While Mozilla's democracy decides what to do about WoSign, Apple's dictatorship has issued its edict: the Chinese certificate authority WoSign will be thrown out of Cupertino's trust list.
As we reported last week, after a lengthy investigation, Mozilla engineers accused WoSign of:
- Backdating certificates so it could still let customers present certs using insecure SHA-1 crypto,
- Concealing its ownership of Israeli certificate authority (CA) StartCom, and
- Letting StartCom issue backdated SHA-1 certs.
In twinned iOS and macOS announcements, Cupertino explains: “Although no WoSign root is in the list of Apple trusted roots, this intermediate CA used cross-signed certificate relationships with StartCom and Comodo to establish trust on Apple products.”
“Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA,” the advisories continue.
The decision will be implemented in the next round of security updates.
Existing certs published to transparency logs before September 19 will be trusted for now, and Apple says its investigation is continuing and will result in further action “as needed.” ®