WoSign's official website stated that "For Free SSL Certificate, it support 20 domain names for 3 years period" (https://buy.wosign.com/free/freeEmailcert.html). In order to identify possible backdated certs in the future, I suggest that WoSign/StartCom be mandated to upload all unexpired certs (especially those in 2014) to CT, so that we can have a complete list of domains.
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also > contains some conclusions we have drawn from the recent investigations, > and a proposal for discussion regarding the action that Mozilla's root > program should take in response. > > Because this document is extensive and contains embedded images, links > and formatting, I have published it on Google Docs instead of as an > email message here: > > https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit > > However, this forum is the appropriate place for discussing it. Please > feel free to cut and paste any parts you wish to quote and comment on. > > Gerv _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
