this:

Shouldn't the root CA(s) that ultimately empower this reseller have some process to ensure they only mint trusted authorities that only mint trusted authorities and so on? And if a rogue intermediate/reseller CA pops up shouldn't they deal with it?

Because otherwise, I can stand up a root CA, and then sign intermediate CAs/resellers that do all the dirty/evil work and say "LOLZ. I'm a root CA. I didn't sign this. It's this bad intermediate/reseller CA, go punish them"

And seeing as how you can stand up an intermediate/reseller in literal minutes if you have a captive root CA to sign off on it...

I feel like the CCADB/Mozilla have abdicated responsibility in the sense of "well the root CA didn't do anything technically wrong..." rather than taking the approach of "shouldn't we encourage/force root CAs to be responsible for their downstream CAs and ensure a safe ecosystem for everyone?"



--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20230609090430.3a4e8396e6e0b856fc81c6ab%40andrewayer.name.


--
Kurt Seifried (He/Him)
ku...@seifried.org

mochaaP

unread,
Jun 9, 2023, 12:43:47 PM6/9/23
to dev-secur...@mozilla.org, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
Hello,

Although HiCA is not a CA itself, the person own HiCA seems also owns (or at least works for) Quantum CA[1][2]. they also confirmed that Quantum CA is operated by both their team and SSL.com team[3].

I think this probably is not as simple as a white-label intermediate CA being abused, rather a CA that resells their own product to themselves to prevent being punished for bad behaviors.

[1]: https://github.com/xiaohuilam (see "Pinned" section)
[2]: https://github.com/quantumca (see "People" section)
[3]: https://github.com/acmesh-official/acme.sh/issues/4659#issuecomment-1584546150 (note that this person never clearified their relationship with Quantum CA and only replied with "So this isn't the evidence to proof HiCA is a CA which managed PKI.")

Regards,
Zephyr Lykos

Xiaohui Lam

unread,
Jun 9, 2023, 1:08:08 PM6/9/23
to dev-secur...@mozilla.org, mochaaP, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
Thanks John to share this topic to the dev-security forum.

This is HiCA founder, let me to explain your concern, Mr John ,
the RCE is fully used to finish the challenge which validated by CAs, in another word, the ACME.sh-enrolled certificates which passing this RCE, it does compliant with each CA's BR validation requirements. CA did nothing wrong. And also by this trick can enroll any CA's certificate before acme.sh fix patch.

and to Mr @mochaaP, you said to punish our team, we're NOT a public CA or private CA(in my understanding, a CA must manage a or more PKI infrastructure physically), [3]so the clarify relationship to HiCA w/ QuantumCA is no necessary, but we still told we runs HiCA inside QuantumCA project's source code, it's a sub-application inside it.

I agree @Andrew's opinion, CAs shouldn't take any responsibilities to the RCE incidents. or there are hundreds acme-tools for CAs need to concern.

Thomas Zermeno

unread,
Jun 9, 2023, 2:17:26 PM6/9/23
to dev-secur...@mozilla.org, Xiaohui Lam, mochaaP, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
We would like to clarify that SSL.com discontinued issuing Quantum certs in 2022, and haven't issued any certs from the Quantum branded ICAs in 2023. Furthermore, there is absolutely no association between HiCA and SSL.com. In fact, only through the recent acme.sh RCE public discussions were we made aware of the existence of HiCA.

As a result, we took the initiative to further investigate and discovered that QUANTUM CA LIMITED dissolved on November 1, 2022. We were not notified about this change by Quantum.

Based on this fact, we plan to revoke the Quantum branded subCAs and all associated end-entity certificates within 7 days, as mandated by section 4.9.1.2 of our CP/CPS.

Regards,

Tom

Kurt Seifried

unread,
Jun 9, 2023, 2:35:07 PM6/9/23
to Thomas Zermeno, dev-secur...@mozilla.org, Xiaohui Lam, mochaaP, Andrew Ayer, John Han (hanyuwei70)
Is this an official statement from ssl.com? If so can you please provide proof that madca...@gmail.com is authorized to speak on behalf of ssl.com

Seriously, why do all these CA's lack the ability to host their own email?


