Re: Incidents involving the CA WoSign

involving the CA WoSign On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.co

Re: Incidents involving the CA WoSign

On 10/10/16 08:15, Michael Ströder wrote: > Which "Chrome users"? All of them as a collective body. Standard revocation doesn't hold up in an active attack scenario. If someone has control of your customers' internet connection sufficient that they can direct a request that was meant to go to

Re: Incidents involving the CA WoSign

Gervase Markham wrote: > On 07/10/16 04:21, Peter Gutmann wrote: >> That still doesn't necessarily answer the question, Google have their CRLSets >> but they're more ineffective than effective in dealing with revocations >> (according to GRC, they're 98% ineffective, >>

Re: Incidents involving the CA WoSign

On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.com/revocation/crlsets.htm). That

Re: Incidents involving the CA WoSign

On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote: > Kurt Roeckx writes: > > >This is why browsers have something like OneCRL, so that they actually do > >know about it and why Rob added that information to the bug tracker ( >

Re: Incidents involving the CA WoSign

Kurt Roeckx writes: >This is why browsers have something like OneCRL, so that they actually do >know about it and why Rob added that information to the bug tracker ( >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). That still doesn't necessarily answer the question,

Re: Incidents involving the CA WoSign

It is an interesting aspect that the Mozilla community has not discussed thoroughly, or at all. Cross-signing a third party intermediate cert is equivalent to sharing of trust, that any CA should only consider it with extreme care. Is it possibly know how many intermediate cert that is

Re: Incidents involving the CA WoSign

On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote: > Rob Stradling writes: > > >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any >

Re: Incidents involving the CA WoSign

Peter Gutmann wrote: > Rob Stradling writes: > >> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >> either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information

Re: Incidents involving the CA WoSign

> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information could be propagated to > browsers. Good question. Regardless of the answer,

Re: Incidents involving the CA WoSign

Rob Stradling writes: >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >either. What I was really asking, in a tongue-in-cheek way, was whether there was any indication of how successfully the information could be propagated to browsers.

Re: Incidents involving the CA WoSign

On 05/10/16 14:09, Peter Gutmann wrote: > Rob Stradling writes: > >> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >> we'd issued to WoSign: > > This allows us to examine the modern Internet variant of an old philosophical > question,

Re: Incidents involving the CA WoSign

Rob Stradling writes: >Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >we'd issued to WoSign: This allows us to examine the modern Internet variant of an old philosophical question, "If a certificate is revoked in the web PKI and no one

Re: Incidents involving the CA WoSign

On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: >

Re: Incidents involving the CA WoSign

Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign: https://crt.sh/?id=3223853 https://crt.sh/?id=12716343 https://crt.sh/?id=12716433 See also: https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 On 06/09/16 11:11, Rob Stradling wrote: > Hi

Re: Incidents involving the CA WoSign

On 23/09/16 12:38, Richard Wang wrote: > Please check this news (Feb 25th 2015) in OSCCA website: > http://www.oscca.gov.cn/News/201312/News_1254.htm that all China > licensed CA finished the PKI/CA system upgrade that all licensed CA > MUST be able to issue SM2 certificate to subscribers. I have

Re: Incidents involving the CA WoSign

On 23/09/2016 14:12, Kurt Roeckx wrote: On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able

Re: Incidents involving the CA WoSign

On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to

RE: Incidents involving the CA WoSign

cy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Gervase Markham Sent: Friday, September 23, 2016 6:55 PM To: Han Yuwei <hanyuwe...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 23/09/16 11:49, Han Yuwe

Re: Incidents involving the CA WoSign

On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.gov.cn/Column/Column_32.htm > > If anybody want a English version of laws & regulations, Percy and I may help. No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not

Re: Incidents involving the CA WoSign

On 23/09/16 07:55, Richard Wang wrote: > This is the final statement about the incident: > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) Thank you. Gerv ___ dev-security-policy mailing list

Re: Incidents involving the CA WoSign

> > -Original Message- > > From: dev-security-policy [mailto:dev-security-policy-bounces+richard > <javascript:;> > > <javascript:;>=wosign@lists.mozilla.org <javascript:;> > <javascript:;>] On Behalf Of > > Richard Wang >

