Re: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
Got it, thanks. We will reply to you soon. By the way, the link you used in the page to our report is not correct. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >> This discussion has been going on for two weeks, I think

Re: Incidents involving the CA WoSign

2016-09-07 Thread Gervase Markham
Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discussion has been going on for two weeks, I think it is time to end > it, it isn't worth wasting everybody's precious time. Unfortunately, I think we may be only beginning. I have prepared a list of the issues we are tracking with WoSign's c

RE: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Sunday, September 4, 2016 5:49 PM To: Gervase Markham ; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi all, We finished the investigation and

Re: Incidents involving the CA WoSign

2016-09-07 Thread Rob Stradling
On 06/09/16 11:11, Rob Stradling wrote: > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External > CA Root" root [3], but we revoked the cross-certificates in December > 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as > revoked to Salesforce [5]. (I don't kn

Re: Incidents involving the CA WoSign

2016-09-06 Thread Eric Mill
On Tue, Sep 6, 2016 at 11:43 AM, Eddy Nigg wrote: > On 09/05/2016 10:54 AM, Gervase Markham wrote: > >> Hi Eddy, >> >> On 04/09/16 09:51, Eddy Nigg wrote: >> >>> I don't want to extend this discussion unnecessarily, but as a side note >>> you don't know which agreements this employee has signed w

RE: Incidents involving the CA WoSign

2016-09-06 Thread Richard Wang
se Markham ; dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi, section 1.4. Impact Analytics in the report contains a list of 72 certificates, for which the domain validation was done on a high port. On 2015-04-20 I have obtained a certificate for a domain n

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 19:49, Jonathan Rudenberg wrote: On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: I thought WoSign's report is not very convincing. The subdomain bug has existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of person

Re: Incidents involving the CA WoSign

2016-09-06 Thread Thijs Alkemade
On 01 Sep 2016, at 18:00, Ryan Sleevi wrote: > > Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this > the only one? I wasn't clear from > https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ > >

Re: Incidents involving the CA WoSign

2016-09-06 Thread Gervase Markham
On 05/09/16 23:58, Peter Bowen wrote: > 1) Should any action be taken against the operators of these CAs due > to the incidents listed? > > My view is that the correct answer is "no, unless it is demonstrated > that the CA operator had knowledge of undisclosed incidents", as I > believe that the i

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jonathan Rudenberg
> On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: > > I thought WoSign's report is not very convincing. The subdomain bug has > existed for a long time and it made me feel it is a feature not a bug. It's > not a secret among the admin of personal or small sites. I am not very > simi

Re: Incidents involving the CA WoSign

2016-09-06 Thread xcrailfans
On Saturday, September 3, 2016 at 1:31:17 PM UTC-4, Andy Ligg wrote: > You are completely wrong! > > StartCom not only has offices in Israel and in China, but also has an > office in the UK, welcome to visit our UK office: T05, Castlemead, Lower > Castle Street, Bristol, BS1 3AG, UK. Thanks for point

Re: Incidents involving the CA WoSign

2016-09-06 Thread Will Hughes
Hello, First of all let me state that I am in no way involved in the operation of a certificate authority, nor am I involved in setting CA policy for any organisation; I am merely an interested observer. I am a user of Mozillas' trust store, both directly through Firefox and Thunderbird, and indir

Re: Incidents involving the CA WoSign

2016-09-06 Thread moonbingbing
zilla.org] > Sent: Wednesday, August 24, 2016 9:08 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Cc: Richard Wang > Subject: Incidents involving the CA WoSign > > Dear m.d.s.policy, > > Several incidents have come to our attention involving the CA "WoS

Re: Incidents involving the CA WoSign

2016-09-06 Thread Julian Brost
> > -Original Message- > From: Gervase Markham [mailto:ge...@mozilla.org] > Sent: Wednesday, August 24, 2016 9:08 PM > To: mozilla-dev-s...@lists.mozilla.org > Cc: Richard Wang > Subject: Incidents involving the CA WoSign > > Dear m.d.s.policy, > > Several i

Re: Incidents involving the CA WoSign

2016-09-06 Thread hanyuwei70
I thought WoSign's report is not very convincing. The subdomain bug has existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of personal or small sites. I was not very familiar with CA stuff at that time, just a subscriber of WoSign's free certifi

