Kathleen, Gerv, Richard and m.d.s.p,
In reviewing the WebTrust audit documentation submitted by various CA
program members and organizations wishing to be members, it seems
there is possibly some confusion on what is required by Mozilla. I
suspect this might also span to ETSI audit
As hinted at in my earlier email about what is expected in audit
reports, I've been looking at WebTrust audit reports from many CAs in
the Mozilla program and those applying to be in the program.
Since there has been lots of discussion about WoSign and Startcom
recently, I took a look at their
Thanks for your hard work. I hope you can finish checking all other CAs'
reports ASAP.
For WoSign, the report covered all 4 roots, not 3 roots.
For StartCom, Eddy can say something about it; StartCom is 1000% independent
for everything in 2015.
Best Regards,
Richard
-Original
Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40
minutes.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Thursday, September 22, 2016
On Tuesday, September 20, 2016 at 11:53:29 PM UTC+8, Peter Bowen wrote:
> On Fri, Sep 16, 2016 at 2:00 PM, Kathleen Wilson wrote:
> >
> > * CA Hierarchy: Diagram of CA Hierarchy: http://grca.nat.gov.tw/
> > All subordinate CAs are operated by Taiwan Government organizations.
> > GCA is responsible
On 22/09/16 03:00, Peter Kurrasch wrote:
> Well, well. Here we are again, Ryan, with you launching into a bullying,
> personal attack on me instead of seeking to understand where I'm coming
> from and why I say the things I say.
Er, no. I am entirely comfortable with saying that if you found
All,
In https://bugzilla.mozilla.org/show_bug.cgi?id=1301731 it was reported that
SHA-1 SSL certs have recently been issued in the IGC/A CA Hierarchy that is
owned by Government of France (ANSSI,DCSSI).
This root cert was already name constrained via
On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang wrote:
>
> > Do we trust that WoSign will not collect information on hits to any OCSP
> responders they have set up and share that info with...whomever?
>
> Yes, any CA can do this if needed. But you can use OCSP Stapling in your
On 21/09/2016 21:40, Rob Stradling wrote:
On 21/09/16 15:06, Rob Stradling wrote:
I ran some queries earlier today on the crt.sh DB, to find all CNs,
dNSNames and iPAddresses in all unexpired certs whose issuer names
include either "WoSign" or "StartCom". Then I cross-referenced that
with the
On 22/09/2016 14:16, Richard Wang wrote:
OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0
Best Regards,
Richard
Let me take this opportunity to thank your parent company Qihoo 360 for
OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0
Best Regards,
Richard
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
Ha. I was the OP of that email. Richard's reply was "From the screenshot, we
know why Percy hate WoSign so deeply, we know he represent which CA, everything
is clear now."
On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote:
> On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang