Richard,

Can you also please check the following two certificates?  It looks
like they were missed when logging all the 2015 certs.

https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2
https://www.censys.io/certificates/d99309f071141454f805c13551a827aa116bb53daefd8609e296c06b0dcdf720

Additionally, it looks like there may be a gap in logging for 2016.
For example, 
https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f
does not show up in any log.

Thanks,
Peter

On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <rich...@wosign.com> wrote:
> We will check this tomorrow.
> Now our time is 23:32 at night.
>
>
> Regards,
>
> Richard
>
>> On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:
>>
>>> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
>>> Yes, we posted all 2015 issued SSL from WoSign trusted root.
>>>
>>>> On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
>>>> Based on CT logs, I have seen certificates from the CAs below, all of
>>>> which have "WoSign" in the name.  Have you logged all certificates
>>>> which are signed by these CAs and have a notBefore date of
>>>> 20150101000000Z or later to the WoSign CT log?
>>
>> Richard,
>>
>> It seems then there is a newly exposed bug.
>> https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad
>> shows a certificate issued by your CA that has a notBefore in March
>> 2015.  It does not appear in the CT log.  However another certificate
>> with identical serial number and subject, but different Validity, does
>> appear in the log.
>>
>> Are you aware of a bug where you were issuing certificates identical
>> except for validity period?
>>
>> Thanks,
>> Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to