Re: New SHA-1 certificates issued in 2016

2016-10-29 Thread Gervase Markham
On 28/10/16 16:11, Patrick Figel wrote: > #7 > Some non-TLS-Server-Auth SHA-1 certificates chaining up to "Certum CA" > (Asseco Data Systems S.A.). Most appear to be S/MIME or TLS client auth > certificates, but I don't think the intermediates have any relevant > technical constraints. I'm not

Re: New SHA-1 certificates issued in 2016

2016-10-29 Thread Gervase Markham
On 28/10/16 16:11, Patrick Figel wrote: > I found a number of SHA-1 certificates chaining up to CAs trusted by > Mozilla that have not been brought up on this list or on Bugzilla yet. > Apologies in case I missed prior discussion for any of these, and kudos > to censys for making this search

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-29 Thread Peter Bowen
> On Oct 29, 2016, at 2:23 PM, Han Yuwei wrote: > > On Friday, 28 October 2016 at 21:23:01 UTC+8, wangs...@gmail.com wrote: >> We did not intend to cover up anything, since we disclosed every change >> to the Chinese version of the CP/CPS as soon as the auditor had reviewed it. >> The

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-29 Thread Han Yuwei
On Friday, 28 October 2016 at 21:23:01 UTC+8, wangs...@gmail.com wrote: > We did not intend to cover up anything, since we disclosed every change > to the Chinese version of the CP/CPS as soon as the auditor had reviewed it. > The “ROOTCA(SM2)” CA in §1.1.3 of CPS ver. 4.3 is equivalent to the “SM2 ROOT > Certificate” CA

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Peter Bowen
On Sat, Oct 29, 2016 at 2:29 PM, Percy wrote: > So 400 million Chinese users[1] are left vulnerable to MITM by even a casual > attacker and we cannot do anything about it!? As stated previously, it is not for one browser to tell another how to behave and the CA/Browser

Re: WoSign: updated report and discussion

2016-10-29 Thread Percy
Gerv, I believe I have found that the new updated report still contains intentional deception. Issue P: Use of SM2 Algorithm (Nov 2015) WoSign stated that it is only used for testing purposes. However, on the official website (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual attacker and we cannot do anything about it!? [1]: http://se.360.cn/

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the entire company into question. And such trust, in my view, should be evaluated when WoSign/StartCom submit their re-inclusion requests in the future. Percy Alpha(PGP

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Matt Palmer
On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > entire company into question. And such trust, in my view, should be > evaluated when WoSign/StartCom submit their re-inclusion requests in the > future. You can

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > > entire company into question. And such trust, in my view, should be > > evaluated when

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-29 Thread Gervase Markham
On 27/10/16 23:43, Han Yuwei wrote: > Since Mozilla's working language is English (Not sure about this), That is true. > it's your responsibility to provide an accurate translation of CPS. That is also true. However, we don't require that the English version be the master copy. Gerv