--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Kurt Seifried

unread,
Jun 9, 2023, 2:36:09 PM6/9/23
to Xiaohui Lam, dev-secur...@mozilla.org, mochaaP, Andrew Ayer, John Han (hanyuwei70)
Is this an official statement from  HiCA? If so can you please provide proof that inao...@gmail.com is authorized to speak on behalf of HiCA? 

Seriously, why do all these CA's lack the ability to host their own email?
--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Xiaohui Lam

unread,
Jun 9, 2023, 3:08:30 PM6/9/23
to dev-secur...@mozilla.org, Kurt Seifried, dev-secur...@mozilla.org, mochaaP, Andrew Ayer, John Han (hanyuwei70), Xiaohui Lam
Yes, I'm staff for HiCA which on behalf of HiCA officially.

Those mail is sent from our server, not CAs. It's another project for reselling ssl.com(no selling anymore half year ago)'s mail template. these projects they are included in one source code repository(screenshot-of-eab-notification-email-source-code.png), and email template/layout is shared between some of them. we copied mail layout/template from ssl.com notify email and forget to update to our information, it's no associated with ssl.com mailing system.

And  all

Xiaohui Lam

unread,
Jun 9, 2023, 3:09:24 PM6/9/23
to dev-secur...@mozilla.org, Xiaohui Lam, Kurt Seifried, dev-secur...@mozilla.org, mochaaP, Andrew Ayer, John Han (hanyuwei70)

Sorry for a typo:

`It's another project for reselling ssl.com(no selling anymore half year ago)'s mail template` 
->
`It's another project for reselling ssl.com(no selling anymore half year ago)'s certificates` ...

mochaaP

unread,
Jun 9, 2023, 3:13:11 PM6/9/23
to dev-secur...@mozilla.org, Xiaohui Lam, mochaaP, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
Hi Xiaohui,

I think you may have misunderstood my message. What I meant to convey was that I am skeptical of your intention to resell your own CA for a dissolved Ltd. that was not subject to having its certificate revoked. We believe that this practice is uncommon for a reseller in such a case.

Please understand that my message was not intended to be hateful towards you or your team. If you believe that this was an honest mistake, please reply to this thread with more details. The community values transparency and trust, and we would be happy to hear your perspective.

Best regards,
Zephyr Lykos

Xiaohui Lam

unread,
Jun 9, 2023, 3:32:03 PM6/9/23
to dev-secur...@mozilla.org, mochaaP, Xiaohui Lam, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
Mr mochaaP,

We're running businesses under multi entities, one is UK company, and one is CN company, the UK company is registered and running by a former workmate which leaved our team, and CN company is registered and running by me.

We do stopped from selling SSL.com certificate due to business concern and the cross-sign root expiration concern, That meantime we do have some cooperates with other CAs without whitelabel/intermediateCA, some CAs are directly implemented and some are tier-2 implements(under other resellers). So, our website is kept running, including HiCA keeps.

But we will stop all misleading business to stop provide our Quantum brand products, only contain our China company's materials.

My KEY OPINION: our China entity has been kept in existence so we kept the reselling business.

Sincere.
Bruce Lam

Kurt Seifried

unread,
Jun 10, 2023, 12:39:16 PM6/10/23
to Xiaohui Lam, dev-secur...@mozilla.org, mochaaP, Andrew Ayer, John Han (hanyuwei70)
Is this really a situation where something extremely suspicious (remote code execution, CA's with multiple entities, some of which don't seem to properly exist, etc.) is going to be swept under the rug with a simple "yeah, we revoked this bad actors certificates, everything is fine"?

If HiCA can do this, how do we know there are not more intermediate/reseller CAs doing this?

https://news.ycombinator.com/item?id=36252310.

Just a note, apparently, websites have been shut down and stuff deleted with respect to HiCA.

