Re: Incidents involving the CA WoSign

2016-08-26 Thread percyalpha
In most Chinese institutions, most checks and verifications are just a formality. In contrast to the case of CNNIC CA, I'm not advocating for an outright removal of WoSign (even though I revoked the CA personally). But the incorrect notBefore date suggests that a mandatory inclusion of CT of all

RE: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
This is the standard way on the Chinese Internet: if a Western company says something to a Chinese company, all will support the Western company. PLEASE don’t turn this technical problem into a political issue, thanks. Best Regards, Richard -Original Message- From: dev-security-policy

Re: Incidents involving the CA WoSign

2016-08-26 Thread percyalpha
The news about possible sanction against WoSign was reported by Solidot http://www.solidot.org/story?sid=49448 (the Chinese version of Slashdot). Out of 12 comments in total (at the time of writing), 8 of them call for revocation of WoSign, the rest talk about the general bad security

Re: Incidents involving the CA WoSign

2016-08-26 Thread 233sec Team
WoSign's issuance mechanism is high risk for large enterprises. This is one proof: https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e Alicdn.com is the CDN asset domain name of Taobao/Tmall, which belong to Alibaba and are China's biggest online shopping websites. With the fake

Re: Incidents involving the CA WoSign

2016-08-26 Thread Jonathan Rudenberg
Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704 Can you provide more details about where this certificate came from? Did you issue it using one of the vulnerabilities discussed in this thread? > On Aug 26, 2016, at 01:12, 233sec Team wrote: > >

Added columns to Revoked Intermediate Certs reports

2016-08-26 Thread Kathleen Wilson
We've added two columns to the Revoked Intermediate CA Certificates reports that are available here: https://wiki.mozilla.org/CA:RevokedSubCAcerts The reports are: https://mozillacaprogram.secure.force.com/CA/PublicIntermediateCertsRevoked and

Re: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
I checked our system, and this is a standard order in our system that passes the website control validation. We issued more than 300K certificates for worldwide customers, including many famous companies. For Aliyun, it's our reseller partner, see this news: