Audit requirements

2016-09-22 Thread Peter Bowen
Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what is required by Mozilla. I suspect this might also span to ETSI audit

WoSign and StartCom audit reports

2016-09-22 Thread Peter Bowen
As hinted at in my earlier email about what is expected in audit reports, I've been looking at WebTrust audit reports from many CAs in the Mozilla program and those applying to be in the program. Since there has been lots of discussion about WoSign and Startcom recently, I took a look at their

RE: WoSign and StartCom audit reports

2016-09-22 Thread Richard Wang
Thanks for your hard work. I wish you could finish checking all the other CAs' reports ASAP. For WoSign, the report covered all 4 roots, not 3 roots. For StartCom, Eddy can say something about it; StartCom was 1000% independent for everything in 2015. Best Regards, Richard

RE: Incidents involving the CA WoSign

2016-09-22 Thread Richard Wang
Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40 minutes. Best Regards, Richard

Re: Taiwan GRCA Root Renewal Request

2016-09-22 Thread horn917
Peter Bowen wrote on Tuesday, September 20, 2016 at 11:53:29 PM UTC+8: > On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote: > > > > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/ > > All subordinate CAs are operated by Taiwan Government organizations. > > GCA is responsible

Re: Time to distrust

2016-09-22 Thread Gervase Markham
On 22/09/16 03:00, Peter Kurrasch wrote: > Well, well. Here we are again, Ryan, with you launching into a bullying, > personal attack on me instead of seeking to understand where I'm coming > from and why I say the things I say. Er, no. I am entirely comfortable with saying that if you found

Removing Government of France root certificate -- issuance of SHA-1 certs detected

2016-09-22 Thread Kathleen Wilson
All, In https://bugzilla.mozilla.org/show_bug.cgi?id=1301731 it was reported that SHA-1 SSL certs have recently been issued in the IGC/A CA Hierarchy that is owned by Government of France (ANSSI, DCSSI). This root cert was already name constrained via

Re: Sanctions short of distrust

2016-09-22 Thread Eric Mill
On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang wrote: > > > Do we trust that WoSign will not collect information on hits to any OCSP > responders they have set up and share that info with...whomever? > > Yes, any CA can do this if needed. But you can use OCSP Stapling in your

Re: Sanctions short of distrust

2016-09-22 Thread Jakob Bohm
On 21/09/2016 21:40, Rob Stradling wrote: On 21/09/16 15:06, Rob Stradling wrote: I ran some queries earlier today on the crt.sh DB, to find all CNs, dNSNames and iPAddresses in all unexpired certs whose issuer names include either "WoSign" or "StartCom". Then I cross-referenced that with the

Re: OpenSSL OCSP serious vulnerability

2016-09-22 Thread Jakob Bohm
On 22/09/2016 14:16, Richard Wang wrote: OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304) http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0 Best Regards, Richard Let me take this opportunity to thank your parent company Qihoo 360 for

OpenSSL OCSP serious vulnerability

2016-09-22 Thread Richard Wang
OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304) http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0 Best Regards, Richard

Re: Sanctions short of distrust

2016-09-22 Thread Percy
Ha. I was the OP of that email. Richard's reply was "From the screenshot, we know why Percy hates WoSign so deeply; we know which CA he represents, everything is clear now." On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote: > On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang