Certificate Application Professional Evaluation Forum


Mainland China's WoSign is to be disqualified by Google

Posted on 2016-11-8 16:28:40

Because WoSign violated the relevant operating rules for certificate operators, Google has now decided to revoke its eligibility to have its certificates embedded in the browser! What follows is a repost of Google's document!

Distrusting WoSign and StartCom Certificates

Certificate Authorities (CAs) play a key role in web security by issuing digital certificates to website operators. These certificates are trusted by browsers to authenticate secure connections to websites. CAs who issue certificates outside the policies required by browsers and industry bodies can put the security and privacy of every web user at risk.

Google has determined that two CAs, WoSign and StartCom, have not maintained the high standards expected of CAs and will no longer be trusted by Google Chrome, in accordance with our Root Certificate Policy. This view is similar to the recent announcements by the root certificate programs of both Apple and Mozilla. The rest of this post provides background to that decision and how we plan to minimize disruption while still protecting users.

Background

On August 17, 2016, Google was notified by GitHub's security team that WoSign had issued a certificate for one of GitHub's domains without their authorization. This prompted an investigation, conducted in public as a collaboration with Mozilla and the security community, which found a number of other cases of WoSign misissuance.

The investigation concluded that WoSign knowingly and intentionally misissued certificates in order to circumvent browser restrictions and CA requirements. Further, it determined that StartCom, another CA, had been purchased by WoSign, and had replaced infrastructure, staff, policies, and issuance systems with WoSign's. When presented with this evidence, WoSign and StartCom management actively attempted to mislead the browser community about the acquisition and the relationship of these two companies. For both CAs, we have concluded there is a pattern of issues and incidents that indicate an approach to security that is not in concordance with the responsibilities of a publicly trusted CA.

Action

Beginning with Chrome 56, certificates issued by WoSign and StartCom after October 21, 2016 00:00:00 UTC will not be trusted. Certificates issued before this date may continue to be trusted, for a time, if they comply with the Certificate Transparency in Chrome policy or are issued to a limited set of domains known to be customers of WoSign and StartCom.

Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance. As a result of these changes, customers of WoSign and StartCom may find their certificates no longer work in Chrome 56.

In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of these CAs. This staged approach is solely to ensure sites have the opportunity to transition to other Certificate Authorities that are still trusted in Google Chrome, thus minimizing disruption to users of these sites. Sites that find themselves on this whitelist will be able to request early removal once they’ve transitioned to new certificates. Any attempt by WoSign or StartCom to circumvent these controls will result in immediate and complete removal of trust.

We remain committed to ensuring the safety and privacy of Google Chrome users. We appreciate the impact to users visiting sites with affected certificates and to the operators who run these sites, but the nature of these incidents, and the need to protect our users, prevent us from being able to take less disruptive steps.
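
The staged rule from the Action section, written as an added audit helper for site operators (it is not part of the original post and not Google's code). It takes certificate dictionaries in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the issuer organization strings, the exception domain, the `ct_compliant` flag and the sample certificates are assumptions constructed for illustration.

```python
import ssl
from datetime import datetime, timezone

# Cutoff stated in the announcement: October 21, 2016 00:00:00 UTC.
CUTOFF = datetime(2016, 10, 21, tzinfo=timezone.utc).timestamp()

# Assumption: issuer organizationName values used here to spot the two CAs.
# How Chrome itself identifies them is not described on this page.
AFFECTED_ORGS = {"WoSign CA Limited", "StartCom Ltd."}

# Hypothetical stand-in for the "limited set of domains" exception list.
EXCEPTION_DOMAINS = {"customer.example"}


def issuer_org(cert):
    """Return organizationName from a getpeercert()-style issuer tuple."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def chrome56_verdict(cert, hostname, ct_compliant):
    """Apply the announced Chrome 56 rule to one leaf certificate."""
    if issuer_org(cert) not in AFFECTED_ORGS:
        return "unaffected"
    # notBefore is the issuance time asserted by the CA inside the certificate.
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    # Interpretation: "after" is strict, so a certificate dated exactly at the
    # cutoff still falls under the pre-existing-certificate exceptions.
    if issued > CUTOFF:
        return "distrusted"
    if ct_compliant or hostname in EXCEPTION_DOMAINS:
        return "trusted-for-now"
    return "distrusted"


def make_cert(org, not_before):
    """Build a constructed sample in getpeercert() layout."""
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}


if __name__ == "__main__":
    samples = [  # constructed examples, not real certificates
        ("new.example", make_cert("WoSign CA Limited", "Oct 21 00:00:01 2016 GMT"), True),
        ("customer.example", make_cert("StartCom Ltd.", "Mar 01 00:00:00 2016 GMT"), False),
        ("other.example", make_cert("StartCom Ltd.", "Mar 01 00:00:00 2016 GMT"), False),
    ]
    for host, cert, ct in samples:
        print(host, chrome56_verdict(cert, host, ct))
```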
