Fwd: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

2016-09-23 Thread Richard Wang
This is the recent incident from GlobalSign. Please note that the WoSign incident occurred in 2015 for free DV SSL, not OV or EV. Best Regards, Richard Begin forwarded message: From: Doug Beattie <mailto:doug.beat...@globalsign.com> Date: September 21, 2016 at 04:48:00 GMT+8 To: CABFPub mailto:

Re: Comodo issued a certificate for an extension

2016-09-23 Thread sjw
The affected cert has been logged here: https://crt.sh/?id=34242572 On 24.09.2016 at 02:33, Richard Wang wrote: > First, I must make a declaration that I don't know "Showfom", and I don't know > if he/she is a WoSign customer. > > As I said in my final statement that I wish all Mozilla trusted CA

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make a declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement, I wish all Mozilla trusted CAs could post their issued certificates to CT log servers for full transparency; I am sure not WoSign mis-issued certificate o

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make a declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement, I wish all Mozilla trusted CAs could post their issued certificates to CT log servers for full transparency; I am sure not WoSign mis-issued certificate, ma

Comodo issued a certificate for an extension

2016-09-23 Thread Showfom
First, let me introduce myself: I'm a famous investor in ccTLD domains from China. Recently we got an easy-to-remember domain, www.sb; please note the extension is .sb. I ordered a Comodo Positive SSL for this domain; the common name which I submitted is www.sb. Usually they will give us a certificate

Re: WoSign and StartCom audit reports

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg wrote: > On 09/23/2016 05:53 AM, Peter Bowen wrote: >> >> Review of StartCom audit reports >> for the period 1 January 2015 to 31 December 2015 >> >> Good: >> - Uses AICPA standards >> - Uses current criteria versions >> >> Bad: >> - Only covers two root

Re: WoSign and StartCom audit reports

2016-09-23 Thread Eddy Nigg
On 09/23/2016 05:53 AM, Peter Bowen wrote: Review of StartCom audit reports for the period 1 January 2015 to 31 December 2015 Good: - Uses AICPA standards - Uses current criteria versions Bad: - Only covers two roots, not subordinate CAs (true for all three reports: CA, BR, and EV) - Does not p

Re: Time to distrust

2016-09-23 Thread Ryan Sleevi
On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: >they are nowhere near as bad as proponents of > extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry state of the art. It would perhaps be useful if

Re: Sanctions short of distrust

2016-09-23 Thread Ryan Sleevi
On Friday, September 23, 2016 at 9:31:14 AM UTC-7, Jakob Bohm wrote: > 2.2: Mozilla also makes an e-mail client (Thunderbird) which uses the > same CA root list and the same NSS security library to check e-mail > certificates. E-mail trust bits are still part of the Mozilla CA root > database. Th

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:18, Rob Stradling wrote: On 22/09/16 18:48, Jakob Bohm wrote: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in "unique base

Re: Time to distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:27, Ryan Sleevi wrote: On Friday, September 23, 2016 at 6:03:01 AM UTC-7, Peter Kurrasch wrote: * Revocation: If a particular cert has been revoked for any reason, I should be able to find that out so that I will know not to use it. Ideally this is handled automatically in

Re: Time to distrust

2016-09-23 Thread Ryan Sleevi
On Friday, September 23, 2016 at 6:03:01 AM UTC-7, Peter Kurrasch wrote: > * Revocation: If a particular cert has been revoked for any reason, I should > be able to find that out so that I will know not to use it. Ideally this is > handled automatically in software but for various reasons it d

Re: Audit requirements

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 6:22 AM, Jakob Bohm wrote: > On 23/09/2016 14:29, Kurt Roeckx wrote: >> >> On 2016-09-23 00:57, Peter Bowen wrote: >>> >>> Kathleen, Gerv, Richard and m.d.s.p, >>> >>> In reviewing the WebTrust audit documentation submitted by various CA >>> program members and organization

RE: Audit requirements

2016-09-23 Thread Ben Wilson
What about subordinate CAs created after the audit letter is published? If both WebTrust and ETSI audit schemes assume ongoing audit reporting responsibilities, I'd assume that you wouldn't need a new audit letter every time you create a subordinate CA, which might be weekly. The list of subord

Re: Sanctions short of distrust

2016-09-23 Thread Rob Stradling
On 22/09/16 18:48, Jakob Bohm wrote: > While you are at it: > > 1. How many WoSign/StartCom certificates did you find with domains not > on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in "unique base domains (PSL+1)". I think there were

Re: Audit requirements

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx wrote: > On 2016-09-23 00:57, Peter Bowen wrote: >> >> Kathleen, Gerv, Richard and m.d.s.p, >> >> In reviewing the WebTrust audit documentation submitted by various CA >> program members and organizations wishing to be members, it seems >> there is poss

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 12:38, Richard Wang wrote: > Please check this news (Feb 25th 2015) on the OSCCA website: > http://www.oscca.gov.cn/News/201312/News_1254.htm which says that all China-licensed > CAs finished the PKI/CA system upgrade and that all licensed CAs > MUST be able to issue SM2 certificates to subscribers. I have

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:12, Kurt Roeckx wrote: On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) on the OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm which says that all China-licensed CAs finished the PKI/CA system upgrade and that all licensed CAs MUST be able to

Re: Audit requirements

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:29, Kurt Roeckx wrote: On 2016-09-23 00:57, Peter Bowen wrote: Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what i

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 12:51, Peter Gutmann wrote: Jakob Bohm writes: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? 2. How many WoSign/StartCom certificates did you find for other uses than https://www.example.tld: 2.1 Certificates

Re: Time to distrust

2016-09-23 Thread Peter Kurrasch
It's a fair criticism to say that I've not said anything on the implications of distrust but that does not mean I've not considered that at great length. More on that in a moment, but first let me say a few words about my style. Generally I prefer not to waste time on matters that are of little i

Re: Audit requirements

2016-09-23 Thread Kurt Roeckx
On 2016-09-23 00:57, Peter Bowen wrote: Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what is required by Mozilla. I suspect this mi

Re: Incidents involving the CA WoSign

2016-09-23 Thread Kurt Roeckx
On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) on the OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm which says that all China-licensed CAs finished the PKI/CA system upgrade and that all licensed CAs MUST be able to issue SM2 certificates to subscribers.

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
Hi Gerv, Please check this news (Feb 25th 2015) on the OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm which says that all China-licensed CAs finished the PKI/CA system upgrade and that all licensed CAs MUST be able to issue SM2 certificates to subscribers. As I said at last year's CABF face to face

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.gov.cn/Column/Column_32.htm > > If anybody wants an English version of laws & regulations, Percy and I may help. No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not comp

Re: Sanctions short of distrust

2016-09-23 Thread Peter Gutmann
Jakob Bohm writes: >While you are at it: > >1. How many WoSign/StartCom certificates did you find with domains not > on that IANA list? > >2. How many WoSign/StartCom certificates did you find for other uses > than https://www.example.tld: > >2.1 Certificates for "odd" subdomains such as "ext

Re: Incidents involving the CA WoSign

2016-09-23 Thread Han Yuwei
On Friday, September 23, 2016 at 6:44:29 PM UTC+8, Han Yuwei wrote: > On Friday, September 23, 2016 at 3:57:12 PM UTC+8, Percy wrote: > > WoSign stated in the report that "Due to foreign companies to China's > > technology blockade, WoSign decided to research and develop all systems by > > ourselves in 2009, including BUY system (Online certific

Re: Incidents involving the CA WoSign

2016-09-23 Thread Han Yuwei
On Friday, September 23, 2016 at 3:57:12 PM UTC+8, Percy wrote: > WoSign stated in the report that "Due to foreign companies to China's > technology blockade, WoSign decided to research and develop all systems by > ourselves in 2009, including BUY system (Online certificate store), CMS > (Certificate Management System, in

RE: WoSign and StartCom audit reports

2016-09-23 Thread Richard Wang
For StartCom issues, I think Eddy and Inigo can answer your question, as I represent WoSign only. As far as I know, the new buy website, www.startssl.com, is developed by the StartCom China R&D team; it posts the order to the PKI system that is still in the Israeli office equipment room. The website is hosted in the USA,

Re: WoSign and StartCom audit reports

2016-09-23 Thread Gervase Markham
On 23/09/16 10:56, Richard Wang wrote: > Yes, 100% independent in 2015. So please don't tie the two companies > together for anything that happened in 2015, thanks. Oh, I see what you mean. :-) > From Dec. 20th - 22nd 2015, the StartCom new website - > www.startssl.com moved to USA IDC that designed by St

RE: WoSign and StartCom audit reports

2016-09-23 Thread Richard Wang
Yes, 100% independent in 2015. So please don't tie the two companies together for anything that happened in 2015, thanks. From Dec. 20th - 22nd 2015, the StartCom new website, www.startssl.com, moved to a USA IDC designed by the StartCom Chinese R&D team. From that time StartCom shared many facilities

Re: Audit requirements

2016-09-23 Thread Gervase Markham
On 22/09/16 23:57, Peter Bowen wrote: > Kathleen, Gerv, Richard and m.d.s.p, Hi Peter, These are good points. I know Kathleen and some other root program owners have been discussing whether a document giving best practice guidance for the authorship of audit reports might be a good thing. These i

Re: WoSign and StartCom audit reports

2016-09-23 Thread Gervase Markham
On 23/09/16 06:35, Richard Wang wrote: > For StartCom, Eddy can say something about it, StartCom is 1000% independent > for everything at 2015. You've said this or something very similar twice now, both times saying "at 2015". This is probably a language thing, because native English speakers wou

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 07:55, Richard Wang wrote: > This is the final statement about the incident: > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) Thank you. Gerv

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
WoSign stated in the report that "Due to foreign companies to China's technology blockade, WoSign decided to research and develop all systems by ourselves in 2009, including BUY system (Online certificate store), CMS (Certificate Management System, internal work flow), PKI/CA (Certificate issuing s

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
Richard, On behalf of most Chinese Internet users who do not speak English, I'm asking why WoSign is only making the final statement available in Chinese, but not the incident report. WoSign doesn't even have any statement, announcement or press release in Chinese regarding any of the incidents (ex