On Tuesday, November 15, 2016 at 12:37:56 AM UTC-8, Thijs Alkemade wrote:
> On 13 Nov 2016, at 10:08, Percy <percyal...@gmail.com> wrote:
> >
> > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA
> > even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate
> > CA. An example of a site signed by "CA 沃通免费SSL证书 G2" intermediate CA is
> > https://www.chelenet.com/
> >
> > Those two intermediate certs are treated by WoSign the same way and the
> > translation of "CA 沃通免费SSL证书 G2" is "WoSign CA Free SSL Certificate G2".
> > Users can select whether the end cert is signed by "CA 沃通免费SSL证书 G2" or
> > "WoSign CA Free SSL Certificate G2". All control measures are the same and
> > the only difference is the language for marketing reasons.
> >
> > Hence, because Apple has chosen to block "WoSign CA Free SSL Certificate
> > G2", it makes sense to apply the same sanction on "CA 沃通免费SSL证书 G2", as
> > they're in all senses the same.
>
> Hi Percy,
>
> I've been following Apple's security updates to determine when the announced
> block becomes active and how it is implemented. Using 10.11.6, with no
> updates available, it appears this block is not yet active for me. There are
> no errors when I try to visit https://inow.ua in Safari
> (https://crt.sh/?id=43120524 appears to be the last certificate issued by
> "WoSign CA Free SSL Certificate G2" which is currently still in use). In the
> file
> /System/Library/Security/Certificates.bundle/Contents/Resources/Allowed.plist
> I only see two CNNIC roots listed.
>
> Could you tell us what OS and version you used to determine that Apple has
> limited "WoSign CA Free SSL Certificate G2"?
>
> Best regards,
> Thijs Alkemade

You can also check this thread: https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/ZFOZCFW4K-s

Ryan pointed out that the whitelist has been implemented in the newest version.