On 07/09/16 17:02, Gervase Markham wrote:
> On 07/09/16 13:52, Rob Stradling wrote:
>> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to
>> see an explanation), but I'm not convinced that it proves everything you
>> think it proves.
>
> Hi Rob,
>
> My digest of Thijs's work (and that of others investigating the same
> issues) is here:
> https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29
>
> Is every conclusion I draw justified from the data?

Hi Gerv. I'd like to discuss this particular conclusion:

"...up to ID 109149...But after that follow 64 certificates which are all dated on December 20, 2015 (CST, UTC+8). This suggests that these were logged at the actual time of issuance but that time is not reflected in their notBefore date - i.e. they were backdated."

ID 109153 (https://crt.sh/?id=30629275) is the first such certificate, not 109150. Also, these 64 certificates were not logged consecutively. I've just posted details of the relevant range of log entries here:
https://gist.github.com/robstradling/129729531779dab448ca88049c49307c

These log entries were only created 5 or 6 days ago, and the majority don't have corresponding precertificates. Consider https://crt.sh/?id=30629293, for example. Are you really suggesting that this was issued on 2nd September 2016 but backdated to 20th December 2015?

The entry timestamps up to ID 109221 are all very close together (several entries per second). We know that WoSign were at that time submitting all of the certs they issued in 2015, so this is not surprising. I think it's unreasonable to assume that WoSign attempted to log the certs they issued in 2015 in the order in which they were issued.

I look forward to reading WoSign's response to Issue S.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
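The distinction Rob draws (a log timestamp only says something about issuance time if the entry was logged close to its notBefore, not when it was bulk-submitted months later) can be checked mechanically. This is an added example, not code from the thread or from crt.sh; the entries, ids, times and precert flags are constructed, and the seven-day window is an assumed threshold.

```python
from datetime import datetime, timedelta, timezone

# Constructed CT log entries (not real crt.sh data): entry index, the time
# the log accepted the entry, the certificate's notBefore, and whether the
# entry is a precertificate. The seven-day window below is an assumption.
CST = timezone(timedelta(hours=8))
SAMPLE_ENTRIES = [
    {"id": 1001, "logged": datetime(2015, 12, 20, 9, 0, 5, tzinfo=CST),
     "not_before": datetime(2015, 12, 20, 8, 59, 0, tzinfo=CST), "precert": True},
    {"id": 1002, "logged": datetime(2016, 9, 2, 11, 30, 0, tzinfo=timezone.utc),
     "not_before": datetime(2015, 12, 20, 0, 0, 0, tzinfo=CST), "precert": False},
    {"id": 1005, "logged": datetime(2016, 9, 2, 11, 30, 1, tzinfo=timezone.utc),
     "not_before": datetime(2015, 12, 20, 0, 0, 0, tzinfo=CST), "precert": False},
]

def assess(entry, window=timedelta(days=7)):
    """Say what the log timestamp can and cannot tell us about issuance time."""
    gap = entry["logged"] - entry["not_before"]
    if gap < timedelta(0):
        # Accepted by the log before its own notBefore: issued with a future
        # notBefore, or clocks disagree; worth a closer look either way.
        return "logged-before-notBefore"
    if gap <= window:
        # Logged close to notBefore: consistent with logging at issuance time.
        return "logged-near-issuance"
    # Submitted long after notBefore (bulk or late logging): the log timestamp
    # carries no information about when the cert was issued, so it cannot by
    # itself support a backdating claim.
    return "logged-later-no-inference"

def summarize(entries, window=timedelta(days=7)):
    """Count verdicts and how many late-logged entries have no precert."""
    counts = {}
    for e in entries:
        v = assess(e, window)
        counts[v] = counts.get(v, 0) + 1
    late_no_precert = sum(1 for e in entries
                          if assess(e, window) == "logged-later-no-inference"
                          and not e["precert"])
    return counts, late_no_precert

def ids_consecutive(entries):
    """True if the entry indices form an unbroken run once sorted."""
    ids = sorted(e["id"] for e in entries)
    return all(b - a == 1 for a, b in zip(ids, ids[1:]))
```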