Re: Incidents involving the CA WoSign

Friday, September 16, 2016 6:05 PM > To: Gervase Markham <g...@mozilla.org <javascript:;>> > Cc: mozilla-dev-security-pol...@lists.mozilla.org <javascript:;> > Subject: RE: Incidents involving the CA WoSign > > Hi Gerv, > > This is the final report: https://

RE: Incidents involving the CA WoSign

Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_091620

RE: Incidents involving the CA WoSign

1:50 PM To: Peter Bowen <pzbo...@gmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org> Subject: RE: Incidents involving the CA WoSign For security, the notBefore time is not the exact time of signing, random from 20 minutes to 40 minutes a

RE: Incidents involving the CA WoSign

ervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang <rich...@wosign.com> wrote: >> Are you saying out of over 40,000 orders over the last year, only six >

Re: Incidents involving the CA WoSign

On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote: >> Are you saying out of over 40,000 orders over the last year, only six >> "stopped to move forward" for a period of a week or more and these happen to >> all have been ordered on Sunday, December 20, 2015 (China time)? >

RE: Incidents involving the CA WoSign

olicy > [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o > rg] On Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the

RE: Incidents involving the CA WoSign

gt; Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm having a really hard time reconciling what you describe with what is found in the CT logs and what I observed today when doing as you suggested

Re: Incidents involving the CA WoSign

e, thanks. > > Regards, > > Richard > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-

Re: Incidents involving the CA WoSign

Not this case. Gerv ask why the order is placed at Aug. 12th 2015, why it is issued at Dec. 20th 2015, since he finished the domain validation at Dec 20th. Best Regards, Richard On Sep 21, 2016, at 22:54, Kurt Roeckx > wrote: On 2016-09-21 16:26,

Re: Incidents involving the CA WoSign

On 2016-09-21 16:26, Richard Wang wrote: R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is

Re: Incidents involving the CA WoSign

On 24/08/16 14:08, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. I have recently updated https://wiki.mozilla.org/CA:WoSign_Issues to draw some conclusions for

RE: Incidents involving the CA WoSign

...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason for > us to help them get the SHA-1 certificate if we are inten

Re: Incidents involving the CA WoSign

Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason > for us to help them get the SHA-1 certificate if we are intentional, > and some certificate is even never used or even not retrieved

RE: Incidents involving the CA WoSign

See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Subject: Re: Incidents involving the CA

Re: Incidents involving the CA WoSign

; > > > > Best Regards, > > > > Richard > > > > -Original Message- > > From: Peter Bowen [mailto:pzbo...@gmail.com <javascript:;>] > > Sent: Tuesday, September 20, 2016 10:18 AM >

Re: Incidents involving the CA WoSign

On 21/09/16 11:10, Kurt Roeckx wrote: > I didn't read it like that, and that the assets they have in WoSign > should be more than 10% of the total assets. So that WoSign would be > more than 10% of the USD$9.99B. Oops. You are right. My apologies! I thought the benchmark was the size of the

Re: Incidents involving the CA WoSign

On 2016-09-21 12:11, Richard Wang wrote: Please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes. This is a little misleading. The hex

RE: Incidents involving the CA WoSign

See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <mailto:rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16

Re: Incidents involving the CA WoSign

On 2016-09-21 11:16, Gervase Markham wrote: Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do

Re: Incidents involving the CA WoSign

Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: > Qihoo 360 is a company valued at USD$9.99B as it finished the > privatization on July 15th 2016, we have invested in more than 200 > companies across the world, Wosign is just a very small one and we > even do not have any people sent to this company

Re: Incidents involving the CA WoSign

hanks， > Xiaosheng Tan > Sent from 360 Q5 Mobile Phone > > 发件人： Kurt Roeckx <k...@roeckx.be> > 发送时间： 2016年9月20日 23:45 > 收件人： mozilla-dev-security-pol...@lists.mozilla.org > 主题： Re: Incidents involving the CA WoSign > > On 2016-09-20

Re: Incidents involving the CA WoSign

la.org 主题： Re: Incidents involving the CA WoSign On 2016-09-20 17:31, 谭晓生 wrote: > Dear Gerv and all, > > Qihoo 360 is a company valued at USD$9.99B as it finished the privatization > on July 15th 2016, we have invested in more than 200 companies across the > world, Wosign is

