Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Remove old WoSign root certs from NSS
744 views
Skip to first unread message
Kathleen Wilson
Jul 10, 2017, 3:47:31 PM7/10/17
to mozilla-dev-s...@lists.mozilla.org
I also think we should remove the old WoSign root certs from NSS.
Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
~~
Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots:
CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
This restriction has been implemented in both in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.), and in addition, in the NSS library code, which is used by applications that use the NSS certificate verification APIs.
~~
Please let me know if you foresee any problems with removing these root certs from NSS.
Thanks,
Kathleen
Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
~~
Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots:
CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
This restriction has been implemented in both in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.), and in addition, in the NSS library code, which is used by applications that use the NSS certificate verification APIs.
~~
Please let me know if you foresee any problems with removing these root certs from NSS.
Thanks,
Kathleen
Kathleen Wilson
Aug 3, 2017, 6:55:34 PM8/3/17
to mozilla-dev-s...@lists.mozilla.org
Kathleen
Message has been deleted
Kathleen Wilson
Aug 25, 2017, 7:42:29 PM8/25/17
to mozilla-dev-s...@lists.mozilla.org
On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> I suggest that Mozilla can post an announcement now about the complete removal of WoSign/StartCom to alert website developers. I suspect that a moderate amount of Chinese websites are still using WoSign certs chained to the old roots. Google posted about this complete removal here https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
>
> And since WoSign has the most presence in China, I suggest Mozilla can instruct Mozilla China to post such announcement in Chinese as well.
Here's a DRAFT for such an announcement, that I could post to Mozilla's Security Blog [1].
~~ DRAFT ~~
Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58
In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop validating new certificates chaining to the below list of root certificates owned by the companies WoSign and StartCom.
The announcement also indicated our intent to eventually completely remove these root certificates from Mozilla’s Root Store[3], so that we would no longer validate certificates issued even before that date by those roots. That time has now arrived. We plan to release the relevant changes[4] to Network Security Services (NSS)[5] in November, and then the changes will be picked up in Firefox 58[6], due for release in January 2018. Sites using certificates chaining up to any of the following root certificates need to migrate to another root certificate.
This announcement applies to the root certificates with the following names:
CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
Mozilla Security Team
~~
As always, I will appreciate your constructive feedback.
Thanks,
Kathleen
[1] https://blog.mozilla.org/security/
[2] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[3] https://wiki.mozilla.org/CA
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
[5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
[6] https://wiki.mozilla.org/RapidRelease/Calendar
> I suggest that Mozilla can post an announcement now about the complete removal of WoSign/StartCom to alert website developers. I suspect that a moderate amount of Chinese websites are still using WoSign certs chained to the old roots. Google posted about this complete removal here https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
>
> And since WoSign has the most presence in China, I suggest Mozilla can instruct Mozilla China to post such announcement in Chinese as well.
Here's a DRAFT for such an announcement, that I could post to Mozilla's Security Blog [1].
~~ DRAFT ~~
Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58
In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop validating new certificates chaining to the below list of root certificates owned by the companies WoSign and StartCom.
The announcement also indicated our intent to eventually completely remove these root certificates from Mozilla’s Root Store[3], so that we would no longer validate certificates issued even before that date by those roots. That time has now arrived. We plan to release the relevant changes[4] to Network Security Services (NSS)[5] in November, and then the changes will be picked up in Firefox 58[6], due for release in January 2018. Sites using certificates chaining up to any of the following root certificates need to migrate to another root certificate.
This announcement applies to the root certificates with the following names:
CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
Mozilla Security Team
~~
As always, I will appreciate your constructive feedback.
Thanks,
Kathleen
[1] https://blog.mozilla.org/security/
[2] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[3] https://wiki.mozilla.org/CA
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
[5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
[6] https://wiki.mozilla.org/RapidRelease/Calendar
Message has been deleted
Richard Wang
Aug 28, 2017, 1:59:48 AM8/28/17
to mozilla-dev-s...@lists.mozilla.org
We released replacement notice in Chinese in our website:
https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
And we have sent broadcast email to our customer, but some customers still don't replace its certificate due to many kind of reasons that this must be cooperated by customers.