Re: Incidents involving the CA WoSign

2016-09-06 Thread Eddy Nigg
On 09/05/2016 10:54 AM, Gervase Markham wrote: Hi Eddy, On 04/09/16 09:51, Eddy Nigg wrote: I don't want to extend this discussion unnecessarily, but as a side note you don't know which agreements this employee has signed with StartCom and/or WoSign and hence you can't make a judgement on it ei

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
Yeah, it's almost impossible to distrust all WoSign authority manually from keychain access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates ) Certification Authority of

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Nick Lamb writes: >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: >> Why would a public CA even need cross-certification from other CAs? > >Maybe this question has some subtlety to it that I'm missing? OK, I really meant "that many other CAs". To take one example, the cross-

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Nick Lamb
On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? Maybe this question has some subtlety to it that I'm missing? Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a published process

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Myers, Kenneth (10421)
y-pol...@lists.mozilla.org" Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <1473170991071.38...@cs.auckland.ac.nz> Content-Type: text/plain; charset="iso-8859-1" Peter Bowen writes: >In addition to the direct impact, I note that W

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:10, Peter Gutmann wrote: Peter Bowen writes: In addition to the direct impact, I note that WoSign is the subject of cross-signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). This is incredible, it's like a hydra.

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
On 06/09/16 15:10, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? To inherit trust on legacy platforms that don't have an automatic root update mechanism. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online ___

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 15:58, Peter Gutmann wrote: Matt Palmer writes: Out of curiosity, is anyone keeping a tally of the number of times WoSign has said, "yep, they're all logged now", only to have more unlogged certificates turn up? This is starting to feel like a bit of a repeat of DigiNotar, We

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Peter Bowen writes: >In addition to the direct impact, I note that WoSign is the subject of >cross-signatures from a number of other CAs that chain back to roots in the Mozilla >program (or were in the program). This is incredible, it's like a hydra. Do the BRs say anything about this type of

Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Matt Palmer writes: >Out of curiosity, is anyone keeping a tally of the number of times WoSign has >said, "yep, they're all logged now", only to have more unlogged certificates >turn up? This is starting to feel like a bit of a repeat of DigiNotar, We apologise for the fault in the CA. Those re

Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
Hi Peter. Since you mentioned Comodo's cross-certification of the "Certification Authority of WoSign" root, we thought we should respond... On 05/09/16 23:58, Peter Bowen wrote: > Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > of WoSign by /C=US/ST=UT/L=Salt Lake City/O=T

RE: Incidents involving the CA WoSign

2016-09-06 Thread Richard Wang
y, September 6, 2016 4:56 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 2016-09-05 22:37, Percy wrote: > In page 11, you mentioned that "System blocked many illegal request every > day, the following screen shot is the reject order

Re: Incidents involving the CA WoSign

2016-09-06 Thread Kurt Roeckx
On 2016-09-05 22:37, Percy wrote: In page 11, you mentioned that "System blocked many illegal request every day, the following screen shot is the reject order log", in which you attached a log with Google, Microsoft, QQ domains. Those domains are rejected because of the top domain whitelist. D

Re: Incidents involving the CA WoSign

2016-09-05 Thread Gervase Markham
On 06/09/16 07:20, Henri Sivonen wrote: > In the table on page 13, line 6 looks different from the others. > Should that line be in the table on page 14 instead? Also line 2? Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.o

Re: Incidents involving the CA WoSign

2016-09-05 Thread Henri Sivonen
On Sun, Sep 4, 2016 at 12:49 PM, Richard Wang wrote: > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me know if you still have any questions, > thanks. In the table

RE: Incidents involving the CA WoSign

2016-09-05 Thread Richard Wang
bject: Re: Incidents involving the CA WoSign On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf In section 2.2 you explain

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Monday, September 5, 2016 at 3:58:34 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > > Several incidents have come to our attention involving the CA "WoSign". > > Mozilla is considering what action it should take in response to these > > incidents. This

Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Bowen
On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. This email sets out our understanding of the situation. > > Before we begin, we no

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Friday, August 26, 2016 at 12:57:56 PM UTC-7, 233sec Team wrote: > WoSign's issuance mechanism is high risk for large enterprises. > This is one proof: > > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, August 24, 2016 9:08 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Cc: Richard Wang > Subject: Incidents involving the CA WoSign > > Dear m.d.s.policy, > > Several incidents hav

Re: Incidents involving the CA WoSign

2016-09-05 Thread Rob Stradling
On 04/09/16 17:40, Andrew Ayer wrote: > On Sat, 3 Sep 2016 21:50:51 -0700 > Peter Bowen wrote: > >> The log entries for the SM2 certificates are >> https://ctlog.wosign.com/ct/v1/get-entries?start=109239&end=109240; >> crt.sh doesn't have them. x509lint was segfaulting when crt.sh tried to add t

