Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40 

Best Regards,


-----Original Message-----
From: dev-security-policy 
[] On 
Behalf Of Richard Wang
Sent: Thursday, September 22, 2016 1:50 PM
To: Peter Bowen <>
Cc:; Gervase Markham 
Subject: RE: Incidents involving the CA WoSign

For security, the notBefore time is not the exact time of signing, random from 
20 minutes to 40 minutes ahead.

For 6 long delta time, we said it is a CT Post System bug; For 2016-07-30 
between 05:20 and 07:40 (CST), it is caused by the Internet connection problem 
from China to Google CT log server that need to resign after the internet 
connection is ok.
For normal case, it is OK, good.


Best Regards,


-----Original Message-----
From: Peter Bowen []
Sent: Thursday, September 22, 2016 12:32 PM
To: Richard Wang <>
Cc: Gervase Markham <>;
Subject: Re: Incidents involving the CA WoSign

On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang <> wrote:
>> Are you saying out of over 40,000 orders over the last year, only six 
>> "stopped to move forward" for a period of a week or more and these happen to 
>> all have been ordered on Sunday, December 20, 2015 (China time)?
> You mean we issued 40,000 certificates at Dec 20, 2015?

No, there slightly over 40418 certificates issued by CAs under the WoSign roots 
which have embedded Signed Certificate Timestamps.  They were issued over the 
course of approximately one year; the earliest notBefore date is 
2015-08-20T09:40:48Z and my CT data set was up to date as of 2015-09-05.

Of these 40418 certificates, 40394 had a delta between notBefore and the 
earliest SCT is less than 3 hours. Eighteen certificates have a delta between 5 
hours and 51 hours; all 18 of these have a notBefore on 2016-07-30 between 
05:20 and 07:40 (CST). The remaining 6 certificates have a delta of between 
262.3 hours (10.9 days) and 693.7 hours (28.9 days).  All six of these have a 
notBefore on 2015-12-20 (CST).

For with it is worth, the largest difference between the earliest embedded 
timestamp and the latest is less than 15 minutes in all certificates.

> We issued SHA-1 certificate at every day, Dec 20 is not a special day, why 
> you care about this day is Computest get the SHA-1 certificate used this date 
> that we still don't know how he get this, so we closed this API completely, 
> even deleted the API domain resolution.

I'm looking at all WoSign issued certificates, ignoring the hash algorithm used 
in the signature.  Two dates have certificates that are clear outliers when 
measuring the difference between notBefore and the timestamps.  I'm wondering 
what is special about these dates or these certificates.

dev-security-policy mailing list
dev-security-policy mailing list

Reply via email to