We will check this tomorrow.
Now our time is 23:32 at night.

Regards,

Richard

> On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:
> 
>> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
>> Yes, we posted all 2015 issued SSL from WoSign trusted root.
>> 
>>> On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
>>> Based on CT logs, I have seen certificates from the CAs below, all of
>>> which have "WoSign" in the name.  Have you logged all certificates
>>> which are signed by these CAs and have a notBefore date of
>>> 20150101000000Z or later to the WoSign CT log?
> 
> Richard,
> 
> It seems then there is a newly exposed bug.
> https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad
> shows a certificate issued by your CA that has a notBefore in March
> 2015.  It does not appear in the CT log.  However another certificate
> with identical serial number and subject, but different Validity, does
> appear in the log.
> 
> Are you aware of a bug where you were issuing certificates identical
> except for validity period?
> 
> Thanks,
> Peter

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to