Posting some of the threads here in case they get removed or whatever:

==================
egecks 1 day ago | prev | next [–]

I think the title buries the most horrifying part of this. The HiCA certificate authority is relying on an RCE to do an end-run around the semantics of the ACME HTTP-01 validation method.
Fucked up and they should be booted from every root program for this.

=================

0x0 1 day ago | prev | next [–]

Looks like they are issuing under a sub-CA of "ssl.com" according to https://github.com/acmesh-official/acme.sh/issues/4659#issue...
Interestingly, the mozilla dev-security-policy group seems to contain a recent discussion about including "ssl.com" in the root store here https://groups.google.com/a/mozilla.org/g/dev-security-polic...

Curious to know if this could, maybe it should, have ripple effects to the various SSL Root CA programs. Having someone run a subCA that actually exploits an RCE against ACME clients doesn't seem very trustworthy, and any CA enabling this behaviour should probably be kicked out of the trust stores?

reply


agwa 1 day ago | parent | next [–]

The sub CA is operated by ssl.com, not HiCA (which is not a trusted certificate authority). HiCA is relaying the certificate requests to ssl.com, which is properly validating the requests in accordance with all the requirements. ssl.com isn't doing anything wrong. That's why HiCA needs to exploit an RCE in acme.sh - ACME doesn't support relaying certificate requests to other CAs like this.
reply


0x0 23 hours ago | root | parent | next [–]

Someone posted a comment on github claiming they are the founder of Quantum (the sub CA of ssl.com - see https://crt.sh/?caid=200960 ) and that they are the provider of the HiCA service. So it does sound like there is a closer link here than your comment would indicate:
https://github.com/acmesh-official/acme.sh/issues/4659#issue...

reply


agwa 23 hours ago | root | parent | next [–]

Quantum is not a trusted CA. ssl.com has a white-labeled intermediate CA with the name "Quantum" in it, but this intermediate CA is operated by ssl.com under all the same controls as ssl.com's other intermediate CAs. Quantum has no ability to issue trusted certificates themselves.
reply


0x0 23 hours ago | root | parent | next [–]

So the person claiming to be the founder of "QuantumCA" does not possess the private key corresponding to https://crt.sh/?caid=200960 - can we be sure the private key is only accessible by ssl.com's CA system? So the certificates listed here aren't issued by this person, but by the ssl.com's system? https://crt.sh/?Identity=%25&iCAID=200960&exclude=expired&de...
Also, why would ssl.com even create a subCA named "QuantumCA"? Are they in business with this person claiming to be the founder of "QuantumCA" who appears to be responsible for exploiting this acme.sh 0day? What does this say about ssl.com's trustworthiness? Or is the person in the github comments lying?

reply


agwa 23 hours ago | root | parent | next [–]

> So the person claiming to be the founder of "QuantumCA" does not possess the private key corresponding to https://crt.sh/?caid=200960 - can we be sure the private key is only accessible by ssl.com's CA system? So the certificates listed here aren't issued by this person, but by the ssl.com's system? https://crt.sh/?Identity=%25&iCAID=200960&exclude=expired&de...
Correct. You can see the Quantum intermediates listed in ssl.com's most recent audit statement, meaning an auditor has verified that ssl.com has controls to protect the private key: https://www.cpacanada.ca/generichandlers/CPACHandler.ashx?at...

(The audit could be flawed, but it's the same amount of assurance we have for any intermediate CA's private key - the fact that "QuantumCA" is in the name does not change the risk calculus)

> Also, why would ssl.com even create a subCA named "QuantumCA"? Are they in business with this person claiming to be the founder of "QuantumCA" who appears to be responsible for exploiting this acme.sh 0day? What does this say about ssl.com's trustworthiness? Or is the person in the github comments lying?

