We released replacement notice in Chinese in our website: https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
And we have sent broadcast email to our customer, but some customers still don't replace its certificate due to many kind of reasons that this must be cooperated by customers. Best Regards, Richard -----Original Message----- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Percy via dev-security-policy Sent: Monday, August 28, 2017 11:34 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remove old WoSign root certs from NSS On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote: > On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote: > > I suggest that Mozilla can post an announcement now about the > > complete removal of WoSign/StartCom to alert website developers. I > > suspect that a moderate amount of Chinese websites are still using > > WoSign certs chained to the old roots. Google posted about this > > complete removal here > > https://security.googleblog.com/2017/07/final-removal-of-trust-in-wo > > sign-and.html > > > > And since WoSign has the most presence in China, I suggest Mozilla can > > instruct Mozilla China to post such announcement in Chinese as well. > > > Here's a DRAFT for such an announcement, that I could post to Mozilla's > Security Blog [1]. > > ~~ DRAFT ~~ > > Title: Removing Disabled WoSign and StartCom Certificates from Firefox > 58 > > In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop > validating new certificates chaining to the below list of root certificates > owned by the companies WoSign and StartCom. > > The announcement also indicated our intent to eventually completely remove > these root certificates from Mozilla’s Root Store[3], so that we would no > longer validate certificates issued even before that date by those roots. > That time has now arrived. We plan to release the relevant changes[4] to > Network Security Services (NSS)[5] in November, and then the changes will be > picked up in Firefox 58[6], due for release in January 2018. Sites using > certificates chaining up to any of the following root certificates need to > migrate to another root certificate. > > This announcement applies to the root certificates with the following names: > > CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN CN=Certification > Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN > CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, > C=CN CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN > CN=StartCom Certification Authority, OU=Secure Digital Certificate > Signing, O=StartCom Ltd., C=IL CN=StartCom Certification Authority G2, > OU=null, O=StartCom Ltd., C=IL > > Mozilla Security Team > ~~ > > As always, I will appreciate your constructive feedback. > > Thanks, > Kathleen > > [1] https://blog.mozilla.org/security/ > [2] > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-an > d-startcom-certificates/ > [3] https://wiki.mozilla.org/CA > [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260 > https://bugzilla.mozilla.org/show_bug.cgi?id=1392849 > [5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS > [6] https://wiki.mozilla.org/RapidRelease/Calendar Such an announcement will be great. And Chinese translation posted on Mozilla China will be greatly appreciated too. A Chinese announcement is rather appreciated because some very large companies, for example, OFO which received $450M in funding and currently valued at 1B [1] is still using WoSign certs [2]; Fapiao, which deals with receipts for Starbucks in China, was using the old WoSign cert[3] until two weeks ago. It only changed the cert after customer complaints for months. Those are by far not isolated cases. [1]https://en.wikipedia.org/wiki/Ofo_(bike_sharing) [2]https://common.ofo.so/ [3]https://crt.sh/?q=fapiao.com _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
