RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
For security, the notBefore time is not the exact time of signing; it is random from 20 minutes to 40 minutes ahead. For the 6 long delta times, we said it is a CT Post System bug; for 2016-07-30 between 05:20 and 07:40 (CST), it is caused by the Internet connection problem from China to the Google CT log

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote: >> Are you saying out of over 40,000 orders over the last year, only six >> "stopped to move forward" for a period of a week or more and these happen to >> all have been ordered on Sunday, December 20, 2015 (China time)? >

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
> Are you saying out of over 40,000 orders over the last year, only six > "stopped to move forward" for a period of a week or more and these happen to > all have been ordered on Sunday, December 20, 2015 (China time)? You mean we issued 40,000 certificates on Dec 20, 2015? Here are the last two

Re: Second Discussion of LuxTrust Root Inclusion Request

2016-09-21 Thread Ryan Sleevi
On Friday, September 16, 2016 at 1:13:38 PM UTC-7, Kathleen Wilson wrote: > On Thursday, September 8, 2016 at 9:07:33 AM UTC-7, Kathleen Wilson wrote: > > Does anyone have comments, questions, or concerns about this request from > > LuxTrust to include the "LuxTrust Global Root 2" certificate,

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
Thanks for your good test; it gives you the experience to know more about how we work. What I told Gerv is that you can place an order at our site today -- Sept. 22nd 2016, but DON'T do the domain validation; leave it there. Four months later, you log in to your account to finish the domain validation, then the system

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
Richard, I'm having a really hard time reconciling what you describe with what is found in the CT logs and what I observed today when doing as you suggested and getting a cert from https://buy.wosign.com/free/. I pulled all the WoSign certificates from CT logs that have embedded SCTs. There are

Re: Time to distrust (was: Sanctions short of distrust)

2016-09-21 Thread Peter Kurrasch
Well, well. Here we are again, Ryan, with you launching into a bullying, personal attack on me instead of seeking to understand where I'm coming from and why I say the things I say. You may have noticed that I do

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-09-21 Thread wangsn1206
> Dear Peter, Thanks for your comments! We think that there are some good > suggestions for our work. We’ll take notes and do better in our future work. > >> We have discussed these questions with our auditor. Here is our reply to > your comments: > > - The basic WebTrust for CA Report does

Sanctions short of distrust

2016-09-21 Thread Richard Wang
I know WoSign made some mistakes in 2015, and I accept any reasonable, fair enough sanction. But WoSign will continue to do our best to provide the best products and best service to worldwide customers, no matter what the sanction is. Here are the answers to your questions: > Do we trust that WoSign

Re: Sanctions short of distrust

2016-09-21 Thread Rob Stradling
On 21/09/16 15:06, Rob Stradling wrote: > I ran some queries earlier today on the crt.sh DB, to find all CNs, > dNSNames and iPAddresses in all unexpired certs whose issuer names > include either "WoSign" or "StartCom". Then I cross-referenced that > with the latest PSL data to discover the

Re: Time to distrust (was: Sanctions short of distrust)

2016-09-21 Thread Ryan Sleevi
On Wednesday, September 21, 2016 at 12:05:49 PM UTC-7, Peter Kurrasch wrote: > I have a hard time seeing how any sort of white list solution will actually > mitigate any of the bad behavior exhibited by WoSign. This doesn't help understand where your disconnect is, or how we might educate and

Time to distrust (was: Sanctions short of distrust)

2016-09-21 Thread Peter Kurrasch
I have a hard time seeing how any sort of white list solution will actually mitigate any of the bad behavior exhibited by WoSign. From my perspective, I think we can make a pretty clear case that WoSign is a

Re: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
Not this case. Gerv asked why the order was placed on Aug. 12th 2015 and why it was issued on Dec. 20th 2015, since he finished the domain validation on Dec 20th. Best Regards, Richard On Sep 21, 2016, at 22:54, Kurt Roeckx wrote: On 2016-09-21 16:26,

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 16:26, Richard Wang wrote: R: You can place an order there and not do the domain validation; 4 months later, you finish the domain control validation, then the certificate is issued. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 24/08/16 14:08, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. I have recently updated https://wiki.mozilla.org/CA:WoSign_Issues to draw some conclusions for

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
Hi Gerv, See below inline, thanks. Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Gervase Markham Sent: Wednesday, September 21, 2016 9:19 PM To:

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificates are free SSL certificates, so there is no reason > for us to help them get the SHA-1 certificate intentionally, > and some certificates were even never used or even not retrieved

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang Subject: Re: Incidents involving the CA WoSign Hi

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
On Tue, Sep 20, 2016 at 12:23 AM, 谭晓生 wrote: > I’m Xiaosheng Tan, the Chief Security Officer of Qihoo 360, on the inquiry of > the disclosure of Wosign deal, we are not obligated to disclose it under the > SEC regulation I apologize if I implied that you were. I am sure

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 21/09/16 11:10, Kurt Roeckx wrote: > I didn't read it like that, and that the assets they have in WoSign > should be more than 10% of the total assets. So that WoSign would be > more than 10% of the USD$9.99B. Oops. You are right. My apologies! I thought the benchmark was the size of the

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 12:11, Richard Wang wrote: Please check the first 313 certificates' serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificates' is “D3BBDC3A0175E38F9D0070CD050986A”, which is only 31 bytes. But our serial number rule is 32 bytes. This is a little misleading. The hex

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16 11:05,

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 11:16, Gervase Markham wrote: Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: > Qihoo 360 is a company valued at USD$9.99B as it finished the > privatization on July 15th 2016, we have invested in more than 200 > companies across the world, Wosign is just a very small one and we > even do not have any people sent to this company