Apple weighed in on the ongoing WoSign fiasco over the weekend, saying it would soon distrust certificates issued by the Chinese Certificate Authority’s Free SSL Certificate G2 intermediate CA on macOS.
Apple’s decision comes several days after Mozilla accused the CA of backdating SHA-1 certificates, giving them notBefore dates in 2015 so they appeared to predate the Jan. 1, 2016 cutoff after which browsers refuse to trust newly issued SHA-1 certs. Mozilla’s CA team said last week that in the wake of the discovery, and several other wrongdoings, it was considering blocking WoSign and its subsidiary StartCom for one year.
In light of Apple’s decision to outright block a specific WoSign intermediate certificate, it’s possible Mozilla, which wasn’t exactly concrete in its stance last week, could come down harder on the CA after a scheduled face-to-face meeting with the company this week.
It’s unclear whether the remaining major root certificate stores, Microsoft and Google, will take as swift an action as Apple.
In an advisory from Apple, published late Friday, the company said it would block trust for the intermediate CA in an upcoming security update.
Apple said in the advisory that WoSign experienced “multiple control failures” in its certificate issuance processes for its Free SSL Certificate G2 intermediate CA.
While Apple points out that no WoSign root is in its list of trusted roots, the intermediate is cross-signed by StartCom and Comodo, whose roots are trusted, so certificates issued from it chain to a trusted root on macOS. Apple said it would give current WoSign certificate holders a chance to transition to trusted roots, as long as their certs were published to Certificate Transparency log servers by Sept. 19.
“To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.”
Apple said it would continue its investigation and take further action on WoSign/StartCom trust anchors, if necessary.
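To make Apple’s rule concrete, here is an added example, not code from the article or from Apple, that checks a certificate the way a WoSign customer might have wanted to before the cutoff: it parses the embedded SignedCertificateTimestampList (RFC 6962 section 3.3, carried in X.509 extension 1.3.6.1.4.1.11129.2.4.2 as an OCTET STRING) and asks whether the earliest SCT falls on or before 2016-09-19. Assumptions: the affected intermediate’s name appears in the leaf’s issuer as “WoSign CA Free SSL Certificate G2”, “by 2016-09-19” means any time on that UTC day, and the sample SCT bytes are constructed here rather than taken from a real WoSign certificate.

```python
"""Added example: apply Apple's stated WoSign rule to a certificate's embedded SCTs.

Parses an RFC 6962 SignedCertificateTimestampList from the DER extnValue of
extension 1.3.6.1.4.1.11129.2.4.2 and compares the earliest SCT timestamp with
the 2016-09-19 cutoff. Sample data below is constructed, not from a real cert.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# Assumption: "by 2016-09-19" covers the whole UTC day named in Apple's advisory.
APPLE_CUTOFF = datetime(2016, 9, 19, 23, 59, 59, 999000, tzinfo=timezone.utc)
# Assumption: issuer CN of leaf certs from the affected intermediate.
WOSIGN_G2_ISSUER_CN = "WoSign CA Free SSL Certificate G2"


def unwrap_der_octet_string(der: bytes) -> bytes:
    """Strip one definite-length DER OCTET STRING header (tag 0x04)."""
    if len(der) < 2 or der[0] != 0x04:
        raise ValueError("not a DER OCTET STRING")
    first = der[1]
    if first < 0x80:
        length, pos = first, 2
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or len(der) < 2 + nbytes:
            raise ValueError("bad DER length encoding")
        length, pos = int.from_bytes(der[2:2 + nbytes], "big"), 2 + nbytes
    if pos + length != len(der):
        raise ValueError("DER length does not match data")
    return der[pos:]


def parse_sct_list(data: bytes) -> List[Dict]:
    """Parse a SignedCertificateTimestampList (RFC 6962 s3.3).

    Layout: uint16 total length, then per SCT a uint16 length and a v1 SCT:
    version(1) log_id(32) timestamp_ms(8) extensions<uint16-prefixed>
    hash_alg(1) sig_alg(1) signature<uint16-prefixed>. Signatures are not verified.
    """
    if len(data) < 2:
        raise ValueError("SCT list too short")
    (total,) = struct.unpack_from("!H", data, 0)
    if total != len(data) - 2:
        raise ValueError("SCT list length mismatch")
    pos, scts = 2, []
    while pos < len(data):
        (n,) = struct.unpack_from("!H", data, pos)
        pos += 2
        sct = data[pos:pos + n]
        if len(sct) != n or n < 1 + 32 + 8 + 2 + 4:
            raise ValueError("truncated SCT")
        pos += n
        if sct[0] != 0:
            raise ValueError("unsupported SCT version %d" % sct[0])
        (ts_ms,) = struct.unpack_from("!Q", sct, 33)
        (ext_len,) = struct.unpack_from("!H", sct, 41)
        sig_pos = 43 + ext_len
        if sig_pos + 4 > len(sct):
            raise ValueError("SCT extensions overrun")
        (sig_len,) = struct.unpack_from("!H", sct, sig_pos + 2)
        if sig_pos + 4 + sig_len != len(sct):
            raise ValueError("SCT signature length mismatch")
        scts.append({"log_id": sct[1:33].hex(),
                     "timestamp": EPOCH + timedelta(milliseconds=ts_ms)})
    return scts


def apple_trust_decision(issuer_cn: str, sct_ext_value: Optional[bytes]) -> Tuple[bool, str]:
    """Return (trusted, reason) under the rule described in Apple's advisory."""
    if issuer_cn != WOSIGN_G2_ISSUER_CN:
        return True, "not issued from the affected intermediate"
    if not sct_ext_value:
        return False, "no embedded SCTs; cannot show logging before the cutoff"
    earliest = min(s["timestamp"] for s in parse_sct_list(unwrap_der_octet_string(sct_ext_value)))
    if earliest <= APPLE_CUTOFF:
        return True, "earliest SCT %s is on or before the cutoff" % earliest.isoformat()
    return False, "earliest SCT %s is after the cutoff" % earliest.isoformat()


# --- constructed sample data (placeholder signatures, made-up log IDs) ---
def build_sct(log_id: bytes, when: datetime) -> bytes:
    ts_ms = (when - EPOCH) // timedelta(milliseconds=1)
    sig = bytes(8)  # placeholder, never verified above
    return (b"\x00" + log_id + struct.pack("!Q", ts_ms) + struct.pack("!H", 0)
            + b"\x04\x03" + struct.pack("!H", len(sig)) + sig)  # sha256 / ecdsa


def build_sct_list(scts: List[bytes]) -> bytes:
    body = b"".join(struct.pack("!H", len(s)) + s for s in scts)
    return struct.pack("!H", len(body)) + body


def der_octet_string(body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([0x04, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x04, 0x80 | len(lb)]) + lb + body


LOG_A, LOG_B = bytes(range(32)), bytes([0xAB]) * 32
SAMPLE_IN_TIME = der_octet_string(build_sct_list([
    build_sct(LOG_A, datetime(2016, 9, 1, 12, 0, tzinfo=timezone.utc)),
    build_sct(LOG_B, datetime(2016, 9, 19, 23, 0, tzinfo=timezone.utc))]))
SAMPLE_TOO_LATE = der_octet_string(build_sct_list([
    build_sct(LOG_A, datetime(2016, 10, 3, 8, 30, tzinfo=timezone.utc))]))

if __name__ == "__main__":
    for label, ext in (("logged in time", SAMPLE_IN_TIME), ("logged late", SAMPLE_TOO_LATE), ("no SCTs", None)):
        print(label, apple_trust_decision(WOSIGN_G2_ISSUER_CN, ext))
```

Embedded SCTs are only one proof of logging: anyone can submit an already-issued certificate to a public log, so a certificate without embedded SCTs could still have been logged before the cutoff and picked up by Apple from the logs themselves. The check above therefore says “yes” reliably but “no” only provisionally.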
Mozilla denounced the Chinese CA in a report it published last Monday. In addition to backdating certs, Mozilla said WoSign also appears to have mis-issued certs, allowed arbitrary domain names to be included in certs without validating them, and failed to report its acquisition of StartCom last month.
WoSign last week, amidst the controversy, at least temporarily closed the free SSL certificate service in question, which had been issuing functional DV SSL certs from its “WoSign CA Free SSL Certificate G2” intermediate.
Gervase Markham, a software engineer at Mozilla, wrote last week in a post to Mozilla’s dev-security-policy mailing list that officials from both StartCom and Qihoo 360, a Chinese security firm that holds a controlling interest in WoSign, will meet with Mozilla in London on Tuesday to decide what to do about the situation.
While Markham said Monday that Mozilla’s proposal to WoSign last week was just that, a proposal, he also noted that he believes the company has a lot of work to do in order to get on steady footing again.
“I currently believe that WoSign would need to make significant technical changes (and perhaps other sorts of changes) in order to pass a full security audit from a code auditor,” Markham wrote early Monday morning. “If the time period before the possibility of re-enablement was too short, there might be a temptation to rush this process, which would be in nobody’s interest.”