See below inline, thanks.

Best Regards,


-----Original Message-----
From: dev-security-policy 
[] On 
Behalf Of Ryan Sleevi
Sent: Friday, August 26, 2016 3:10 AM
Subject: Re: Incidents involving the CA WoSign

On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.

Is there any reason not to do that proactively?

R: OK, we will post all 2015 issued SSL certificates to CT log server, but this 
take time since we issued 115K SSL certificate in 2015. 
Now we are posting the (1) using higher level port validated orders related to 
incident 0, total 72 certificates. To be clear, those certificates are 
validated by website control validation method that using other port except 80 
and 443; (2) Mis-issued certificate with un-validated subdomain related to 
incident 1, total 33 certificates. I will list all URL to this mail 
Some certificates are revoked after getting report from subscriber, but some 
still valid, if any subscriber think it must be revoked and replaced new one, 
please contact us in the system, thanks.   

> For BR auditor, I think this issue is too technical that fewer auditor can 
> find out this problem.

The audit letter included an attestation from Management that, during the time 
of the audit, management believed that the CA complied with the Baseline 

Management was aware of non-compliance, by virtue of revocation and system and 
procedural changes to align with compliance.

Thus, do you believe it was faithful and accurate for Management to warrant 
that the CA was operated in compliance with the BRs, given that Management was 
aware of incidents of non-compliance?

R:  This is my fault that I think it is not serious enough to state in the 
assertion letter, now I know and every related employee know how to do this in 
the future.

dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to