We classified this 33 misissuance certificate into two types: one type is we think this misissuance certificate is obviously not from the domain owner, we revoked this type certificates instantly after we know the misissuance

---- Your statement is contradicted by the fact that the other two mis-issued GitHub certs are not revoked 14 months after the original breach and you being aware of such breach.

we will post all issued SSL certificate in 2015 to CT log server soon.

----- Multiple users from the original thread have identified mis-issued certificates in the CT log (aggregated here: http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html). I don't see how posting to the CT log helps, because WoSign didn't even deal with mis-issued certs even after posting such certs to CT logs. Besides, WoSign has issued back-dated certs, due to a bug or not. Hence at least CT should be required for ALL WoSign issued certs.

Third, due to the English language limit, we know we can't understand all related international standard that it may have some bugs in the system in the past and maybe in the future

------ This is absurd. Are you saying THE largest CA in China, WoSign, cannot afford to hire a few developers fluent in English to help understand the international standards and in turn inform their peers? I understand that WoSign has to affirm they understand and will comply with the BR to be included in the program. Are you saying that WoSign didn't even understand the BR to begin with due to the BR being written in English?