"Some certificates are revoked after getting report from subscriber, but some
still valid, if any subscriber think it must be revoked and replaced new one,
please contact us in the system, thanks"
WoSign seems to lack the basic understanding of how a certificate is used in
authentication, conse
On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote:
> On 29/08/16 09:48, 蓝小灰 wrote:
> > Of course I have private key of this certificate
>
> I have asked 蓝小灰 for cryptographic proof of this.
>
> Gerv
Gerv, I've notified the security team in Alibaba about this possible fake ce
On 29/08/16 09:48, 蓝小灰 wrote:
> Of course I have private key of this certificate
I have asked 蓝小灰 for cryptographic proof of this.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-s
On Friday, August 26, 2016 at 4:26:26 PM UTC+8, Richard Wang wrote:
> This is the standard way in China Internet, if a west company say something
> to China company, all will support the west company.
-- especially when local CAs are losing credibility to end-users. Microsoft
Azure's Chinese web
On Monday, August 29, 2016 at 5:41:06 PM UTC+9, Gervase Markham wrote:
> On 29/08/16 05:46, Richard Wang wrote:
> > For incident 1 - mis-issued certificate with un-validated subdomain,
> > total 33 certificates. We have posted to CT log server and listed in
> > crt.sh, here is the URL. Some certifi
Is there any plan to revoke the certificate in OneCRL soon? And how could we
speed this up? @ Kathleen Wilson
Of course I have private key of this certificate
On Monday, August 29, 2016 at 16:42, Gervase Markham wrote:
> On 26/08/16 06:12, 233sec Team wrote:
> > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
> >
> > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to
> alibaba, which are
Not vulnerabilities mentioned in this thread, but a Human-Audit weak process.
Detail you can see the reply content I send to Mr. Wang
On Saturday, August 27, 2016 at 4:24:44 AM UTC+8, Jonathan Rudenberg wrote:
> Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704
>
> Can you provide more details about
OK, revoke all tomorrow morning since our time is 22:22 now.
The cloudapp.net is revoked at the issuance time.
Thanks.
Regards,
Richard
> On 29 Aug 2016, at 21:53, Patrick Figel wrote:
>
> Richard,
>
> the problem with this approach is that the *subscriber* might not be
> authorized to ma
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
Also, I think that the SHA-1 topic should be brought up again. Some CA folks
will be tired of reading about this, having managed the issue wi
Richard,
the problem with this approach is that the *subscriber* might not be
authorized to make this decision for the parent domain. To go back to
the GitHub case, the "owner" of a github.io subdomain telling you that
they are authorized to own a certificate that covers github.io is
irrelevant, a
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
It can be worth following-up on date-in-time commitments from those CAs in
replies to the previous communication this year. Each CA should be
As I explained, we use same script using API, different parameter point to
different API post URL for different CA, no any PKI hosting related.
Regards,
Richard
> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are missing the most li
Sure, all issued cert is passed the domain control validations.
Regards,
Richard
> On 29 Aug 2016, at 16:30, Gervase Markham wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT this case you think. Due to root inclusion problem, WoSign
>> root is cross signed by StartCom since 2011.
Yes, I am so sorry for this, it is my fault that I guarantee never happen in
the future.
If something don't happen to you, you can't get impressed lesson. I know some
CA mis-issuance case that reported to Mozilla and CABF.
Regards,
Richard
> On 29 Aug 2016, at 16:35, Gervase Markham wrote:
>
Yes, we plan to revoke all after getting confirmation from subscriber. We are
doing this.
Regards,
Richard
> On 29 Aug 2016, at 16:38, Gervase Markham wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate with un-validated subdomain,
>> total 33 certifi
On 26/08/16 06:12, 233sec Team wrote:
> https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
>
> Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to
> alibaba, which are Chinese biggest online shopping websites.
> With the fake cert's middle man attack, password s
On 29/08/16 05:46, Richard Wang wrote:
> For incident 1 - mis-issued certificate with un-validated subdomain,
> total 33 certificates. We have posted to CT log server and listed in
> crt.sh, here is the URL. Some certificates are revoked after getting
> report from subscriber, but some still valid,
On 26/08/16 04:33, Richard Wang wrote:
> As I admitted that this discussion gives us a big lesson that we know
> when we need to report incident to all browsers. We guarantee we will
> do it better.
Richard,
You have been involved in this (Mozilla) discussion group and in the CAB
Forum for severa
On 25/08/16 04:38, Richard Wang wrote:
> R: NOT this case you think. Due to root inclusion problem, WoSign
> root is cross signed by StartCom since 2011. And we shared some
> facility with StartCom like CRL and OCSP distribution etc. But not
> this case, as I declared in the previous email, this is
On 24/08/16 17:44, Peter Bowen wrote:
> I think you are missing the most likely option: CA hosting. My
> understanding is that it is not uncommon that one CA operator
> contracts with another CA operator to run a CA on behalf of the first
> operator. I don't think it has been clear what disclosur