Hello Lewis and all

WoSign, as our Partner, is entitled to sell Asseco Data Systems (Certum) products through its own distribution network. While recently issued intermediate CAs certificates are dedicated to WoSign as our reseller, so that WoSign can sell certificates under its own brand, they (private keys and HSMs) remain under the exclusive control of Certum. As you may see and as Richard amended previously, all certificates are being issued under Certum policy (as well as BR policy). This means that the verification of each end-entity certificate is implemented within Certum's systems and procedures. In addition, the entire infrastructure is under the supervision of Certum.
--
Arkadiusz Ławniczak
Analyst
Security and Trust Services Division
Asseco Data Systems S.A.

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+arkadiusz.lawniczak=assecods...@lists.mozilla.org] On Behalf Of Tobias Sachs
Sent: Tuesday, November 22, 2016 10:57 PM
To: [email protected]
Subject: Re: WoSign has new roots?

On Tuesday, 22 November 2016 21:37:08 UTC+1, Lewis Resmond wrote:
> Hello,
>
> I just noticed the following announcement by WoSign:
>
> https://www.wosign.com/english/News/certificate_pre.htm
>
> If I understand correctly, they now have new root certificates which chain up
> to Certum, which is in the root storage.
>
> What does that mean in particular? Are the previously taken sanctions now
> useless?

According to this comment [1] I think yes. But this means also that the new CA is now the target. You can find the cert mentioned there here [2] and the intermediate here [3] which is not in the CT logs...

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1309707#c11
[2] https://crt.sh/?id=53689359
[3] https://censys.io/certificates/c0ab07d9071a4cc1d34409178f8bca058310a8b111ddcfa655658760226f50f9

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

