If we separate the 2015 incidents from 2016, and separate the reported incidents from the un-reported ones, then it is all clear:

In 2015, reported:
Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates
Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers

In 2015, un-reported:
Incident -1: April 4, 2015 - WoSign is informed it is routinely violating its CPS for issued certificates.
Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates
Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates

In 2016, un-reported:
Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate

We gave Google the detailed information instantly after receiving your email, and we also replied to the Mozilla email instantly that all details are reported in Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=1293366

I said "Yes, we are improved"; you can see from the timeline that from June 2015 to July 2016, a period of over one year, we did not have any incident. This means we fixed the system bugs in time and do more validation and checking; we blocked many illegal orders for famous domains.

Best Regards,

Richard

-----Original Message-----
From: Ryan Sleevi [mailto:[email protected]]
Sent: Friday, September 2, 2016 12:01 AM
To: Richard Wang <[email protected]>
Cc: [email protected]
Subject: Re: Incidents involving the CA WoSign

On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
> Thanks for your so detailed instruction.
> Yes, we are improved. The two cases happened in 2015 and the
> mis-issued certificate period is only 5 months, and we fixed 3 big
> bugs during the 5 months.
> For CT, we will improve the posting system.

I had a little trouble parsing this, but let's make sure we're on the same page. I've continued Gerv's original numbering:

Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 certificates ( https://cert.webtrust.org/SealFile?seal=2019&file=pdf )
Incident -1: April 4, 2015 - WoSign is informed it's routinely violating its CPS for issued certificates ( https://www.wosign.com/policy/wosign-policy-1-2-10.pdf )
Incident X: April 9 - April 14, 2015 - 392 duplicate serial numbers
Incident 0: April 23, 2015 - 72 potentially dangerous port-validated certificates
Incident 1: June, 2015 - 33 unvalidated base-domain from sub-domain certificates
Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this the only one? I wasn't clear from https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ )

Just making sure we're in agreement about the facts and timelines surrounding these, so that it's easier than debating 2 or 3 or 5 or more.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

