Chinese root CA issues rogue/fake certificates

Matt Palmer mpalmer at
Thu Sep 8 06:09:43 UTC 2016

On Wed, Sep 07, 2016 at 04:15:47PM -0700, Eric Kuhnke wrote:
> Further update on all known suspicious activity from Wosign:
> Seriously, what level of malice and/or incompetence does one have to rise
> to in order to be removed from the Mozilla (and hopefully Microsoft and
> Chrome) trusted root CA store?  Is this not sufficient?

At this point, it's pretty clear that WoSign as an operational CA is going
to be no more, at least as far as Mozilla is concerned.  The number of
issues is immense, and nobody on m.d.s.p is arguing in favour of keeping the
root (except WoSign).  The other major trust stores are completely opaque as
to their process, but a root pulled from Mozilla is practically dead in the

The problem is that just pulling the root is extremely damaging -- to
Mozilla, and to the ecosystem.  If a root gets pulled, all the sites that
are currently using a WoSign-issued cert "stop working".  Since plenty of
people use WoSign certs (in China, as well as their "free" issuance
offering), a lot of sites go dead all at once.  Since users cannot stand to
not have their dancing kitten gifs, they'll barge through any barrier you
put in place, whether that be clicking past warnings or switching to another
browser.  Mozilla doesn't want to lose (more) market share, and training
people to click past security warnings is a really, really dumb move.

There are a number of things that could be done to reduce the mess of a
pulled root, but many of them involve the cooperation of the CA being
pulled, and it's highly unlikely that they'd be in a cooperative mood.

The relevant discussion at the moment is around how best to cause
WoSign to no longer be trusted, *without* causing collateral damage (or at
least minimising it).  Certificate Transparency can help, maybe, but
CT isn't a live query mechanism, and shipping a giant whitelist of all valid
WoSign certs is... large.

Honest Achmed had the right idea.

- Matt

Nit-pickers' corner: Chrome uses the OS trust store; Google doesn't run its
own trust store for Chrome, although it does maintain *something* for
Android.  Chrome has a cert blacklist, and its own EV treatment criteria,
but no trust store as such.

More information about the NANOG mailing list