This case is in the BR report:


Best Regards,


-----Original Message-----
From: Peter Bowen [] 
Sent: Wednesday, August 31, 2016 10:45 AM
To: Gervase Markham <>
Cc:; Richard Wang 
Subject: Re: Incidents involving the CA WoSign

On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <> wrote:
> Dear m.d.s.policy,
> Several incidents have come to our attention involving the CA "WoSign".
> Mozilla is considering what action it should take in response to these 
> incidents. This email sets out our understanding of the situation.
> Before we begin, we note that Section 1 of the Mozilla CA Certificate 
> Enforcement Policy[0] says: "When a serious security concern is 
> noticed, such as a major root compromise, it should be treated as a 
> security-sensitive bug, and the Mozilla Policy for Handling Security 
> Bugs should be followed." It is clear to us, and appears to be clear 
> to other CAs based on their actions, that misissuances where domain 
> control checks have failed fall into the category of "serious security 
> concern".

I have run into another bug that appears to be fixed in WoSign's infrastructure 
but is worth noting.

In April 2015, two different WoSign CAs issued multiple certificates to 
distinct subjects using the same serial number.  The CT logs have picked up two 
instances of this occuring: shows eight distinct 
certificates with the same serial number, all with notBefore dates of 
2015-04-14. shows dozens of 
distinct certificates with the same serial number, with notBefore dates between 
2015-04-10 and 2015-04-14.

I have not examined their management assertions to see if this was documented 
and I do not know if this was reported to Mozilla at the time.  These 
certificates do not appear to meet RFC 5280's requirements, which say:

   "The serial number MUST be a positive integer assigned by the CA to
   each certificate.  It MUST be unique for each certificate issued by a
   given CA (i.e., the issuer name and serial number identify a unique

Was Mozilla advised of this issue?

dev-security-policy mailing list

Reply via email to