WoSign(沃通) StartCom Cnnic CA

如标题,这些都是国内的CA 机构,都是被审出有问题的。都是不能用的。PKI 的基础是各方对于CA的绝对信任,如果CA不讲诚信、不按规矩办事,基础就没了,安全自然无从谈起了。能力是一方面,管理是另一方面,但关键是态度,总不能靠行骗一直混下去吧??


SSL Labs Distrusts WoSign and StartCom certificates

Posted by Ivan Ristic in SSL Labs on April 5, 2017 3:35 AM

In the second half of 2016, a series of events unfolded that culminated with something many didn’t think was possible (or at least thought very unlikely): a public CA was distrusted. The CA in question was WoSign, a Chinese CA who made some waves by offering free certificates back in the day, before Let’s Encrypt came onto the scene. To make the case even more remarkable, another CA—StartCom—was distrusted at the same time. These were CAs with substantial installed user bases, largely because both had offered free certificates.

To fully understand what happened requires a lot of digging for background information. Luckily, the blog posts from Mozilla and Google not only give their reasons, but provide helpful links where you can obtain further information if you desire. Apple also joined in the ban; Microsoft did not yet make any announcements.

In short, the root cause for the bans was the fact that the browser vendors have lost trust in WoSign’s “technical and management capabilities”. In addition, WoSign has been accused of dishonesty(不诚实) and continued and persistent deception(一直在欺骗). To a large extent, StartCom didn’t feature in the story as a significant role, but their fate was sealed because they had been acquired by WoSign and later became part of the same management and technical hierarchy. They now seem to effectively be two brands within the same organisation.

The decisions to ban WoSign and StartCom were made largely in October 2016, but the actual trust changes started to take place in January 2017. Browser vendors generally attempted to keep all existing certificates alive, which is potentially challenges given that one of the accusations leveled at WoSign was certificate backdating. (In absence of a widespread deployment of a public log mechanism for certificates, for example Certificate Transparency, there is no way to verify a certificates’ not-before and not-after dates.) However, this is not something that can be done reliably, which is why many web sites with WoSign’s and StartCom’s certificates started to experience disruption. Furthermore, all vendors are committed to taking whatever actions in the future they feel necessary, including completely revoking trust in the doomed CAs. Mozilla said that they could do that as early as April 2017.

In the nutshell, if you have a WoSign and StartCom certificate in production today, there is no guarantee that it will work for your users. In the future, it will get only worse, and it will not get better until you replace your certificate and use another CA. To that end, SSL Labs will actively distrust WoSign and StartCom certificates in the near future. Within the next couple of days our development and production systems will start showing a warning when WoSign or StartCom certificates are encountered. From 8 May 2017 such certificates will be graded with a T (no trust). Web sites that continue to use them will receive a T grade. We hope that we can raise further awareness with this action and help site operations transition as smoothly as possible.

你可能感兴趣的:(WoSign(沃通) StartCom Cnnic CA)