There is a business relationship between QuantumCA and ssl.com. QuantumCA is a reseller of ssl.com, and they've paid extra to ssl.com so that the certificates they purchase get issued from an intermediate CA named "QuantumCA" rather than one of ssl.com's usual intermediate CAs which have "ssl.com" in the name. This lets QuantumCA pretend to be a real CA. This is a common practice in the industry, and I don't think it says anything about the trustworthiness of ssl.com, because the business relationship with QuantumCA doesn't in any way subvert the integrity of the WebPKI since ssl.com retains control of the issuance. Still, I wish intermediate CA white-labeling were banned because it causes terrible confusion about who is and isn't a CA.

reply


0x0 23 hours ago | root | parent | next [–]

I find it troubling that a root CA (ssl.com) is apparently OK with lending their name in a business relationship with an actor that is actively exploiting an acme.sh 0day.


tptacek 20 hours ago | root | parent | next [–]

This feels a little bit like doubling down to find ways to implicate the actual CA instead of the reseller. It's clear how mismanagement by a real CA would make a more interesting story than by this random no-longer-existing pseudo-reseller, but I don't think there's evidence to support that story yet.
reply


0x0 20 hours ago | root | parent | next [–]

But it's not a random pseudo-reseller? The one github comment from "the founder of Quantum CA" seems to say they are also the creator of HiCA, which is the entity that was exploiting the 0day in acme.sh. And the crt.sh link shows an intermediate CA cert named "QuantumCA", signed by ssl.com.
So QuantumCA == HiCA == exploiters of the acme.sh 0day, it's all the same entity? The intermediate CA could just as well be named "0dayexploitersCA"? Why is it not a huge concern that ssl.com is fine with operating such a "0dayexploitersCA" intermediate?

Am I missing something here?

reply
=================






--
You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.

Kurt Seifried

unread,
Jun 10, 2023, 2:08:47 PM6/10/23
to Xiaohui Lam, dev-secur...@mozilla.org
Forwarding this to the list, I'm not comfortable with off list discussions in private.

On Sat, Jun 10, 2023 at 11:18 AM Xiaohui Lam <inao...@gmail.com> wrote:
Mr Seifried,

> Is this really a situation where something extremely suspicious (remote code execution, CA's with multiple entities, some of which don't seem to properly exist, etc.) is going to be swept under the rug with a simple "yeah, we revoked this bad actors certificates, everything is fine"?

We are a reseller, not a physical root CA. This is a widely accepted solution for cross border businesses. We have business accepts online payment, the China users needs pay via alipay or wechat, to sign up the merchant we must have a china company,
and foreign needs stripe, merchant must be a non-MainlandChina company. this is not suspicious.

*. I represent the above opinion of my company

> If HiCA can do this, how do we know there are not more intermediate/reseller CAs doing this?

Most CA has no necessary to exploiting this RCE, because they can natively compatible with RFC 8555, they can define own CPS and CP, which contains validation policy, we does because we are not CA and can't to provider RFC 8555 ACME endpoint like a CA does. so a physical root CA has no necessary to provide ACME simulation by RCE. and also there're more difficulties for a ssl reseller to provide ACME service which real CAs won't undergo.

- CSR stage difference: Most CA's subscriber request process or reseller API process, requires CSR be submitted in the `new-order` API, ACME requires CSR be submitted in `finalize` API. I have a topic in letsencrypt community years ago about this - https://community.letsencrypt.org/t/why-acme-requires-domain-auth-first-before-csr/98482
- Challenge difference: Most CA's  subscriber request process or reseller API process's DNS validation requires `_<md5>` / `_dnsauth` dnshost, and dnstype possibly CNAME or possibly TXT, But ACME's DNS validation dnshost is constant: `_acme-challenge`, dnstype `TXT`.  And in a more deep talk ACME's dnsvalue needs publickey's thumbprint + server token which is totally different than traditional way's dnsvalue.


My opinion is community can research how many ACME was publicly provided, and investigate is the provider a physical CA. if is natively compatible with RFC 8555, no worry about that one and continue do investigate next.

*. I represent the above opinion of my personal. not my company.


Sincere,
Bruce.