Re: Incidents involving the CA WoSign

On 2016-09-20 17:31, 谭晓生 wrote: Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this

Re: Incidents involving the CA WoSign

; > Sent: Tuesday, September 20, 2016 10:18 AM > > To: Richard Wang <rich...@wosign.com <javascript:;>> > > Cc: Nick Lamb <tialara...@gmail.com <javascript:;>>; > > mozilla-dev-security-pol...@lists.mozilla.org <javascript:;> &

Re: Incidents involving the CA WoSign

Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this company after the investment, the

Re: Incidents involving the CA WoSign

Hi Richard, On 16/09/16 11:05, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. Thank you for this report. I have a few follow-up

Re: Incidents involving the CA WoSign

Hello Xiaosheng, Welcome to our discussion forum :-) It may help you to know that participants in this forum come from a wide range of backgrounds and companies, and the only ones who represent Mozilla are the ones listed here: http://wiki.mozilla.org/CA:Policy_Participants as doing so. On

Re: [FORGED] Re: Incidents involving the CA WoSign

Peter Bowen writes: >As someone pointed out on Twitter this morning, it seems that the PSC >notification for Startcom UK was filed recently: >https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf So if I'm

Re: Incidents involving the CA WoSign

0, 2016 10:18 AM > To: Richard Wang <rich...@wosign.com <javascript:;>> > Cc: Nick Lamb <tialara...@gmail.com <javascript:;>>; > mozilla-dev-security-pol...@lists.mozilla.org <javascript:;> > Subject: Re: Incidents involving the CA WoSign > > Richard,

RE: Incidents involving the CA WoSign

d > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o > rg] On Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Inciden

Re: Incidents involving the CA WoSign

ity-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > On Tuesday, 20 Sept

RE: Incidents involving the CA WoSign

Lamb Sent: Tuesday, September 20, 2016 9:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > a

Re: Incidents involving the CA WoSign

On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > and all related parent companies that up to nine generations! I think this is > NOT the best practice in the modern law-respect society. It seems

RE: Incidents involving the CA WoSign

Bonsoir Richard, This info should probably be added to the thread "WoSign's ownership of StartCom", and then Peter's complementary questions are legitimate ones, being in line with Mozilla's concerns. ___ dev-security-policy mailing list

RE: Incidents involving the CA WoSign

r Bowen [mailto:pzbo...@gmail.com] Sent: Monday, September 19, 2016 10:31 PM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm still somewhat confuse

Re: Incidents involving the CA WoSign

PM > To: Gervase Markham <g...@mozilla.org> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > &

RE: Incidents involving the CA WoSign

@lists.mozilla.org] On Behalf Of Richard Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/

Re: Incidents involving the CA WoSign

* Richard Wang: >> Thus, do you believe it was faithful and accurate for Management to >> warrant that the CA was operated in compliance with the BRs, given >> that Management was aware of incidents of non-compliance? > > This is my fault that I think it is not serious enough to state in > the

Re: Incidents involving the CA WoSign

Thank you very much for helping us. For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard > On Sep 16, 2016, at 22:32, Vincent Lynch wrote: > >> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: >> Hi Gerv, >>

Re: Incidents involving the CA WoSign

Please read the report carefully that it is NOT the validation system is hijacked. Regards, Richard > On Sep 16, 2016, at 21:31, Han Yuwei wrote: > > 在 2016年9月16日星期五 UTC+8下午6:07:56，Richard Wang写道： >> Hi Gerv, >> >> This is the final report: >>

Re: Incidents involving the CA WoSign

On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. > > > Best Regards, > > Richard

Re: Incidents involving the CA WoSign

t; Richard Wang > CEO > WoSign CA Limited > > > -Original Message- > From: Gervase Markham > Sent: Wednesday, September 7, 2016 7:00 PM > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign

RE: Incidents involving the CA WoSign

, September 7, 2016 7:00 PM To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end it, > it doesn’t worth to

Re: Incidents involving the CA WoSign

On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote: > We will publish a more comprehensive report in the next several days that > will attempt to cover most / all issues. > Thanks for your patience. Richard, Thank you in advance for working on a comprehensive report. I

