Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Eric Mill
On Mon, Oct 31, 2016 at 8:29 PM, Percy wrote: > On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote: > > According to their CPS (Chinese version 3.2 Jul.2016), > > > > 1. All CAs can issue SM2 certificates and use SM3 Hash. > > > > 2. There is a "signing key"

Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Percy
On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote: > According to their CPS (Chinese version 3.2 Jul.2016), > > 1. All CAs can issue SM2 certificates and use SM3 Hash. > > 2. There is a "signing key" generated by subscriber and "encryption key" > generated by CFCA which

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 4:40:49 PM UTC-7, Percy wrote: > Ryan, > It's great Chrome will distrust WoSign and StartCom. Google's blog post > stated that "Due to a number of technical limitations and concerns, Google > Chrome is unable to trust all pre-existing certificates while ensuring our

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 5:07:06 PM UTC-7, nessun...@gmail.com wrote: > I see that Google's response (and Apple's) is harsher than Mozilla, by > categorically distrusting WoSign and StartCom without granting the option, as > Mozilla does, to resubmit a new CA application after a set period

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread nessuno . acasa
I see that Google's response (and Apple's) is harsher than Mozilla, by categorically distrusting WoSign and StartCom without granting the option, as Mozilla does, to resubmit a new CA application after a set period of time through which they work to correct their flawed procedures.

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
Ryan, It's great Chrome will distrust WoSign and StartCom. Google's blog post stated that "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance.". Could you

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > The security blog about Distrusting New WoSign and StartCom Certificates has > been published: > > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ > > Chinese translations of

Re: WoSign: updated report and discussion

2016-10-31 Thread Percy
According to http://se.360.cn/event/gmzb.html, the browser needs to send an HTTP header Accept-Protocal: SM-SSL. Perhaps someone can do an Internet scan against Chinese sites (especially gov) to observe SM2 certs Percy Alpha(PGP ) On

Adding column to revoked intermediate cert reports

2016-10-31 Thread Kathleen Wilson
Just FYI... We will be adding a new column to the revoked intermediate cert reports that are available here: https://wiki.mozilla.org/CA:RevokedSubCAcerts It will be called "Alternate CRL" and will be between the current "CRL URL(s)" and "OCSP URL(s)" columns. The "Alternate CRL" field will

Re: WoSign: updated report and discussion

2016-10-31 Thread Han Yuwei
On Monday, October 31, 2016 at 11:50:46 PM UTC+8, Gervase Markham wrote: > On 30/10/16 19:47, Han Yuwei wrote: > > SM2 is widely used in Chinese government websites. There is an openssl > > branch (https://github.com/guanzhi/GmSSL) who implemented > > SM2/SM3/SM4. And I don't see any other deployment in HTTPS. > >

Re: WoSign: updated report and discussion

2016-10-31 Thread Gervase Markham
On 30/10/16 19:47, Han Yuwei wrote: > SM2 is widely used in Chinese government websites. There is an openssl > branch (https://github.com/guanzhi/GmSSL) who implemented > SM2/SM3/SM4. And I don't see any other deployment in HTTPS. Right, but my question remains: can you find a site with a WoSign

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread Peter Bowen
On Sun, Oct 30, 2016 at 11:34 PM, wrote: > On Monday, October 31, 2016 at 2:22:05 PM UTC+8, wangs...@gmail.com wrote: >> On Friday, October 28, 2016 at 8:19:43 AM UTC+8, Percy wrote: >> > "When facing any requirements of laws and regulations or any demands for >> > undergoing legal >> > process of court and

help

2016-10-31 Thread chun . yin . cheung
Help. My previous email account (cheungchun...@gmail.com) is blocked. I want to subscribe to the mailgroup using my company account (chun.yin.che...@cn.pwc.com). Regards CY > On October 28, 2016, at 11:28 PM, Chun Yin Cheung wrote: > > help > > Regards > > CY

Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread jonathansshn
On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote: > On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote: > > Please see 6.1.7 which describes this content. > > In version 3.2 I see that "证书最长期限(年)" (maximum validity period) about > "SSL服务器证书" (SSL Server Certificates) is 5. > > And I don't see any

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread wangsn1206
On Sunday, October 30, 2016 at 9:13:32 PM UTC+8, Gervase Markham wrote: > On 29/10/16 22:23, Han Yuwei wrote: > > Is SM2 acceptable in publicly-trusted CAs? I don't think so. > > No; the BRs list the permitted algorithms, and SM2 is not one of them. > > > Maybe Gerv could explain more about this. And I am wondering

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-31 Thread wangsn1206
On Friday, October 28, 2016 at 8:19:43 AM UTC+8, Percy wrote: > "When facing any requirements of laws and regulations or any demands for > undergoing legal > process of court and other agencies, GDCA must provide confidential > information in this CP" > > Can GDCA specify what other agencies are included? In China,