Mozilla, a free-software community, has listed a number of issues that China’s WoSign CA company is confirmed to have or suspicious of having. These 11 issues suggest WoSign CA’s poor management over its digital certificates.
In one incident, WoSign CA issued 392 certificates with duplicate serial numbers, across a handful of different serial numbers between April 9, 2015 and April 14, 2015. In another, WoSign issued two certificates that have subject public keys which are for the SM2 algorithm. SM2 is an elliptic-curve-based algorithm but it does not use the US NIST P-256, P-384, or P-521 curves. This violates the CA/Browser Forum Baseline Requirements, whose section 6.1.5 requires that only these three curves be used for elliptic curve keys in certificatess covered by the BRs.
To these two and a number of other issues listed, WoSign CA has provided its response in a statement written in English.
“We understand that remediation action was taken by WoSign to revoke those certificates in a timely manner. Incident investigation with root cause analysis was conducted and relevant result was documented in relevant incident report. Follow up action was also conducted to prevent the recurrence of the incident.” responded WoSign CA to the issue of duplicating serial numbers.
Meanwhile, Richard Wang. CEO and CTO of WoSign personally responded in another occasion regarding the use of SM2 algorithm, “This is another case that we will include it in our report. We issued two test cert using SM2 algorithm that used the same serial number as the RSA cert (same subject) to test if we can setup a gateway that install this two type cert, it can shake hand automatically using different cert based on the browser algorithm support.”
But perhaps most concerning to the media is WoSign CA’s secrete acquisition of StartCom, a CA business based in Eilat, Israel. WoSign purchased StartCom CA and did not disclose the transaction as a change of ownership, which may violate section 5 of the Mozilla CA Certificate Maintenance Policy.
In cryptography, a CA stands for “certificate authority” or “certification authority”. It is an entity that issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows different parties to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. In this model of trust relationships, a CA is a trusted third party—trusted both by the subject of the certificate and by the party relying upon the certificate.
Worldwide, the CA business is fragmented, with national or regional providers dominating their home market. This is because many uses of digital certificates, such as for legally binding digital signatures, are linked to local law, regulations, and accreditation schemes for certificate authorities.