undefined | Better HN

0 pointspfg9y ago0 comments

A common approach is to get SHA-1 certificates signed by roots that have been pulled from various root programs, but are still (likely) present on outdated devices that do not support SHA-2 (like XP <= SP2). I think CloudFlare is using one of Comodo's removed roots[1] for this purpose.

Once a root certificate has been pulled from a root program, they stop being in scope for the root program policies and the Baseline Requirements (at least that's the common interpretation), which would prohibit SHA-1 issuance from those roots. There's been some discussion about changing this.

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1208461

0 pointspfg9y ago0 comments

[1]: https://bugzilla.mozilla.org/show_bug.cgi?id=1208461

0 comments

4 comments · 1 top-level

0x09y ago· 3 in thread

So the allegation that "western" sites somehow do similar shady deals falls flat on its face, because the Wosign situation is all about the actions of a trusted CA. There is no comparison between trusted CAs and other random/untrusted/removed CAs.

pfgOP9y ago

I'm sure plenty of "western" sites have attempted to get similar deals (FWIW, Tyro, one of the companies that got SHA-1 certificates from WoSign, is based in Australia), but I'm not aware of any other CA incidents like this one. Other CAs seem to either use pulled roots or go through the proper exception process for SHA-1 issuance in the CA/B Forum. No one else has been caught backdating SHA-1 certificates to my knowledge. (For now?)

(Symantec accidentally signed a SHA-1 certificate from a publicly-trusted root while preparing their SHA-1 issuance exception application, but that's not quite as bad, I guess.)

kuschku9y ago

I did not claim they were doing anything shady, just that they got those certs through out-of-the-ordinary deals.

It would be a lot more justifiable (and far better for everyone involved) if, for example, the SHA1 certs through Comodo’s pulled root were available to everyone.

0x09y ago

That's at best off topic. We're discussing the actions and trustworthyness of a currently trusted root CA here.

1 more reply

j / k navigate · click thread line to collapse