So if I understand correctly, you've published all certificates issued
in 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is
As noted in
, this thread has turned up https://crt.sh/?id=29884704 which was
misissued and had a notBefore of June 23, 2016.
In addition to that, there was discussion about backdated SHA1 certs (
, https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 ) that were
issued in 2016 but backdated to 2015.
When explicitly asked if you were publishing all the certs with a
notBefore after 20150101000000Z in
you responded with:
On 02/09/2016 16:11, Richard Wang wrote:
> Yes, we posted all 2015 issued SSL from WoSign trusted root.
It has already been established that you issued certificates in 2016
that were backdated to 2015, and so we have no reason to even assume
that when you say "all 2015 issued SSL [certs]", this will include
any other such hypothetical backdated certs. It has also been
established that certs were misissued in 2016 outside of the July 5th
and later period. So it seems that it would be in your own interest to
be as transparent as possible for the 2016 certs as well, and to simply
log any and every cert with a notBefore after 20150101000000Z.
Why have you not done so?
On 04/09/2016 09:05, Richard Wang wrote:
This certificate is issued at July 1st 2016, that our promised SCT data is July
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Can you also please check the following two certificates? It looks like they
were missed when logging all the 2015 certs.
Additionally, it looks like there may be a gap in logging for 2016.
does not show up in any log.
On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <rich...@wosign.com> wrote:
We will check this tomorrow.
Now our time is 23:32 at night.
On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:
On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
Yes, we posted all 2015 issued SSL from WoSign trusted root.
On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
Based on CT logs, I have seen certificates from the CAs below, all
of which have "WoSign" in the name. Have you logged all
certificates which are signed by these CAs and have a notBefore
date of 20150101000000Z or later to the WoSign CT log?
It seems then there is a newly exposed bug.
1edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA
that has a notBefore in March 2015. It does not appear in the CT
log. However another certificate with identical serial number and
subject, but different Validity, does appear in the log.
Are you aware of a bug where you were issuing certificates identical
except for validity period?
dev-security-policy mailing list