So Apple, in light of the incidents with WoSign, has made a giant whitelist of all of the WoSign and StartCom certificates in the certificate transparency logs as of the 19th of September. That list of certificates will be trusted, but neither any not in the CT logs nor the root certificates from StartCom will be trusted. A more extreme response than Mozilla’s.
Apple’s statement only talks about WoSign certificates; they haven’t announced anything about StartCom (yet). As for comparisons between Mozilla’s response and Apple’s response, it’s hard, because the two are in different situations since Apple apparently never explicitly included WoSign’s root CA certificates. Apple is clearly distrusting WoSign somewhat more right now, since they’ve basically said ‘we don’t trust your issued dates here’, but they haven’t said outright that they’d block a future WoSign intermediate root certificate that was cross-signed by StartCom (although they probably would).
Mozilla’s actions are more extreme in that Mozilla is explicitly distrusting future StartCom certificates as well, and slightly less extreme in that (currently) they are trusting certificate issue dates for WoSign and StartCom certificates instead of taking a snapshot of the CT logs and only trusting that. Note that Mozilla’s one year timeout is a minimum; trusting future WoSign and StartCom certificates after that year is contingent on WoSign passing a bunch of relatively stringent checks. In one view, Apple has kept their options open by not saying anything about what they might do in the future while Mozilla has somewhat tied their hands.
Mozilla haven’t committed to their proposed plan yet. They’re meeting with reps from Qihoo 360 (which owns WoSign) in a few days, before a final decision is made.
In light of these findings, we are taking action to protect users in an upcoming security update. Apple products will no longer trust the WoSign CA Free SSL Certificate G2 intermediate CA.
Do the StartCom certs chain up to this intermediate? If so this would be a big sanction from Apple. If not, and it’s just whacking a Chinese intermediate, meh.
I believe they do, but I don’t have an Apple device on hand to check. Either that or it’s vice versa and that certificate is the one cross-signed by StartCom.
My understanding, based on what Apple wrote here (and what I’ve read elsewhere), is that StartCom certs do not chain up to this intermediate; they chain directly to StartCom’s own intermediate and CA certificates, as you’d expect for a company that was independent until WoSign bought them out. WoSign’s own root CA certificates were apparently never in Apple’s CA list, so this cross-signing was the only way WoSign had to get their certificates trusted by Apple products.
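The two policies the thread compares (Apple: distrust the cross-signed WoSign intermediate but whitelist leaves already in the CT logs at the snapshot date; Mozilla: keep trusting WoSign/StartCom leaves whose notBefore is before a cutoff) and the chain-building question in the last few posts can be made concrete with a small model. The following is an added example, not code from the thread or from either browser vendor: the certificate names, dates and CT flags are constructed, the chain is a toy issuer-link graph rather than parsed X.509, and the Mozilla cutoff date is a placeholder, since the thread does not give one. The point it shows is why Apple’s CT snapshot matters: a certificate whose notBefore claims a pre-cutoff date but which never appeared in a log passes the date-based policy and fails the snapshot-based one.

```python
from datetime import date

# Constructed sample PKI (names, dates and flags are made up for illustration,
# not real WoSign/StartCom certificates). Each entry records the issuer, the
# claimed notBefore date, and whether the certificate was present in a CT log
# on the snapshot date. "wosign-g2-int" is the cross-signed intermediate the
# thread talks about; "other-root" is an unaffected CA for comparison.
CERTS = {
    "startcom-root":  {"issuer": None,            "not_before": date(2006, 9, 17),  "ct_logged_by_snapshot": False},
    "other-root":     {"issuer": None,            "not_before": date(2000, 1, 1),   "ct_logged_by_snapshot": False},
    "startcom-int":   {"issuer": "startcom-root", "not_before": date(2015, 1, 1),   "ct_logged_by_snapshot": True},
    "wosign-g2-int":  {"issuer": "startcom-root", "not_before": date(2014, 6, 1),   "ct_logged_by_snapshot": True},
    "site-a":         {"issuer": "wosign-g2-int", "not_before": date(2016, 8, 1),   "ct_logged_by_snapshot": True},
    "site-b":         {"issuer": "wosign-g2-int", "not_before": date(2016, 11, 1),  "ct_logged_by_snapshot": False},
    "site-c":         {"issuer": "startcom-int",  "not_before": date(2016, 9, 1),   "ct_logged_by_snapshot": True},
    "site-d":         {"issuer": "startcom-int",  "not_before": date(2016, 12, 1),  "ct_logged_by_snapshot": False},
    # Claims a notBefore well before any cutoff, but was never logged: the date
    # cannot be corroborated, which is exactly the case the CT snapshot catches.
    "site-backdated": {"issuer": "wosign-g2-int", "not_before": date(2016, 6, 1),   "ct_logged_by_snapshot": False},
    "site-e":         {"issuer": "other-root",    "not_before": date(2016, 10, 5),  "ct_logged_by_snapshot": False},
}

CT_SNAPSHOT = date(2016, 9, 19)            # snapshot date stated in the thread
MOZILLA_CUTOFF = date(2016, 10, 1)         # placeholder cutoff; the thread gives no date

APPLE_DISTRUSTED_INTERMEDIATES = {"wosign-g2-int"}
MOZILLA_DISTRUSTED_CAS = {"startcom-root", "startcom-int", "wosign-g2-int"}


def build_chain(leaf, certs=CERTS):
    """Follow issuer links from the leaf up to a self-signed root (issuer None).
    Returns the names leaf-first; raises on a missing issuer or a loop."""
    chain, seen, name = [], set(), leaf
    while name is not None:
        if name in seen or name not in certs:
            raise ValueError(f"broken chain at {name!r}")
        seen.add(name)
        chain.append(name)
        name = certs[name]["issuer"]
    return chain


def ct_whitelist(certs=CERTS):
    """Apple-style whitelist: every certificate that was in a CT log on the snapshot date."""
    return {name for name, c in certs.items() if c["ct_logged_by_snapshot"]}


def apple_trusts(leaf, certs=CERTS):
    """Apple's approach as described in the thread: a chain through the distrusted
    cross-signed intermediate is accepted only if the leaf is on the CT whitelist.
    Chains that avoid that intermediate (StartCom's own, unrelated CAs) are untouched."""
    chain = build_chain(leaf, certs)
    if any(n in APPLE_DISTRUSTED_INTERMEDIATES for n in chain[1:]):
        return leaf in ct_whitelist(certs)
    return True


def mozilla_trusts(leaf, certs=CERTS, cutoff=MOZILLA_CUTOFF):
    """Mozilla's proposal as described in the thread: leaves under WoSign or StartCom
    are trusted only if their claimed notBefore is on or before the cutoff; no CT
    snapshot is consulted, so the issuer's date is taken at face value."""
    chain = build_chain(leaf, certs)
    if any(n in MOZILLA_DISTRUSTED_CAS for n in chain[1:]):
        return certs[leaf]["not_before"] <= cutoff
    return True


def compare_policies(certs=CERTS):
    """Evaluate every leaf (a cert nobody issues from) under both policies."""
    issuers = {c["issuer"] for c in certs.values()}
    leaves = sorted(n for n in certs if n not in issuers)
    return {leaf: {"apple": apple_trusts(leaf, certs),
                   "mozilla": mozilla_trusts(leaf, certs)} for leaf in leaves}


if __name__ == "__main__":
    for leaf, verdict in compare_policies().items():
        print(f"{leaf:15s} chain={' -> '.join(build_chain(leaf))}")
        print(f"{'':15s} apple={verdict['apple']}  mozilla={verdict['mozilla']}")
```

The two rows worth reading are `site-d` and `site-backdated`. A post-cutoff StartCom certificate is still accepted by the Apple model (the thread notes Apple has said nothing about StartCom) but not by the Mozilla model; a WoSign-chained certificate with a plausible-looking old notBefore but no CT record is accepted by the date-based model and rejected by the snapshot model, which is the concrete meaning of “we don’t trust your issued dates here”.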