Re: Incidents involving the CA WoSign

Hi all, We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. Thanks for your patience. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang

Re: Incidents involving the CA WoSign

> From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.moz

Re: Incidents involving the CA WoSign

On 07/09/2016 16:01, Thijs Alkemade wrote: On 07 Sep 2016, at 14:52, Rob Stradling wrote: On 06/09/16 19:12, Thijs Alkemade wrote: Hello, We obtained 2 certificates from the StartEncrypt API which had SHA-1 signatures and which were backdated to December 20,

Re: Incidents involving the CA WoSign

gt; better after getting this so big lesson. >> Thank you. >> >> >> Best Regards, >> >> Richard Wang >> CEO >> WoSign CA Limited >> >> >> -Original Message- >> From: dev-security-policy >> [m

Re: Incidents involving the CA WoSign

Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi all, > > We finished the investigation and rel

Re: Incidents involving the CA WoSign

On Wednesday, September 7, 2016 at 7:00:54 AM UTC-4, Gervase Markham wrote: > Hi Richard, > > On 07/09/16 11:06, Richard Wang wrote: > > This discuss has been lasting two weeks, I think it is time to end > > it, it doesn’t worth to waste everybody’s precious time. > > Unfortunately, I think we

Re: Incidents involving the CA WoSign

On 08/09/16 11:39, Rob Stradling wrote: > Consider https://crt.sh/?id=30629293, for example. Are you really > suggesting that this was issued on 2nd September 2016 but backdated to > 20th December 2015? For simplicity, I've removed this section from Issue S. I think the evidence related there

Re: Incidents involving the CA WoSign

On 07/09/16 17:02, Gervase Markham wrote: > On 07/09/16 13:52, Rob Stradling wrote: >> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to >> see an explanation), but I'm not convinced that it proves everything you >> think it proves. > > Hi Rob, > > My digest of Thijs's

Re: Incidents involving the CA WoSign

osign@lists.mozilla.org] On > Behalf Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi all, > > We fin

Re: Incidents involving the CA WoSign

On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote: > On 2016-09-07 13:00, Gervase Markham wrote: > > Hi Richard, > > > > On 07/09/16 11:06, Richard Wang wrote: > > > This discuss has been lasting two weeks, I think it is time to end > > > it, it doesn’t worth to waste everybody’s

Re: Incidents involving the CA WoSign

et] > Sent: Wednesday, September 7, 2016 12:06 AM > To: Richard Wang <rich...@wosign.com>; Gervase Markham <g...@mozilla.org>; > dev-security-policy@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > Hi, > > section 1.4. Impact Analyti

Re: Incidents involving the CA WoSign

On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote: > ... we can't find the info what port is used, our CMS system just record this > order is validated by website control validation method, not record the used > port at that time. > > Why we can find out other 72

Re: Incidents involving the CA WoSign

On 07/09/16 13:52, Rob Stradling wrote: > Hi Thijs. I agree that this pattern is interesting (and it'd be nice to > see an explanation), but I'm not convinced that it proves everything you > think it proves. Hi Rob, My digest of Thijs's work (and that of others investigating the same issues) is

Re: Incidents involving the CA WoSign

On 07/09/16 15:01, Thijs Alkemade wrote: > What is suspicious is: > > - Twice as many SHA-1 certificates being issued on a specific Sunday in > December than the daily average that month. (Which also happens to be the > date on the certificates which I personally got from the StartEncrypt

Re: Incidents involving the CA WoSign

On 06/09/16 19:12, Thijs Alkemade wrote: > Hello, > > We obtained 2 certificates from the StartEncrypt API which had SHA-1 > signatures and which were backdated to December 20, 2015. > > After WoSign announced that all certificates issued in 2015 were logged to > their Certificate

Re: Incidents involving the CA WoSign

We posted all 2015 certificates, total 109,405 We almost finished 2016 certificates, till now, 129,426, not finished. All 392 cert is not from one serial number, it is from several serial numbers. Regards, Richard > On 7 Sep 2016, at 20:07, Kurt Roeckx wrote: > >> On

