This certificate is issued at July 1st 2016, that our promised SCT data is July 
5th, 2016.

Best Regards,


-----Original Message-----
From: Peter Bowen [] 
Sent: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <>
Cc: Ryan Sleevi <>;
Subject: Re: Incidents involving the CA WoSign


Can you also please check the following two certificates?  It looks like they 
were missed when logging all the 2015 certs.

Additionally, it looks like there may be a gap in logging for 2016.
For example,
does not show up in any log.


On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <> wrote:
> We will check this tomorrow.
> Now our time is 23:32 at night.
> Regards,
> Richard
>> On 2 Sep 2016, at 23:20, Peter Bowen <> wrote:
>>> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <> wrote:
>>> Yes, we posted all 2015 issued SSL from WoSign trusted root.
>>>> On 2 Sep 2016, at 22:55, Peter Bowen <> wrote:
>>>> Based on CT logs, I have seen certificates from the CAs below, all 
>>>> of which have "WoSign" in the name.  Have you logged all 
>>>> certificates which are signed by these CAs and have a notBefore 
>>>> date of 20150101000000Z or later to the WoSign CT log?
>> Richard,
>> It seems then there is a newly exposed bug.
>> 1edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA 
>> that has a notBefore in March 2015.  It does not appear in the CT 
>> log.  However another certificate with identical serial number and 
>> subject, but different Validity, does appear in the log.
>> Are you aware of a bug where you were issuing certificates identical 
>> except for validity period?
>> Thanks,
>> Peter
dev-security-policy mailing list

Reply via email to