On 07/09/16 17:02, Gervase Markham wrote:
> On 07/09/16 13:52, Rob Stradling wrote:
>> Hi Thijs.  I agree that this pattern is interesting (and it'd be nice to
>> see an explanation), but I'm not convinced that it proves everything you
>> think it proves.
> 
> Hi Rob,
> 
> My digest of Thijs's work (and that of others investigating the same
> issues) is here:
> https://wiki.mozilla.org/CA:WoSign_Issues#Issue_S:_Backdated_SHA-1_Certs_.28January_2016.29
> 
> Is every conclusion I draw justified from the data?

Hi Gerv.  I'd like to discuss this particular conclusion:

  "...up to ID 109149...But after that follow 64 certificates which are
   all dated on December 20, 2015 (CST, UTC+8). This suggests that
   these were logged at the actual time of issuance but that time is
   not reflected in their notBefore date - i.e. they were backdated."

ID 109153 (https://crt.sh/?id=30629275) is the first such certificate,
not 109150.  Also, these 64 certificates were not logged consecutively.
I've just posted details of the relevant range of log entries here:
https://gist.github.com/robstradling/129729531779dab448ca88049c49307c

These log entries were only created 5 or 6 days ago, and the majority
don't have corresponding precertificates.
Consider https://crt.sh/?id=30629293, for example.  Are you really
suggesting that this was issued on 2nd September 2016 but backdated to
20th December 2015?

The entry timestamps up to ID 109221 are all very close together
(several entries per second).  We know that WoSign were at that time
submitting all of the certs they issued in 2015, so this is not surprising.

I think it's unreasonable to assume that WoSign attempted to log the
certs they issued in 2015 in the order in which they were issued.

I look forward to reading WoSign's response to Issue S.

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
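As an added illustration (not code from this thread, from crt.sh or from any CT log operator), here is a small Python check of the kind Rob's objection calls for before reading backdating out of CT log data: it compares each entry's log timestamp with its notBefore, and tests whether a set of entries is actually consecutive in the log and in certificate-ID order. All entry values, indices and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class LogEntry:
    cert_id: int          # issuer-side certificate ID (serial-derived, as in the thread)
    log_index: int        # entry index in the CT log
    logged_at: datetime   # CT log entry timestamp
    not_before: datetime  # certificate notBefore
    has_precert: bool     # whether a matching precertificate entry exists


def classify(e: LogEntry, window: timedelta = timedelta(days=2)) -> Tuple[str, int]:
    """Say whether the log timestamp can corroborate notBefore.
    Returns (category, whole days from notBefore to log time)."""
    gap = e.logged_at - e.not_before
    if gap < -window:
        return ("logged-before-notBefore", gap.days)
    if gap <= window:
        return ("consistent", gap.days)
    # Logged long after notBefore: a bulk submission, so the log time says
    # nothing about when the certificate was actually issued.
    return ("logged-long-after", gap.days)


def assess(entries: List[LogEntry]) -> Dict[int, Tuple[str, int]]:
    return {e.cert_id: classify(e) for e in entries}


def consecutive_in_log(entries: List[LogEntry]) -> bool:
    """True only if the entries occupy adjacent log indices."""
    idx = sorted(e.log_index for e in entries)
    return all(b - a == 1 for a, b in zip(idx, idx[1:]))


def log_order_matches_id_order(entries: List[LogEntry]) -> bool:
    """True if walking the log in index order also walks cert IDs ascending."""
    ids = [e.cert_id for e in sorted(entries, key=lambda e: e.log_index)]
    return ids == sorted(ids)


def precert_coverage(entries: List[LogEntry]) -> float:
    """Fraction of entries that have a corresponding precertificate."""
    return sum(e.has_precert for e in entries) / len(entries)


# Constructed sample: notBefore in Dec 2015, logged in early Sep 2016 within
# seconds of each other, with a gap in log indices and one entry out of ID order.
DEC20 = datetime(2015, 12, 20, 8, 0, tzinfo=timezone.utc)
SEP2 = datetime(2016, 9, 2, 10, 0, tzinfo=timezone.utc)
SAMPLE = [
    LogEntry(109153, 500_000, SEP2, DEC20, False),
    LogEntry(109160, 500_001, SEP2 + timedelta(seconds=1), DEC20, False),
    LogEntry(109155, 500_003, SEP2 + timedelta(seconds=2), DEC20, True),
]
```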