Amir Omidi (aaomidi)

unread,
Jun 10, 2023, 10:02:14 PM6/10/23
to dev-secur...@mozilla.org, Kurt Seifried, Xiaohui Lam
Emailing on my personal capacity:

Xiaohui, can you please confirm that ssl.com was the only actual CA that was used for issuance through HiCA?

Xiaohui Lam

unread,
Jun 11, 2023, 9:32:26 AM6/11/23
to dev-secur...@mozilla.org, Kurt Seifried, Xiaohui Lam
Sorry, Mr Seifried, 
It's not meant to PM, I mean to post publicly, i don't know the "post thread" and "reply author"' differences actually.

Xiaohui Lam

unread,
Jun 11, 2023, 9:34:44 AM6/11/23
to dev-secur...@mozilla.org, Amir Omidi (aaomidi), Kurt Seifried, Xiaohui Lam
No, actually we implementing GTS, SSL.com and sometimes Let's Encrypt, Sectigo all the time. and especially SSL.com issued under SSL.com subCA, not under "Quantum Secure Site DV" acutally.
The CA

Xiaohui Lam

unread,
Jun 11, 2023, 9:37:42 AM6/11/23
to dev-secur...@mozilla.org, Amir Omidi (aaomidi), Kurt Seifried, Xiaohui Lam
Because the Quantum security site has OCSP customized services, we must ensure that all certificates under it comply with Chinese regulations, otherwise the ICP filing of OCSP may be revoked. So we can't issue certificates for everyone by default.
在2023年6月11日星期日 UTC+8 10:02:14<Amir Omidi (aaomidi)> 写道:

Xiaohui Lam

unread,
Jun 11, 2023, 9:42:16 AM6/11/23
to dev-secur...@mozilla.org, Thomas Zermeno, Xiaohui Lam, mochaaP, Andrew Ayer, dev-secur...@mozilla.org, John Han (hanyuwei70)
We agree with SSL.com canceling the 90-day certificate customers under Quantum subCA, but we object to the annual customer service payment.
Should SSL.com refund some of the certificates because they were multi-year subscription certificates purchased?

If not, why not cancel the product purchase entrance for more than 365 days on your website and interface?

It's likely a fraud in business.

It might should not be involved in this dev security group, but we wanna some expanding of this topic with other resellers and CAs in the industry.

Xiaohui Lam

unread,
Jun 12, 2023, 10:26:55 PM6/12/23
to dev-secur...@mozilla.org, Kurt Seifried, Xiaohui Lam
WX20230613-102227@2x.png

Kurt Seifried,

Because there's some translation problem with google groups poor translation, I did not distinguish effectively “reply all"(回复全部) and "reply author"(回复作者).
I clicked the last and triggered PM to your inbox.
It also bothers me that it doesn't show up in the list after I send it.


but the discriminatory connotation of this discomfort frustrates me, very.



在2023年6月11日星期日 UTC+8 02:08:47<Kurt Seifried> 写道:

Kurt Seifried

unread,
Jun 12, 2023, 11:11:07 PM6/12/23
to Xiaohui Lam, dev-secur...@mozilla.org
Would it perhaps be best if Mozilla disabled web posting? In my experience with other Google groups it has caused nothing but problems. I also think it is reasonable to assume people participating in this list will have access to a working email account that they can use to post and receive emails from the list. 

If requiring a working email address (ideally from the same domain as the one they claim to represent) is too high of a bar for CAs, then, well, I don't know what to say. I feel like a CA (root, intermediate, reseller or otherwise) should be able to set up their own email domain, no?

James Kasten

unread,
Jun 13, 2023, 1:00:41 AM6/13/23
to dev-secur...@mozilla.org, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried

To be explicit, GTS does not have a business relationship with HiCA.

Normally ACME services have protections against these types of MitM-CAs, but the remote RCE allowed HiCA to bypass these controls [1, 2].

For instance, it is possible HiCA replaced the local client's key authorization during challenge validation with a key authorization provided by HiCA, granting authorization of the domain names to HiCA. HiCA could theoretically use these authorizations to continue to issue certificates for the affected domain names, or revoke the certificates that were issued. 

