On Wednesday, September 7, 2016 at 7:00:54 AM UTC-4, Gervase Markham wrote:
> Hi Richard,
>
> On 07/09/16 11:06, Richard Wang wrote:
> > This discuss has been lasting two weeks, I think it is time to end
> > it, it doesn’t worth to waste everybody’s precious time.
>
> Unfortunately, I think we may be only beginning.
>
> I have prepared a list of the issues we are tracking with WoSign's
> certificate issuance process and business:
>
> https://wiki.mozilla.org/CA:WoSign_Issues
>
> Please can you provide a response to issues F, P, S and T at your
> earliest convenience?
>
> In addition, if you have further things to say about issues D, H, J, L,
> N or V we would be happy to hear them.
>
> Thank you for your suggestions, but once Mozilla has a full
> understanding of what has gone on we will be in a better position to
> decide what next actions are appropriate.
>
> With best wishes,
>
> Gerv

Richard,

When you provide additional details about Issue P, can you specifically comment on why two of the certificates were issued for 4 years (48 months)? Section 6.3.2 of the BRs states "Subscriber Certificates issued after 1 April 2015 MUST have a Validity Period no greater than 39 months."

That section DID allow for an exception to that 39 month maximum if the CA documents that the certificate is being used in a case that satisfies a set of 5 requirements (too lengthy to provide here). If this was the case, this would have been allowable until 30 June 2016 and these certificates' validity period would not be a violation. Can you comment on if these certificates satisfied the exception? And if so, can you provide WoSign's documentation of this?

In my opinion, this is one of the more concerning violations because it may show that it is trivially easy for WoSign's issuance software to issue certificates that violate the BRs. (My understanding is that these certificates qualify as a Subscriber Certificate, the fact that the subject CN = wosign.net is irrelevant.)

Citation: https://wiki.mozilla.org/CA:WoSign_Issues#Issue_P:_Use_of_SM2_Algorithm_.28Nov_2015.29
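
The validity-period rule quoted in the message above can be expressed as a pre-issuance or audit check. The following is an added example, not part of the original post and not WoSign's or Mozilla's code. It assumes that notBefore stands in for the issuance date and that "months" means calendar months; the function names and sample dates are constructed for illustration.

```python
import calendar
from datetime import date

# Dates and the 39-month limit as quoted in the message above (BR section 6.3.2).
RULE_START = date(2015, 4, 1)      # rule covers certificates issued after this date
EXCEPTION_END = date(2016, 6, 30)  # documented exception allowable until this date
MAX_MONTHS = 39

def add_months(d, months):
    """Add calendar months, clamping the day to the target month's last day."""
    idx = d.month - 1 + months
    year, month = d.year + idx // 12, idx % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))

def check_validity(not_before, not_after):
    """Classify a subscriber certificate's validity period.

    Assumption: notBefore is treated as the issuance date.
    """
    if not_before <= RULE_START:
        return "out-of-scope"                # issued on or before 1 April 2015
    if not_after <= add_months(not_before, MAX_MONTHS):
        return "ok"                          # within the 39-month maximum
    if not_before <= EXCEPTION_END:
        return "needs-documented-exception"  # only allowable if the CA documented it
    return "violation"                       # over 39 months, exception window closed

# Constructed sample periods (not taken from any real certificate).
SAMPLES = {
    "48 months, issued Nov 2015": (date(2015, 11, 3), date(2019, 11, 3)),
    "39 months, issued Nov 2015": (date(2015, 11, 3), date(2019, 2, 3)),
    "48 months, issued Aug 2016": (date(2016, 8, 1), date(2020, 8, 1)),
    "48 months, issued Mar 2015": (date(2015, 3, 1), date(2019, 3, 1)),
}

def audit(samples):
    """Return {sample name: verdict} for a dict of (notBefore, notAfter) pairs."""
    return {name: check_validity(nb, na) for name, (nb, na) in samples.items()}

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES).items():
        print(f"{verdict:28} {name}")
```

A "needs-documented-exception" verdict is the case the message asks about: the period exceeds 39 months, so it is acceptable only if the CA can produce its documentation for the exception.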

