Re: WoSign: updated report and discussion

2016-10-10 Thread Ryan Sleevi
On Monday, October 10, 2016 at 5:04:14 PM UTC-7, Kathleen Wilson wrote: > Based on the information that I have seen regarding WoSign, I believe that > WoSign intentionally bent the rules in order to continue issuing SHA-1 SSL > certs, when they knew full well that was no longer allowed. WoSign

Re: WoSign: updated report and discussion

2016-10-10 Thread Kathleen Wilson
On Monday, October 10, 2016 at 1:08:24 PM UTC-7, Ryan Sleevi wrote: > On Monday, October 10, 2016 at 11:39:19 AM UTC-7, Kathleen Wilson wrote: > > I would like to remind everyone that when making decisions about what to do > > about CA mis-issuance, it is expressly *not* a goal for me to mete out

Re: WoSign: updated report and discussion

2016-10-10 Thread Ryan Hurst
Gerv, Again, this mail represents my own personal beliefs and does not necessarily represent the beliefs of my employer, Google, or Let’s Encrypt where I am an advisor. I agree an appropriate response depends on the facts, so as you say, it depends. I also believe there are a few core

Re: WoSign: updated report and discussion

2016-10-10 Thread Matt Palmer
On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote: > Would anybody here _seriously_ be shocked to read next month that a black > hat group is auctioning some StartCom private keys ? On the evidence > available we have to assume that the keys underpinning both WoSign and > StartCom may

Re: WoSign: updated report and discussion

2016-10-10 Thread Ryan Sleevi
On Monday, October 10, 2016 at 11:39:19 AM UTC-7, Kathleen Wilson wrote: > I would like to remind everyone that when making decisions about what to do > about CA mis-issuance, it is expressly *not* a goal for me to mete out > punishment. Rather, my primary goal is to help keep end-users safe,

Re: WoSign: updated report and discussion

2016-10-10 Thread Kathleen Wilson
I greatly appreciate the significant amount of effort that you all have been putting into this investigation and discussion. As Gerv pointed out, since I am Mozilla's CA Certificate Module owner, I have the responsibility of making some decisions... I am continuing to mull over all of your

Re: WoSign: updated report and discussion

2016-10-10 Thread Nick Lamb
On Monday, 10 October 2016 12:49:37 UTC+1, Gervase Markham wrote: > I think that's an over-generalisation of my position :-) Whether sacking > people is an acceptable response depends on what has happened. I'm very doubtful that it is ever really relevant to the relying parties or trust stores.

Re: WoSign: updated report and discussion

2016-10-10 Thread Gervase Markham
On 10/10/16 16:47, 谭晓生 wrote: > Yes, the certificate issuance process is performed by each of these > five components, except, TSA is used for code issuance and PDF > issuance, not related with SSL certificates issuance. Right :-) But can you explain what each component does specifically? E.g.:

Re: WoSign: updated report and discussion

2016-10-10 Thread 谭晓生
Dear Gervase, Yes, the certificate issuance process is performed by each of these five components, except, TSA is used for code issuance and PDF issuance, not related with SSL certificates issuance. Thanks, Xiaosheng Tan On 2016/10/10 at 7:11 PM, “Gervase Markham” wrote: Hi

Re: WoSign: updated report and discussion

2016-10-10 Thread Andrew Ayer
On Mon, 10 Oct 2016 12:11:49 +0100 Gervase Markham wrote: > > During the time that the incidents > > occurred, StartCom and WoSign were for all intents and purposes the > > same company, one wholly owned by the other, both managed by the > > same disgraced CEO, and sharing

Re: WoSign: updated report and discussion

2016-10-10 Thread Gervase Markham
On 07/10/16 17:50, Ryan Sleevi wrote: > One possible issue with this is that there hasn't been a similar > question about StartCom's past practices. I think that, up until the > discussion began, particularly around the backdating of certificates, > it might have been said the same about WoSign -

Re: WoSign: updated report and discussion

2016-10-10 Thread Gervase Markham
On 09/10/16 23:43, Percy wrote: > Tan said, for StartCom and WoSign’s infrastructure, the PKI servers > were/are shared, the CRL/OCSP, TSA code were cloned and the StartCom > and WoSign shared the software development team. > > Also some management team are shared I assume since Richard Wang >

Re: WoSign: updated report and discussion

2016-10-10 Thread Gervase Markham
Hi Ryan, I agree with your five tenets. And you ask a very important question: On 07/10/16 18:43, Ryan Hurst wrote: > The problem is that this sets a dangerous precedent. Let’s assume a > similar situation happens in the future with another CA who owns > multiple brands. Would you ignore the

Re: WoSign: updated report and discussion

2016-10-10 Thread Gervase Markham
I don't believe this aspect of things is worth spending time on. However: On 10/10/16 09:44, i...@matthijsmelissen.nl wrote: > On Saturday, October 8, 2016 at 8:18:09 AM UTC+2, uri...@gmail.com > wrote: >> Did anyone ever determine if "Andy Ligg" is in fact a real person? >> (As discussed here

Re: Incidents involving the CA WoSign

2016-10-10 Thread Gervase Markham
On 10/10/16 08:15, Michael Ströder wrote: > Which "Chrome users"? All of them as a collective body. Standard revocation doesn't hold up in an active attack scenario. If someone has control of your customers' internet connection sufficient that they can direct a request that was meant to go to

Re: WoSign: updated report and discussion

2016-10-10 Thread info
On Saturday, October 8, 2016 at 8:18:09 AM UTC+2, uri...@gmail.com wrote: > Did anyone ever determine if "Andy Ligg" is in fact a real person? > (As discussed here > https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/0pqpLJ_lCJQ/7QRQ7oqGDwAJ > ) I believe Andy Ligg is a pseudonym

Re: Incidents involving the CA WoSign

2016-10-10 Thread Michael Ströder
Gervase Markham wrote: > On 07/10/16 04:21, Peter Gutmann wrote: >> That still doesn't necessarily answer the question, Google have their CRLSets >> but they're more ineffective than effective in dealing with revocations >> (according to GRC, they're 98% ineffective, >>