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Gutmann
Eddy Nigg writes: >On 09/04/2016 09:20 AM, Peter Gutmann wrote: >> This is great stuff, it's like watching a rerun of Diginotar > >.says the audience on the backbenches gleefully Well, it doesn't exactly paint the best picture of a competently-run CA, same as Diginotar, and the progressio

Re: Incidents involving the CA WoSign

2016-09-05 Thread Gervase Markham
Hi Eddy, On 04/09/16 09:51, Eddy Nigg wrote: > On 09/03/2016 11:02 PM, Percy wrote: >> I agree completely that we shouldn't imply fundamental guilt by >> association. However, WoSign threatened legal actions against Itzhak >> Daniel's disclosure compiled purely from public sources. I just want to >

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Eddy Nigg
On 09/04/2016 09:20 AM, Peter Gutmann wrote: Peter Bowen writes: It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar .says the audience on the backbenches gleefully but no, what are you talking about?? Even

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf In section 2.2 you explain that there is a mail at 9:01 and 9:38, where I think

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote: > On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > > Hi all, > > > > We finished the investigation and released the incidents report today: > > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > > >

Re: Incidents involving the CA WoSign

2016-09-04 Thread Andrew Ayer
On Sat, 3 Sep 2016 21:50:51 -0700 Peter Bowen wrote: > The log entries for the SM2 certificates are > https://ctlog.wosign.com/ct/v1/get-entries?start=109239&end=109240; > crt.sh doesn't have them. The matching serial numbers are > https://crt.sh/?id=30613201 and https://crt.sh/?id=30613200. Th

Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Bowen
On Sat, Sep 3, 2016 at 10:11 PM, Richard Wang wrote: > It is posted, just Peter not find it that I told him the Log id. Richard, Thank you for providing the log ids. I am glad to see these are now logged, but I will point out the log timestamps for these two certificates are both later than t

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote: > So if I understand correctly, you've published all certificates issued in > 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that > correct? > > > As noted in > https://groups.google.com/d/msg/mozilla.dev.secu

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me know if you still have any questions, >

RE: Incidents involving the CA WoSign

2016-09-04 Thread Richard Wang
involving the CA WoSign Dear m.d.s.policy, Several incidents have come to our attention involving the CA "WoSign". Mozilla is considering what action it should take in response to these incidents. This email sets out our understanding of the situation. Before we begin, we note that Sectio

Re: Incidents involving the CA WoSign

2016-09-04 Thread Gijs Kruitbosch
5th, 2016. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Sunday, September 4, 2016 5:19 AM To: Richard Wang Cc: Ryan Sleevi ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you als

Re: Incidents involving the CA WoSign

2016-09-04 Thread Eddy Nigg
On 09/03/2016 11:02 PM, Percy wrote: I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the conte

RE: Incidents involving the CA WoSign

2016-09-04 Thread Richard Wang
: Sunday, September 4, 2016 5:19 AM To: Richard Wang Cc: Ryan Sleevi ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the best web soap in the last few weeks... Peter. ___ dev-security-policy mailing list dev-s

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
It is posted, just Peter not find it that I told him the Log id. We are also checking system again to double check if we missed some. Please be patient for our full 20 pages report, thanks, Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat, Sep 03, 2016 at 02:18:44

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
This is another case that we will include in our report. We issued two test certs using the SM2 algorithm that used the same serial number as the RSA cert (same subject) to test if we can set up a gateway that installs these two types of cert, so it can handshake automatically using different certs based on

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi wrote: > On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >> Thanks for your detailed instructions. >> Yes, we have improved. The two cases happened in 2015 and the mis-issued >> certificate period is only 5 months, during which we fixed 3 big bugs durin

Re: Incidents involving the CA WoSign

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 02:18:44PM -0700, Peter Bowen wrote: > Can you also please check the following two certificates? It looks > like they were missed when logging all the 2015 certs. > > https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 > http

RE: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
: Sunday, September 4, 2016 5:19 AM To: Richard Wang Cc: Ryan Sleevi ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 https://www.censys.io/certificates/d99309f071141454f805c13551a827

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Trust me, the disclosure was not buried, and the factual details are being sorted. However, it would be better for the tone and focus of the thread that we make sure to focus on the factual elements, which, as you note, can be publicly obtained easily, than to try to imply there's something wron

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Ryan, I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the content was taken down. Richard, the

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Percy, As I suggested in the other thread, this does not seem a productive or fruitful line of inquiry, nor does it seem relevant to the issue at hand, nor does it seem to be done respectfully. That is, the extent of the country of origin of a CA is not itself a fundamental issue of trust, nor

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Andy, are you from the UK office? Can you explain why your office in UK fails to identify even the most obvious mistakes on the StartCom website as outlined in http://www.percya.com/2016/09/startcom-operated-solely-in-china.html ? E.g Start to sell, make big money! Setup your own website, start t

Re: Incidents involving the CA WoSign

2016-09-03 Thread Andy Ligg
You are completely wrong! StartCom not only has offices in Israel and in China, but also has an office in the UK, welcome to visit our UK office: T05, Castlemead, Lower Castle Street, Bristol, BS1 3AG, UK. And we will set up an office in Bilbao, Spain this month, Inigo Barreia is the general manage

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > > On 02/09/16 16:21, Peter Bowen wrote: > > > It seems then there is a newly exposed bug. > > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edb

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > On 02/09/16 16:21, Peter Bowen wrote: > > It seems then there is a newly exposed bug. > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > > shows a certificate issued by your CA

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 16:21, Peter Bowen wrote: > It seems then there is a newly exposed bug. > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > shows a certificate issued by your CA that has a notBefore in March > 2015. It does not appear in the CT log.

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand SS

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 18:00, Andrew Ayer wrote: > I don't think relying on the notBefore date is a viable option. > WoSign seems to have such a poor handle on their operations that I > think it would be inevitable that someone would find a certificate in > the wild with a notBefore date in the past that had

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 9:57:24 PM UTC-7, Percy wrote: > Richard, > You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large > )that "WoSign has been oppressed by large American companies over the years > but has been growing steadily over the past 10 years and is now

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Richard, You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large )that "WoSign has been oppressed by large American companies over the years but has been growing steadily over the past 10 years and is now the 8th largest CA in the world". Is EFF one of your so called oppres

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Percy Alpha(PGP ) On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hates WoSign so deeply, we know he > represents which CA, everything is clear now. > Are you f**king kidding me? I cu

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hates WoSign so deeply, we know he > represents which CA, everything is clear now. Richard, With all due respect, many of the people who participate in this dev-security-policy group work for companies th

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
From the screenshot, we know why Percy hates WoSign so deeply, we know he represents which CA, everything is clear now. BTW, as I said, the two related pages on our website are deleted. Regards, Richard > On 3 Sep 2016, at 02:16, Percy wrote: > >> On Friday, September 2, 2016 at 3:07:46 A

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:31:39AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > > Do you also plan to submit these to at least one Google-operated log? > > > > Did you mean "non-Google-

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 10:27:04AM +, Richard Wang wrote: > (2) What I mean is please think about the current users if any action; 10% > from government websites, 6 customers are among the top 10 eCommerce websites in > China; I'm reminded of a line from an old episode of a rather crass TV show, which

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > Do you also plan to submit these to at least one Google-operated log? > > Did you mean "non-Google-operated log"? I was under the impression that we > didn't want everyt

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > Do you also plan to submit these to at least one Google-operated log? Did you mean "non-Google-operated log"? I was under the impression that we didn't want everything being stuffed into just Google logs. - Matt -- I really didn't

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 09:01:47AM +, Richard Wang wrote: > You mean if a Chinese, a Chinese company owns a USA CA, then the USA CA becomes > untrustworthy? If the Chinese company or US CA are making legal threats to try and suppress disclosure of the ownership, and the Chinese company is

Re: Incidents involving the CA WoSign

2016-09-02 Thread Erwann Abalea
Le vendredi 2 septembre 2016 19:45:37 UTC+2, Percy a écrit : > Some facts for Mozilla to consider. WoSign Root is never trusted by Apple > https://support.apple.com/en-ca/HT205205 > https://support.apple.com/en-ca/HT205204 > > However, all WoSign leaf certs are trusted on Apple devices becaus

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote: > Hi Richard, > > On 01/09/16 04:04, Richard Wang wrote: > > First, please treat WoSign as a global trusted CA, DON'T stamp it as a > > China CA. We need fair treatment like other worldwide CAs; I am > > sure WoSign is not the

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Some facts for Mozilla to consider. WoSign Root is never trusted by Apple https://support.apple.com/en-ca/HT205205 https://support.apple.com/en-ca/HT205204 However, all WoSign leaf certs are trusted on Apple devices because WoSign intermediate authority is signed by StartCom. __