Best Regards,
Richard
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Percy via dev-security-policy
Sent: Monday, August 28, 2017 11:34 AM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS
Such an announcement will be great. And Chinese translation posted on Mozilla China will be greatly appreciated too.
A Chinese announcement is rather appreciated because some very large companies, for example, OFO which received $450M in funding and currently valued at 1B [1] is still using WoSign certs [2]; Fapiao, which deals with receipts for Starbucks in China, was using the old WoSign cert[3] until two weeks ago. It only changed the cert after customer complaints for months. Those are by far not isolated cases.
[1]https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2]https://common.ofo.so/
[3]https://crt.sh/?q=fapiao.com
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
And we have sent broadcast email to our customer, but some customers still don't replace its certificate due to many kind of reasons that this must be cooperated by customers.
Best Regards,
Richard
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Percy via dev-security-policy
Sent: Monday, August 28, 2017 11:34 AM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS
A Chinese announcement is rather appreciated because some very large companies, for example, OFO which received $450M in funding and currently valued at 1B [1] is still using WoSign certs [2]; Fapiao, which deals with receipts for Starbucks in China, was using the old WoSign cert[3] until two weeks ago. It only changed the cert after customer complaints for months. Those are by far not isolated cases.
[1]https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2]https://common.ofo.so/
[3]https://crt.sh/?q=fapiao.com
_______________________________________________
dev-security-policy mailing list
dev-secur...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Message has been deleted
Richard Wang
Aug 29, 2017, 10:01:53 PM8/29/17
to mozilla-dev-s...@lists.mozilla.org
Please stop to misleading the audience, the first news has link that refer to second news.
We have provided best service for our customer more than 10 years that we are continue as always, to provide high quality pre-sale and after-sales service for our customers.
Best Regards,
Richard
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Percy via dev-security-policy
Sent: Wednesday, August 30, 2017 3:54 AM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS
We have provided best service for our customer more than 10 years that we are continue as always, to provide high quality pre-sale and after-sales service for our customers.
Best Regards,
Richard
-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Percy via dev-security-policy
Sent: Wednesday, August 30, 2017 3:54 AM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS
On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote:
> We released replacement notice in Chinese in our website:
> https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
> https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
> https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
>
> And we have sent broadcast email to our customer, but some customers still don't replace its certificate due to many kind of reasons that this must be cooperated by customers.
>
>
> Best Regards,
>
> Richard
I have to point out that of all the above 3 post, only one, namely https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm mentions anything about replacing the certs.
> We released replacement notice in Chinese in our website:
> https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
> https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
> https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
>
> And we have sent broadcast email to our customer, but some customers still don't replace its certificate due to many kind of reasons that this must be cooperated by customers.
>
>
> Best Regards,
>
> Richard
Message has been deleted
Message has been deleted
Message has been deleted
Kathleen Wilson
Aug 30, 2017, 2:15:04 PM8/30/17
to mozilla-dev-s...@lists.mozilla.org
Posted:
https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
I will look into getting this translated and published in China.
Thanks,
Kathleen
https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
I will look into getting this translated and published in China.
Thanks,
Kathleen
Message has been deleted
Gervase Markham
Sep 1, 2017, 6:27:02 AM9/1/17
to Kathleen Wilson
On 30/08/17 18:50, Kathleen Wilson wrote:
> https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
>
> I will look into getting this translated and published in China.
Here are the links to the post in Chinese, kindly supplied by our
> https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
>
> I will look into getting this translated and published in China.
colleagues:
http://mozilla.com.cn/thread-389981-1-1.html
http://www.toutiao.com/i6460694823383876110/
http://weibo.com/1663337394/FjOcBkk6e?type=repost#_rnd1504260080825
https://mp.weixin.qq.com/s?__biz=MTc0MDM5MjUwMQ==&mid=2651082547&idx=1&sn=ca6759cd7a0a035028579e7705b59e6f&chksm=547350696304d97fad4eaab40cf1d933f794525e358afc6ae40bcc1c47ff6e3007c407e0ccf0#rd
Gerv
0 new messages