So clients of HiCA should also consider the lasting effects on the the domains in addition to your normal recovery procedures for an RCE. It may be prudent to reissue and revoke any certificates with your choice of CA directly and to watch certificate transparency logs for any future unintended issuance. GTS allows authorization reuse up to 28 days on our ACME endpoint and issues certificates with lifetimes up to 90 days. Other CAs may differ. By the current baseline requirements CAs can issue 398 day certificates and reuse the authorizations for 398 days [3].


James Kasten
Google Trust Services


1. https://datatracker.ietf.org/doc/html/rfc8555#section-6.4
2. https://datatracker.ietf.org/doc/html/rfc8555#section-10.2
3. https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.8.7.pdf

James Kasten

unread,
Jun 13, 2023, 1:00:45 AM6/13/23
to dev-secur...@mozilla.org, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried
The final reference should be "3. https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-v2.0.0.pdf" instead of the 1.8.7 link provided. (It doesn't change the discussion.) My apologies.

James Kasten
Google Trust Services

Xiaohui Lam

unread,
Jun 13, 2023, 2:35:11 AM6/13/23
to dev-secur...@mozilla.org, James Kasten, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried
James Kasten,

We apologize for the impact of the security incident on GTS.
I want to say that we will not do bad things, but we lack the means of notarization.

But there is a suggestion:
GTS could evaluate to disable pre-authorizations for domain names or IP addresses for the next 90 days, to reduce potential impacts of the incident.

Levi

unread,
Jun 13, 2023, 10:30:18 AM6/13/23
to dev-secur...@mozilla.org, James Kasten, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried
I think the key to this issue is "Is the CA should take actions to protect their third-party system security under authorized". This problem included the security of the system, public perception of their morality, and compliance issues. HiCA has used the RCE leak of ACME to add advertising to end users (or commercial activities) but as for now, there are not any security problems that destroy the security of CA reported. A few years ago, Quantum CA used the security leak of CA to issue the certificate which expires a period of 5 years, and now, HiCA used the security leak of ACME to add advertising to end users .

In conclusion, there are things we know:
1. There is not any reported security of CA issues (Sectigo, GTS, and more).
2. HiCA used the RCE leak of ACME but has not caused any security problems (as of now).
3. People think the CA must take action to protect the system security (not only for CA's system)
在2023年6月13日星期二 UTC+8 13:00:45<James Kasten> 写道:

Thomas Zermeno

unread,
Jun 13, 2023, 11:56:41 AM6/13/23
to dev-secur...@mozilla.org, Levi, James Kasten, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried
In light of the ongoing HiCA discussion, we feel compelled to provide additional clarity on the subject. Not only were we unaware of the existence of HiCA until recently, but we were unaware that QuantumCA was distributing acme.sh. QuantumCA's reseller account was never enabled for ACME therefore no certs were issued from any of QuantumCA branded SubCAs via ACME at any time.

However, SSL.com's free community ACME 90-day certs have been available since 2021 and we have no involvement, collaboration, or control over any ACME client scripts or applications including HiCA's acme.sh. Our courtesy ACME service is available in a similar vein as other free publicly trusted ACME TLS certificate providers with no restrictions or consideration on which ACME clients are allowed access to this service.

We do not collaborate on any projects with our SSL/TLS SubCA resellers other than to provide them brandable certificates. Many members of the community find brandable SubCAs valuable to help build reputation without having to invest in a fully dedicated CA infrastructure, and most reseller customers handle the privilege of their SubCAs responsibly. Unfortunately, there are cases where abuse, intentional or otherwise, may crop up. At SSL.com, we make every effort to respond swiftly and firmly whenever we are alerted of any issues related to our branded SubCAs.

In particular, SSL.com has already planned revocation of the branded SubCAs within the required 7-day time window from the moment we discovered the dissolution of QUANTUM CA LIMITED, in full compliance with our CP/CPS and the CA/B Forum Baseline Requirements. We are also reaching out to individual subscribers affected by this upcoming revocation event to minimize the impact.

