Thanks for your friendly reminder. We can post all 2015 issued SSL certificate to CT log server if necessary.
For BR auditor, I think this issue is too technical that fewer auditor can find out this problem. We will add the quality control system to PKI system before issuing the certificate, and will check the crt.sh or use the CABF lint and X590 Lint to check the certificate before and after the certificate is issued to prevent such case, if such case happen, we will notify all browsers instantly. Best Regards, Richard -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Thursday, August 25, 2016 2:48 PM To: firstname.lastname@example.org Subject: Re: Incidents involving the CA WoSign On Thu, Aug 25, 2016 at 04:03:04AM +0000, Richard Wang wrote: > For transparency, WoSign announced full transparency for all SSL > certificate from July 5th that post all issued SSL certificate to > Google log server, browsers can distrust WoSign issued SSL certificate > after that day if no SCT embedded data in the certificate. That would be slightly more reassuring if there wasn't a history of certs being issued with seemingly misleading notBefore values... Separately, do you have any thoughts on the reports that WoSign's BR auditor did not note any of the misissuances? Also, what changes, exactly, has WoSign implemented to its policies and procedures to ensure that all trust programs in which WoSign is a participant are notified of future incidents, in line with each program's requirements? - Matt -- "The user-friendly computer is a red herring. The user-friendliness of a book just makes it easier to turn pages. There's nothing user-friendly about learning to read." -- Alan Kay _______________________________________________ dev-security-policy mailing list email@example.com https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy