Thanks for your friendly reminder.

We can post all 2015 issued SSL certificate to CT log server if necessary.

For BR auditor, I think this issue is too technical that fewer auditor can find 
out this problem.

We will add the quality control system to PKI system before issuing the 
certificate, and will check the or use the CABF lint and X590 Lint to 
check the certificate before and after the certificate is issued to prevent 
such case, if such case happen, we will notify all browsers instantly. 

Best Regards,


-----Original Message-----
From: dev-security-policy 
[] On 
Behalf Of Matt Palmer
Sent: Thursday, August 25, 2016 2:48 PM
Subject: Re: Incidents involving the CA WoSign

On Thu, Aug 25, 2016 at 04:03:04AM +0000, Richard Wang wrote:
> For transparency, WoSign announced full transparency for all SSL 
> certificate from July 5th that post all issued SSL certificate to 
> Google log server, browsers can distrust WoSign issued SSL certificate 
> after that day if no SCT embedded data in the certificate.

That would be slightly more reassuring if there wasn't a history of certs being 
issued with seemingly misleading notBefore values...

Separately, do you have any thoughts on the reports that WoSign's BR auditor 
did not note any of the misissuances?  Also, what changes, exactly, has WoSign 
implemented to its policies and procedures to ensure that all trust programs in 
which WoSign is a participant are notified of future incidents, in line with 
each program's requirements?

- Matt

"The user-friendly computer is a red herring. The user-friendliness of a book 
just makes it easier to turn pages. There's nothing user-friendly about 
learning to read."
                -- Alan Kay

dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to