On Tuesday, 1 August 2017 08:39:28 UTC+1, Han Yuwei wrote:
> 1. the CN of two certificates are same. So it is not necessary to issue two
> certificates in just 2 minutes.

I think the most likely explanation is the difference in signature algorithm, but it is also not uncommon for subscribers to have more than one certificate for the same name for operational reasons. This is not prohibited, although it can be useful to watch the rate at which this happens at an issuing system as a possible sign of trouble.

> 2. second one used SHA1, though is consistent with BR, but first one used
> SHA256.

It is possible that a customer ordered a certificate and then, very quickly but alas after issuance, realised they had more specific needs: the SHA-256 algorithm and the longer expiry date. Or maybe they simply asked for the longer expiry and WoSign correctly pointed out that it would be silly to use SHA-1 with the longer expiry, as it was to be (and has been) distrusted by that date.

> 3. first one has 39 month period of validity which is very rare.

Although rare, this is permissible, and even, if the subscriber had a previous certificate for roughly the same name, a common business practice in order to secure customer loyalty.

> 4. Since they are issued so close they should be logged at CT same time but
> second one is too late.

CT logging was not mandatory at the time, and WoSign subsequently volunteered to upload all the extant certificates in mid-2016 during Mozilla's investigation of other (serious) problems.

I think these certificates are, though perhaps not entirely regular, not a sign of any problem at WoSign.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy