Blocking Trust for WoSign CA Free SSL Certificate G2
Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.

In light of these findings, we took action to protect users in a security update. Apple products no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.

To avoid disruption to existing WoSign certificate holders and to allow their transition to trusted roots, Apple products trust individual existing certificates that were issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19. They will continue to be trusted until they expire, are revoked, or are untrusted at Apple’s discretion.

As the investigation progresses, we will take further action on WoSign/StartCom trust anchors in Apple products as needed to protect users.
Further steps for WoSign
After further investigation, we have concluded that in addition to multiple control failures in the operation of the WoSign certificate authority (CA), WoSign did not disclose the acquisition of StartCom.

We are taking further actions to protect users in an upcoming security update. Apple products will block certificates from WoSign and StartCom root CAs if the "Not Before" date is on or after 1 Dec 2016 00:00:00 GMT/UTC.