So if I understand correctly, you've published all certificates issued in 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that correct?

As noted in , this thread has turned up which was misissued and had a notBefore of June 23, 2016.

In addition to that, there was discussion about backdated SHA1 certs ( , ) that were issued in 2016 but backdated to 2015.

When explicitly asked if you were publishing all the certs with a notBefore after 20150101000000Z in you responded with:

On 02/09/2016 16:11, Richard Wang wrote:
> Yes, we posted all 2015 issued SSL from WoSign trusted root.

It has already been established that you issued certificates in 2016 that were backdated to 2015, and so we have no reason to even assume that when you say "all 2015 issued SSL [certs]", that this will include any other such hypothetical backdated certs. It has also been established that certs were misissued in 2016 outside of the July 5th and later period. So it seems that it would be in your own interest to be as transparent as possible for the 2016 certs as well, and to simply log any and every cert with a notBefore after 20150101000000Z.

Why have you not done so?

~ Gijs

On 04/09/2016 09:05, Richard Wang wrote:

This certificate was issued on July 1st, 2016; our promised SCT date is July 5th, 2016.

Best Regards,


-----Original Message-----
From: Peter Bowen []
Sent: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <>
Cc: Ryan Sleevi <>;
Subject: Re: Incidents involving the CA WoSign


Can you also please check the following two certificates?  It looks like they 
were missed when logging all the 2015 certs.

Additionally, it looks like there may be a gap in logging for 2016.
For example,
does not show up in any log.


On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <> wrote:
We will check this tomorrow.
Now our time is 23:32 at night.



On 2 Sep 2016, at 23:20, Peter Bowen <> wrote:

On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <> wrote:
Yes, we posted all 2015 issued SSL from WoSign trusted root.

On 2 Sep 2016, at 22:55, Peter Bowen <> wrote:
Based on CT logs, I have seen certificates from the CAs below, all
of which have "WoSign" in the name.  Have you logged all
certificates which are signed by these CAs and have a notBefore
date of 20150101000000Z or later to the WoSign CT log?


It seems then there is a newly exposed bug.
1edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA
that has a notBefore in March 2015.  It does not appear in the CT
log.  However another certificate with identical serial number and
subject, but different Validity, does appear in the log.

Are you aware of a bug where you were issuing certificates identical
except for validity period?


dev-security-policy mailing list
