Apple has worsened WoSign's already deplorable situation by announcing that it will soon withdraw trust from the CA's free intermediate SSL certificates in macOS. Apple's decision was made public a few days after Mozilla accused the Chinese CA of issuing a backdated SHA-1 certificate in order to circumvent trust-list restrictions. Having discovered this, along with other, smaller transgressions by WoSign, Mozilla's experts began considering withdrawing trust from the CA and its affiliate StartCom for one year.
As for Google and Microsoft, it is not clear whether their reaction will be as swift as Apple's. Apple promised in its announcement that the block would ship with the next security update, explaining that WoSign suffers from “multiple control failures” in the processes associated with issuing free SSL certificates from its G2 intermediate CA. Apple also noted that, although no WoSign root is on its list of trusted root CAs, the intermediate CA was trusted on Apple products through cross-signed certificates from StartCom and Comodo.
“To avoid disruption to existing WoSign certificate holders and to allow them to switch to a trusted root CA, Apple products will trust the existing individual certificates issued by this CA and its intermediates that were published to public Certificate Transparency log servers before September 19, 2016,” Apple promised. “They will continue to be trusted until they expire, are revoked, or are untrusted at Apple's discretion.”
The company plans to continue its investigation and is ready to toughen sanctions against WoSign/StartCom if required.
Mozilla, for its part, published the results of its investigation of the Chinese CA as a separate document. According to the vendor, WoSign not only backdated certificates but also, apparently, mis-issued them, allowing arbitrary domain names to be included in a certificate without proper validation. In addition, the Chinese company failed to disclose, as required, its recent acquisition of StartCom.
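The two mechanisms in this story, Apple's Certificate Transparency whitelist and the backdated SHA-1 issuance that Mozilla found, can be made concrete as a small trust-decision routine. The following Python is an added example written for this article, not code from Apple, Mozilla or WoSign. It models only the certificate fields the policy needs; the issuer organisation names, the sample certificates and the 30-day backdating window are constructed for illustration (a real trust store pins the exact intermediate certificates rather than matching names). The September 19, 2016 cutoff is from the article; the January 1, 2016 SHA-1 issuance ban is the CA/Browser Forum Baseline Requirements deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Policy dates: Apple's CT cutoff (from the article) and the CA/Browser Forum
# Baseline Requirements deadline after which SHA-1 issuance was prohibited.
APPLE_CT_CUTOFF = datetime(2016, 9, 19, tzinfo=timezone.utc)
SHA1_ISSUANCE_BAN = datetime(2016, 1, 1, tzinfo=timezone.utc)

# Issuer organisations being distrusted. Name matching is a simplification of
# what a trust store does (it pins the actual intermediate certificates).
DISTRUSTED_ISSUER_ORGS = {"WoSign", "StartCom"}

# Constructed heuristic, not a browser rule: a certificate that first appears in
# a CT log long after its own notBefore deserves a second look.
BACKDATING_WINDOW = timedelta(days=30)


@dataclass
class CertInfo:
    """The handful of certificate fields the policy needs (constructed model)."""
    issuer_org: str
    signature_hash: str                 # "sha1", "sha256", ...
    not_before: datetime                # asserted by the issuer, so it can be backdated
    not_after: datetime
    sct_timestamp: Optional[datetime]   # earliest CT log timestamp, None if never logged


def suspected_backdating(cert: CertInfo) -> bool:
    """True when a CT log first saw the certificate well after its claimed issuance.

    notBefore is whatever the CA wrote into the certificate; the CT timestamp is
    signed by an independent log, so a large gap between them is the signal an
    auditor keys on rather than the notBefore date itself.
    """
    if cert.sct_timestamp is None:
        return False
    return cert.sct_timestamp - cert.not_before > BACKDATING_WINDOW


def evaluate(cert: CertInfo, now: datetime) -> Tuple[bool, str]:
    """Decide whether a leaf certificate is trusted; returns (trusted, reason)."""
    if not (cert.not_before <= now <= cert.not_after):
        return False, "outside validity period"
    # SHA-1 signatures are refused on anything claiming issuance after the ban.
    if cert.signature_hash.lower() == "sha1" and cert.not_before >= SHA1_ISSUANCE_BAN:
        return False, "SHA-1 signature on a certificate dated after 2016-01-01"
    if cert.issuer_org in DISTRUSTED_ISSUER_ORGS:
        # Whitelist carve-out: only certificates that reached a CT log before the
        # cutoff stay trusted, and only until they expire or are revoked.
        if cert.sct_timestamp is not None and cert.sct_timestamp < APPLE_CT_CUTOFF:
            return True, "distrusted issuer, but CT-logged before cutoff"
        return False, "issued by a distrusted CA and not CT-logged before cutoff"
    return True, "chains to a trusted issuer"


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Evaluation time and constructed sample certificates (not real certificates).
NOW = _utc(2016, 10, 1)
SAMPLE_CERTS: Dict[str, CertInfo] = {
    "wosign_logged_before_cutoff": CertInfo("WoSign", "sha256", _utc(2016, 6, 1), _utc(2017, 6, 1), _utc(2016, 6, 1)),
    "wosign_logged_after_cutoff": CertInfo("WoSign", "sha256", _utc(2016, 9, 25), _utc(2017, 9, 25), _utc(2016, 9, 25)),
    "sha1_dated_after_ban": CertInfo("WoSign", "sha1", _utc(2016, 2, 1), _utc(2017, 2, 1), _utc(2016, 2, 1)),
    # Claims a December 2015 notBefore but only surfaced in a CT log in March 2016.
    "sha1_backdated": CertInfo("WoSign", "sha1", _utc(2015, 12, 20), _utc(2016, 12, 20), _utc(2016, 3, 1)),
    "other_ca": CertInfo("Example CA", "sha256", _utc(2016, 5, 1), _utc(2017, 5, 1), None),
}


if __name__ == "__main__":
    for name, cert in SAMPLE_CERTS.items():
        trusted, reason = evaluate(cert, NOW)
        flag = " [suspected backdating]" if suspected_backdating(cert) else ""
        print(f"{name:30} trusted={trusted!s:5} {reason}{flag}")
```

Note what the sample run shows: the backdated SHA-1 certificate passes the whitelist rule, because its claimed notBefore predates the ban and it was logged before the cutoff, yet `suspected_backdating` flags it. That is the point of Mozilla's finding: a policy keyed only on issuer-asserted dates is defeated by a CA willing to write a false date, so the CT log timestamp is the evidence worth checking.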
WoSign has already shut down the free certificate service that became the bone of contention, although last week it offered the temporary use of fully functional DV SSL certificates issued from a WoSign root CA.