Re: Incidents involving the CA WoSign

On 2016-09-07 13:00, Gervase Markham wrote: Hi Richard, On 07/09/16 11:06, Richard Wang wrote: This discuss has been lasting two weeks, I think it is time to end it, it doesn’t worth to waste everybody’s precious time. Unfortunately, I think we may be only beginning. I have prepared a list

Re: Incidents involving the CA WoSign

Got it, thanks. We will reply to you soon. By the way, the link you used in the page to our report is not correct. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >> This discuss has been lasting

Re: Incidents involving the CA WoSign

Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end > it, it doesn’t worth to waste everybody’s precious time. Unfortunately, I think we may be only beginning. I have prepared a list of the issues we are tracking with WoSign's

RE: Incidents involving the CA WoSign

[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Sunday, September 4, 2016 5:49 PM To: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi all, We fi

Re: Incidents involving the CA WoSign

On 06/09/16 11:11, Rob Stradling wrote: > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External > CA Root" root [3], but we revoked the cross-certificates in December > 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as > revoked to Salesforce [5]. (I don't

Re: Incidents involving the CA WoSign

On 06/09/2016 19:49, Jonathan Rudenberg wrote: On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: I thought Wosign's report is not very convincible. The bug of subdomain have existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of

Re: Incidents involving the CA WoSign

On 01 Sep 2016, at 18:00, Ryan Sleevi wrote: > > Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this > the only one? I wasn't clear from > https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ > >

Re: Incidents involving the CA WoSign

On 05/09/16 23:58, Peter Bowen wrote: > 1) Should any action be taken against the operators of these CAs due > to the incidents listed? > > My view is that the correct answer is "no, unless it is demonstrated > that the CA operator had knowledge of undisclosed incidents", as I > believe that the

Re: Incidents involving the CA WoSign

> On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: > > I thought Wosign's report is not very convincible. The bug of subdomain have > existed for a long time and it made me feel it is a feature not a bug. It's > not a secret among the admin of personal or small sites. I am not very >

Re: Incidents involving the CA WoSign

On Saturday, September 3, 2016 at 1:31:17 PM UTC-4, Andy Ligg wrote: > You are completely wrong! > > StartCom not only have office in Israel and in China, but also have > office in UK, welcome to visit our UK office: T05, Castlemead, Lower > Castle Street, Bristol, BS1 3AG, UK. Thanks for

Re: Incidents involving the CA WoSign

Hello, First of all let me state that I am in no way involved in the operation of a certificate authority, nor am I involved in setting CA policy for any organisation; I am merely an interested observer. I am a user of Mozillas' trust store, both directly through Firefox and Thunderbird, and

Re: Incidents involving the CA WoSign

For page 19 of the report, I have one question: If the subscriber MUST transfer the payment from his company bank account, why subscriber fake the company seal as figure 20? And from figure 21's information, one fraud company transfered the payment from alipay, NOT his company bank! 在

Re: Incidents involving the CA WoSign

Hi, section 1.4. Impact Analytics in the report contains a list of 72 certificates, for which the domain validation was done on a high port. On 2015-04-20 I have obtained a certificate for a domain name that I validated using port 8080 but that certificate is not listed in the report. This is

Re: Incidents involving the CA WoSign

I thought Wosign's report is not very convincible. The bug of subdomain have existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of personal or small sites. I am not very similar to CA stuff that time,just a subscriber of Wosign's free

Re: Incidents involving the CA WoSign

On 09/05/2016 10:54 AM, Gervase Markham wrote: Hi Eddy, On 04/09/16 09:51, Eddy Nigg wrote: I don't want to extend this discussion unnecessarily, but as a side note you don't know which agreements this employee has signed with StartCom and/or WoSign and hence you can't make a judgement on it

Re: [FORGED] Re: Incidents involving the CA WoSign

Yeah, it's almost impossible to distrust all WoSign authority manually from keychain access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates ) Certification Authority of

Re: [FORGED] Re: Incidents involving the CA WoSign

Nick Lamb writes: >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: >> Why would a public CA even need cross-certification from other CAs? > >Maybe this question has some subtlety to it that I'm missing? OK, I really meant "that many other CAs". To take

Re: [FORGED] Re: Incidents involving the CA WoSign

On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? Maybe this question has some subtlety to it that I'm missing? Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a published

  1   2   3   >