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 07:27:13PM +0200, Kurt Roeckx wrote: > On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > > 2. A certificate has already been found which they didn't log to CT > > despite their assertion that they had logged all certificates, > > Can you please point to those t

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > 2. A certificate has already been found which they didn't log to CT > despite their assertion that they had logged all certificates, Can you please point to those that weren't logged? Kurt ___

Re: Incidents involving the CA WoSign

2016-09-02 Thread Andrew Ayer
On Fri, 2 Sep 2016 11:19:18 +0100 Gervase Markham wrote: > On 31/08/16 19:13, Ryan Sleevi wrote: > > A) Remove the CA. Users may manually trust it if they re-add it, > > but it will not be trusted by default. > > > F) Distrust all certs with a notBefore date after date X, and require > the

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
We will check this tomorrow. Now our time is 23:32 at night. Regards, Richard > On 2 Sep 2016, at 23:20, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: >> Yes, we posted all 2015 issued SSL from WoSign trusted root. >> >>> On 2 Sep 2016, at 22:55, Peter Bowen w

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: > Yes, we posted all 2015 issued SSL from WoSign trusted root. > > On 2 Sep 2016, at 22:55, Peter Bowen wrote: >> Based on CT logs, I have seen certificates from the CAs below, all of >> which have "WoSign" in the name. Have you logged all cert

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Yes, we plan to post to one of the Google log servers tomorrow. Regards, Richard > On 2 Sep 2016, at 22:54, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015-issued SSL certificates are posted to >> WoSign CT log server: https:

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Yes, we posted all 2015-issued SSL certs from WoSign trusted roots. Your list -- the ims root is our test root that is not trusted by any browser, we don't post the test certs. And some intermediate CAs in the list are for client certificates like CN=沃通 Email 客户端根证书, CN=CA 沃通 Email 客户端证书 G2; And some are the cod

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
(forgot the list) On Fri, Sep 2, 2016 at 7:55 AM, Peter Bowen wrote: > On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015-issued SSL certificates are posted to >> WoSign CT log server: https://ctlog.wosign.com, total 101,410 certificates. > > Richard, > >

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: > We finished the CT posting, all 2015-issued SSL certificates are posted to > WoSign CT log server: https://ctlog.wosign.com, total 101,410 certificates. Richard, Based on CT logs, I have seen certificates from the CAs below, all of which have

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
-Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign > And, as others have pointed out in this thread, WoSign is v

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, On 01/09/16 04:04, Richard Wang wrote: > First, please treat WoSign as a glob

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
On 31/08/16 19:13, Ryan Sleevi wrote: > A) Remove the CA. Users may manually trust it if they re-add it, but it will > not be trusted by default. F) Distrust all certs with a notBefore date after date X, and require the CA to apply for re-inclusion to get the distrust lifted. (I.e. what happ

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 02/09/16 06:59, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that requires him to shut down the site within the > time limit. Every re-distribution of the wrong information will make > his penalty heavier (including site cache or

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 01/09/16 04:04, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp it as a > China CA. We need fair treatment like other worldwide CAs; I am > sure WoSign is not the first CA that has had an incident, and not the > serious one; We are keen to treat WoSign

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Friday, September 2, 2016 4:51 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthin

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthiness of CAs is *entirely* on topic. - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://l

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On 2016-09-02 05:59, Peter Gutmann wrote: > Vincent Lynch writes: >> I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) should make a statement about this. > +1. I'd already asked for something like this earlier and got silence as a response, which isn't inspiring confidence.

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Just wrote a blog post on this. WoSign's secret purchase of StartCom; WoSign threatened legal actions over the disclosure http://www.percya.com/2016/09/wosigns-secret-purchase-of-startcom.html

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
: Richard Wang Cc: Ryan Sleevi ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wed, Aug 31, 2016 at 8:04 PM, Richard Wang wrote: > (1) WoSign totally issued 100K SSL certificates in 2015 that we are > posting to CT log server (not 115K, So

Re: Incidents involving the CA WoSign

2016-09-01 Thread Percy
On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote: > Please remember this sentence: > Every re-distribution of the wrong information will make his penalty heavier (including > site cache or mirror site). > > You are harming him! You stated that he was a former employee of StartCom

RE: Incidents involving the CA WoSign

2016-09-01 Thread Richard Wang
-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Fri, Sep 02, 2016 at 05:59:19AM +, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that requires him to shut down the site within the > l