Still, there are lessons to learn from this event. Although our CP/CPS stipulates customers’/resellers’ obligation to notify SSL.com of any business registration modification (which includes dissolution), we plan to introduce proactive measures, such as applying periodic reverification of all SubCA resellers' business registrations.

Finally, we view unwarranted statements, which are probably in violation of the Mozilla Community Participation Guidelines, or individual customer-to-company issues such as “refunds” as off-topic and will directly communicate with the reseller on such matters. We consider dev-security-policy group to be a public Forum to discuss ecosystem-wide security/policy issues and good practices. For example, we could discuss with other CAs to adopt the above-mentioned periodic reverification to further protect the ecosystem. 


Thank you,

Tom
SSL.com


P.S. I have used my Google email address for the m.d.s.p. since 2017. I continued to use it in this public group, after I took on the role of Compliance Manager at SSL.com, as a means to continue the legacy of the account and maintain records of the previous discussions.  Unless otherwise stated, all posts from this address should be considered official replies from SSL.com.

Xiaohui Lam

unread,
Jun 13, 2023, 12:59:47 PM6/13/23
to dev-secur...@mozilla.org, Thomas Zermeno, Levi, James Kasten, Xiaohui Lam, Amir Omidi (aaomidi), Kurt Seifried
Thomas Zermeno,


>   in full compliance with our CP/CPS and the CA/B Forum Baseline Requirements. We are also reaching out to individual subscribers affected by this upcoming revocation event to minimize the impact.

You mean to get in touch w/ our subscribers to purchase from SSL.com directly in the future? I don't think this is a behave friendly or good reputation of  a CA/Manufacturers to existing/former partners.

There is a proverb called "My customer's customer, isn't my customer".

We stand against poaching our clients, and I'm sure any reseller does too.

Thomas Zermeno

unread,
Jun 13, 2023, 1:52:14 PM6/13/23
to dev-secur...@mozilla.org, Xiaohui Lam
Bruce, We want to work with you on notifying the affected parties but we will proceed independently if we have to. We have no intention of "poaching"; we are trying to minimize the impact on those subscribers since the QUANTUM CA LIMITED entity no longer exists. If you want to assist SSL.com in contacting the affected subscribers, please contact us using the options in https://www.ssl.com/contact_us/ and we will route your request to the proper department. Regards,

Tom
SSL.com

Watson Ladd

unread,
Jun 14, 2023, 11:38:07 AM6/14/23
to Xiaohui Lam, dev-secur...@mozilla.org, Thomas Zermeno, mochaaP, Andrew Ayer, John Han (hanyuwei70)
On Sun, Jun 11, 2023 at 6:42 AM Xiaohui Lam <inao...@gmail.com> wrote:
>
> We agree with SSL.com canceling the 90-day certificate customers under Quantum subCA, but we object to the annual customer service payment.
> Should SSL.com refund some of the certificates because they were multi-year subscription certificates purchased?
>
> If not, why not cancel the product purchase entrance for more than 365 days on your website and interface?
>
> It's likely a fraud in business.

That's an interesting word to throw around for someone who has
committed what looks to all the world like a CFAA violation. I'm
struggling to understand why you would think this was acceptable
conduct to use an RCE in issuance, in short running code on sensitive
machines without user consent.

Furthermore the CA business is built on trust. SSL.com is doing the right thing.

Sincerely,
Watson Ladd
> --
> You received this message because you are subscribed to the Google Groups "dev-secur...@mozilla.org" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to dev-security-po...@mozilla.org.
> To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/f8c61c43-44df-45af-b809-6692cc13edb0n%40mozilla.org.



--
Astra mortemque praestare gradatim

John Liptak

unread,
Jun 14, 2023, 12:27:20 PM6/14/23
to dev-secur...@mozilla.org
I want to point out that 上海帝熙科技有限公司 (HiCA's entity in China) is operating illegally in China. This company does NOT have 电子认证服务许可证, 电子认证服务使用密码许可证, and 电子政务电子认证服务批文 issued by the State Cryptography Administration (国家密码管理局). Moreover, I could not find this company's ICP License (ICP证) on https://tsm.miit.gov.cn/, so they cannot do e-commerce in China. They only have ICP beian, which means their websites can NOT be used to earn profits.

Xiaohui Lam

unread,
Jun 14, 2023, 1:46:40 PM6/14/23
to dev-secur...@mozilla.org, Watson Ladd, dev-secur...@mozilla.org, Thomas Zermeno, mochaaP, Andrew Ayer, John Han (hanyuwei70), Xiaohui Lam
@Watson Ladd,

Again,

We agree ssl.com to cancel free certificates.
It means there aren't only free certificates we're providing.     But also paid certificates, if only annually(1 year) cert been cancelled it be fine we can take it, but there are many multiple year subscription purchased by our users(including some OV certs).
If you bought something with a period of many years, but delivered it on an annual basis, and the merchant ran away after one year, would you defend your consumer rights?
It should sounds fair to refund remaining subscriptions' fee if cancelled?   Especially we haven't to proof OV or EV is associated with HiCA because the CA's OV/OV won't become issued automatically after domain names been validated.     so HiCA didn't implement them ever.
We agree to revoke free certificates because our integrating on HiCA, certificates provided were only free.   No CA's paid product was integrated ever.

We mean we do not agree no additional proceeding for the subscriptions/(certificates to be issued) more than 1 year after revoked

personal word from me, Mr Ladd, It is recommended not to do serious injuries because that are not gentlemen.  Did you see someone disclose that the server was hacked after run `acme.sh --issue --server https://acme.hi.cn/directory` on the Internet, or did you get a completely offensive injection code?  We can accept a source code audit of the project w/ full git log and databases binlog if you're willing to bear the cost and we think it's fair because your keyboard swearing didn't pay for anything but electricity so you want to blame please prove it, if exists and we shall keep our ears open.

Xiaohui Lam

unread,
Jun 14, 2023, 1:58:03 PM6/14/23
to dev-secur...@mozilla.org, John Liptak
Mr John Liptak,


It's not against the regulations, it isn't against CA/B Forum BR or CA's CP & CPS at least.

First, the cryptography license license is mandatory only for CAs (organizations who operate PKI facilities);
Secondly, There are many sole proprietorship (self-employed people) are also selling SSL digital certificates and running their own websites, which is totally unable to enroll ICP Registration License.

And your post is completely weering off topic.

Xiaohui Lam

unread,
Jun 14, 2023, 2:04:03 PM6/14/23
to dev-secur...@mozilla.org, Thomas Zermeno, Xiaohui Lam
OK,

We'll provide a list of domains of certificate which we've already proceeded replaced certificate to sup...@ssl.com from my email br...@quantumca.limited soon.
Please do not try to contact the email address and contact number of clients on the list.

: -)

Sincere,
Bruce

Watson Ladd

unread,
Jun 14, 2023, 8:39:53 PM6/14/23
to Xiaohui Lam, dev-secur...@mozilla.org, Thomas Zermeno, mochaaP, Andrew Ayer, John Han (hanyuwei70)
On Wed, Jun 14, 2023 at 10:46 AM Xiaohui Lam <inao...@gmail.com> wrote:
>
> @Watson Ladd,
>
> Again,
>
> We agree ssl.com to cancel free certificates.
> It means there aren't only free certificates we're providing. But also paid certificates, if only annually(1 year) cert been cancelled it be fine we can take it, but there are many multiple year subscription purchased by our users(including some OV certs).
> If you bought something with a period of many years, but delivered it on an annual basis, and the merchant ran away after one year, would you defend your consumer rights?

If the merchant broke into my home to deliver it, I'd be calling the police.

Sincerely,
Watson Ladd

Amir Omidi

unread,
Jun 14, 2023, 9:16:23 PM6/14/23