We revoked this certificate, and we know this certificate is for test only.

For transparency, WoSign announced full transparency for all SSL certificates 
from July 5th: all issued SSL certificates are posted to the Google log server, 
and browsers can distrust WoSign-issued SSL certificates after that day if there 
is no embedded SCT data in the certificate.

And WoSign even plans to post code signing certificates and client 
certificates to the log server for full transparency for all certificates.

See this news if you missed it: 

And we plan to set up a free alert service for worldwide users, so that if any SSL 
certificate for a domain you care about is issued by any CA, you can get an 
alert email; this will benefit the ecosystem.

Best Regards,


-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On 
Behalf Of s...@gmx.ch
Sent: Thursday, August 25, 2016 8:18 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

Of course, adding the affected certs to OneCRL should be done immediately.

WoSign also has to be transparent about all (mis)issued certs in the past and 
has to provide this info in the future.
If they can't, I think we may consider if the current certs that are valid for 
3 years should be restricted to a shorter period.


> For the thread's reference, here's the crt.sh link for the misissued 
> GitHub certificate:
> https://crt.sh/?id=29647048
> Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or 
> Microsoft's disallowedcert.stl.
> On Wed, Aug 24, 2016 at 9:08 AM, Gervase Markham <g...@mozilla.org> wrote:
>> Taking into account all these incidents and the actions of this CA, 
>> Mozilla is considering what action to take. Your input is welcomed.

dev-security-policy mailing list
