> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
>
> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
>>
>> Please note this email topic is just for releasing the news that WoSign new
>> system passed the security audit, just for demonstration that we finished
>> item 5:
>> " 5. Provide auditor[3] attestation that a full security audit of the CA’s
>> issuing infrastructure has been successfully completed. "
>> " [3] The auditor must be an external company, and approved by Mozilla. "
>
> It also seems a bit strange to report item 5 "successfully completed" before
> we hear anything about the other items. How about starting with item 1? What
> are your plans for fixing the problems?

It’s worth noting that the problems have not stopped yet. There are a bunch of certificates issued over the past few months that do not comply with the Baseline Requirements issued from the new "StartCom BR SSL ICA”, for example: