Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-23 Thread Gervase Markham
On 22/12/16 14:30, Tom Delmas wrote:
> There are other mechanisms. But hard to use, especially between
> countries. As a Firefox user,
> I expect that CA trusted by Firefox are clearly identifiable and
> distinguishable from each others.

If CAs ever did something specific to Firefox or the root program, such
as submitting a root cert for inclusion whose common name was
misleading, we may well take action on that.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


RE: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-22 Thread Richard Wang
In this case, no any CA named as letsencrypt similar name, and no any CA want
to impersonate, most CA program require the root CA have a unique friendly
name in the CA program.


Best Regards,

Richard

-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Tom Delmas
Sent: Thursday, December 22, 2016 10:30 PM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn

Hi Gerv,

> It's never come up. But I think we would be reluctant to intervene;
Thank you for that answer. I understand it.

> there are other mechanisms for sorting out such disputes, and it's not
> our job to interpret or enforce trademark law or domain name dispute
> resolution law.

There are other mechanisms. But hard to use, especially between countries. As
a Firefox user, I expect that CA trusted by Firefox are clearly identifiable
and distinguishable from each others.

We need CA to avoid website impersonation. In order to achieve that, I feel
that "CA impersonation" must be avoided before all.

And the logical way to do it in my opinion is in the Mozilla CA Certificate
Policy.

Tom


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-22 Thread Tom Delmas
Hi Gerv,

> It's never come up. But I think we would be reluctant to intervene;
Thank you for that answer. I understand it.

> there are other mechanisms for sorting out such disputes, and it's not
> our job to interpret or enforce trademark law or domain name dispute
> resolution law.

There are other mechanisms. But hard to use, especially between
countries. As a Firefox user,
I expect that CA trusted by Firefox are clearly identifiable and
distinguishable from each others.

We need CA to avoid website impersonation. In order to achieve that, I
feel that "CA impersonation" must be avoided before all.

And the logical way to do it in my opinion is in the Mozilla CA
Certificate Policy.

Tom


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-22 Thread Gervase Markham
On 21/12/16 12:42, tdel...@gmail.com wrote:
> I think Mozilla still doesn't answer my first question: what is the
> position of Mozilla regarding CA that act in bad faith regarding the
> usage of the names associated with others CA (like, registering such
> trademarks or domains) ?

It's never come up. But I think we would be reluctant to intervene;
there are other mechanisms for sorting out such disputes, and it's not
our job to interpret or enforce trademark law or domain name dispute
resolution law.

Gerv


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-21 Thread tdelmas
On Monday, December 19, 2016 at 2:45:16 AM UTC+1, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.

I'm sorry about the wosign-bashing that followed. It wasn't my intention.

> We know Let's Encrypt is released after the public announcement, but two day 
> later, its .cn domain is still not registered, I think maybe it is caused by 
> the strict registration rule in China, so I registered it for protection that 
> not registered by Cornbug.

Thank you for that and for your prompt response.

I think Mozilla still doesn't answer my first question: what is the position of 
Mozilla regarding CA that act in bad faith regarding the usage of the names 
associated with others CA (like, registering such trademarks or domains) ?

Wosign's answer to my question was positive and in my opinion faithful, but 
it's not the first time a CA engages in such behavior, and I think Mozilla 
should at least make an official comment.

Best regards


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-20 Thread Lewis Resmond
People here tend to bash WoSign/StartCom the whole time and make them guilty 
for nearly everything, including the Lindbergh Kidnapping. I also do think 
people are actively searching for anything they can blame, and ignore/tolerate 
incidents of other CAs.


On Friday, 16 December 2016 19:18:27 UTC+1, tde...@gmail.com wrote:
> It seems that wosign has registered the domains letsencrypt.cn and 
> letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt :
> 
> whois letsencrypt.cn
> Domain Name: letsencrypt.cn
> ROID: 20141120s10001s72911711-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:27
> Expiration Time: 2017-11-20 09:57:27
> DNSSEC: unsigned
> 
> whois letsencrypt.com.cn
> Domain Name: letsencrypt.com.cn
> ROID: 20141120s10011s84227837-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:28
> Expiration Time: 2017-11-20 09:57:28
> 
> Let's Encrypt was announced publicly on November 18, 2014 ( 
> http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm
>  ). That domain appear to be registered two days after.
> 
> Certificate authorities are about trust. I don't feel comfortable about a CA 
> registering a domain matching the name of another CA. What is the position of 
> Mozilla about that?
> Maybe Let's Encrypt or wosign have more information about these domains?
> 
> https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786
> 
> Other relevant thread: Comodo Legal Phishing attack against ISRG?
> https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ



Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-20 Thread Han Yuwei
On Tuesday, December 20, 2016 at 8:21:33 PM UTC+8, Tom wrote:
> According to The Uniform Domain-Name Dispute-Resolution Policy, 
> letsencrypt.cn seem use in bad faith.
> 
> On December 20, 2016 2:45:47 PM GMT+08:00, "谭晓生"  wrote:
> >It is ICP license you talked about, you can find some information here:
> >https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ
> >
> >It is almost impossible to register a .cn or .com.cn domain in China
> >for a foreign company which do not have a legal entity in China,
> >legally.
> >The websites will be blocked for access by the ISP/Telco if the
> >websites were hosted in China but do not have valid ICP licenses or
> >even the IPs have not been registered to the government. if it is not
> >that hard before, but it has more and more regulatory polices.
> 
> Yep. As far as I know, it must use the service of one of Chinese hosting 
> providers. Therefore, .cn domain name must point to Chinese IP address.
> 
> On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei  
> wrote:
> >Since letsencrypt.org is very famous, I think the best way is to
> >redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org
> 
> And, It is disallowed redirecting to the website which haven't ICP license.
> 
> tanxiaosh...@360.cn wrote:
> >For Letsencrypt, if you want to own the .cn or .com.cn domain legally,
> >think of to set a legal entity in China.
> 
> I don't think it's a good idea. It may will take much time and money for 
> organization. And I think that Chinese government is not friendly to foreign 
> companies/organizations.

.cn can use CNAME redirect and isn't required to point to a Chinese IP address. 
ICP is for *host* not for domain.

I think this is out of m.d.s.p's scope. Maybe we can leave this to Letsencrypt 
and Wosign.


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-20 Thread Tom
According to The Uniform Domain-Name Dispute-Resolution Policy, letsencrypt.cn 
seem use in bad faith.

On December 20, 2016 2:45:47 PM GMT+08:00, "谭晓生"  wrote:
>It is ICP license you talked about, you can find some information here:
>https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ
>
>It is almost impossible to register a .cn or .com.cn domain in China
>for a foreign company which do not have a legal entity in China,
>legally.
>The websites will be blocked for access by the ISP/Telco if the
>websites were hosted in China but do not have valid ICP licenses or
>even the IPs have not been registered to the government. if it is not
>that hard before, but it has more and more regulatory polices.

Yep. As far as I know, it must use the service of one of Chinese hosting 
providers. Therefore, .cn domain name must point to Chinese IP address.

On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei  
wrote:
>Since letsencrypt.org is very famous, I think the best way is to
>redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org

And, It is disallowed redirecting to the website which haven't ICP license.

tanxiaosh...@360.cn wrote:
>For Letsencrypt, if you want to own the .cn or .com.cn domain legally,
>think of to set a legal entity in China.

I don't think it's a good idea. It may will take much time and money for 
organization. And I think that Chinese government is not friendly to foreign 
companies/organizations.





RE: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Samuel Pinder
As far as I know, transferring by entering the name and address of the
person to transfer to would work via your registrar. But then CNNIC
will want to see a photo of a passport showing the name of the person
in full within a certain deadline, otherwise the domain would be
suspended. A registrar gathers this from the intended registrant and
they send it to CNNIC on your behalf, you don't send it directly to
CNNIC. Of course there is distinction between a person and a company,
if you're transferring to a company, you'll need business documents
showing registration details.
See this FAQ: https://cnnic.com.cn/IS/CNym/cnymyhfaq/#8_1
One more thing to be aware of not listed in the FAQ there: CNNIC will
want to know if you will be using the domain within China, as that
requires an ACP licence for any website hosted on port 80, 8080, or
443. Choosing "no" would mean the domain would resolve, but any
website on it would be inaccessible within China and would only work
abroad, since ACP licences *apparently* are only available to Chinese
companies. What this effectively means for Let's Encrypt, you'd have
the domain name to protect it, but wouldn't be able to use it within
China unless you had an actual presence there and acquired an ACP
licence. I registered a .cn domain some time ago, so just thought I'd
share my knowledge. Good luck, and sorry it kinda goes outside the
scope of this thread.
Sam


On Tue, Dec 20, 2016 at 2:28 AM, Richard Wang <rich...@wosign.com> wrote:
> I got the email from Josh, this is my reply:
>
> Hi Josh,
>
> Glad to receive your formal request email.
>
> Yes, it is hard to register a domain for foreigner, I also don't know how to 
> transfer to you. What I can do now is to resolute it to your website.
>
> As I said we can transfer to you at any time.
>
>
> Best Regards,
>
> Richard
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of j...@letsencrypt.org
> Sent: Monday, December 19, 2016 12:36 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn
>
> We had some trouble figuring out how to purchase a Chinese domain name before
> we launched, so we didn't purchase it then. We've never talked to wosign about
> this before, and we haven't seen the domain used for anything confusing so
> far. This is our first interaction about it and we're happy to hear that
> Richard would like to help us out by transferring the domains.
>
> Thanks Richard, I'll be in touch.
>
> On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
>> I wish everyone can talk about this case friendly and equally.
>>
>> It is very common that everyone can register any domain based on the first
>> come and first service rule.
>>
>> We know Let's Encrypt is released after the public announcement, but two day
>> later, its .cn domain is still not registered, I think maybe it is caused by
>> the strict registration rule in China, so I registered it for protection
>> that not registered by Cornbug.
>>
>> We don’t use those domains for any WoSign's services that we provide
>> similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
>>
>> Now, if Mozilla or Let’s Encrypt contact me officially and request to
>> transfer the two domains to them, no any problem, we can transfer to them
>> for FREE!
>>
>> But please notice that this arrangement is for friendship, not for others
>> ..
>>
>>
>> Best Regards,
>>
>> Richard


RE: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Richard Wang
I got the email from Josh, this is my reply:

Hi Josh,

Glad to receive your formal request email.

Yes, it is hard to register a domain for foreigner, I also don't know how to 
transfer to you. What I can do now is to resolute it to your website.

As I said we can transfer to you at any time.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of j...@letsencrypt.org
Sent: Monday, December 19, 2016 12:36 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn

We had some trouble figuring out how to purchase a Chinese domain name before 
we launched, so we didn't purchase it then. We've never talked to wosign about 
this before, and we haven't seen the domain used for anything confusing so 
far. This is our first interaction about it and we're happy to hear that 
Richard would like to help us out by transferring the domains.

Thanks Richard, I'll be in touch.

On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
>
> It is very common that everyone can register any domain based on the first 
> come and first service rule.
>
> We know Let's Encrypt is released after the public announcement, but two day 
> later, its .cn domain is still not registered, I think maybe it is caused by 
> the strict registration rule in China, so I registered it for protection 
> that not registered by Cornbug.
>
> We don’t use those domains for any WoSign's services that we provide 
> similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
>
> Now, if Mozilla or Let’s Encrypt contact me officially and request to 
> transfer the two domains to them, no any problem, we can transfer to them 
> for FREE!
>
> But please notice that this arrangement is for friendship, not for others 
> ..
>
>
> Best Regards,
>
> Richard


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Percy
On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
> 
> It is very common that everyone can register any domain based on the first 
> come and first service rule.
> 
> We know Let's Encrypt is released after the public announcement, but two day 
> later, its .cn domain is still not registered, I think maybe it is caused by 
> the strict registration rule in China, so I registered it for protection that 
> not registered by Cornbug.
> 
> We don’t use those domains for any WoSign's services that we provide similar 
> service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
> 
> Now, if Mozilla or Let’s Encrypt contact me officially and request to 
> transfer the two domains to them, no any problem, we can transfer to them for 
> FREE!
> 
> But please notice that this arrangement is for friendship, not for others 
> ..
> 
> 
> Best Regards,
> 
> Richard
> 
> -Original Message-
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
> Behalf Of tdel...@gmail.com
> Sent: Saturday, December 17, 2016 1:34 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: wosign and letsencrypt.cn / letsencrypt.com.cn
> 
> It seems that wosign has registered the domains letsencrypt.cn and 
> letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt :
> 
> whois letsencrypt.cn
> Domain Name: letsencrypt.cn
> ROID: 20141120s10001s72911711-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:27
> Expiration Time: 2017-11-20 09:57:27
> DNSSEC: unsigned
> 
> whois letsencrypt.com.cn
> Domain Name: letsencrypt.com.cn
> ROID: 20141120s10011s84227837-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:28
> Expiration Time: 2017-11-20 09:57:28
> 
> Let's Encrypt was announced publicly on November 18, 2014 ( 
> http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm
>  ). That domain appear to be registered two days after.
> 
> Certificate authorities are about trust. I don't feel comfortable about a CA 
> registering a domain matching the name of another CA. What is the position of 
> Mozilla about that?
> Maybe Let's Encrypt or wosign have more information about these domains?
> 
> https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786
> 
> Other relevant thread: Comodo Legal Phishing attack against ISRG?
> https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ

I found WoSign's explanation completely incredulous.  

WoSign has been sending **unsolicited** marketing emails to websites that use 
Let's Encrypt cert essentially saying Let's Encrypt might revoke cert at will 
and ask users to switch to WoSign (Email attached). After I posted on the forum 
about this, WoSign stated "From the screenshot, we know why Percy hate WoSign 
so deeply, we know he represent which CA[Let's Encrypt], everything[about all 
those incidents surrounding WoSign that led to its distrust] is clear now. " 
(https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/IxnAbfFGDQAJ)

I find it hard to believe that if WoSign thought Let's Encrypt is a company 
that will send troll to undermine WoSign, WoSign would register Let's Encrypt's 
domain to protect Let's Encrypt's trademark. (Admittedly, WoSign's accusation 
of me came later but I'm assuming his attitudes towards Let's Encrypt is the 
same over the years). 

-
This is a typical unsolicited marketing email they sent to Let's Encrypt users. 
 https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large Translated below.
---
Dear friend:
I'm *** from WoSign CA. WoSign is the first SSL cert company in China. Your 
website *'s SSL cert is from Let's Encrypt, expiring at Oct, 2016. If you 
switch to WoSign before the expiration you can enjoy buy one year get one year 
free.

The risks associated with foreign CA:
1. Cert revocation
If foreign CA is influenced by politics and revoke certs for important Chinese 
organizations, the entire system will be paralyzed.

2. Information security risks
If the website uses foreign certs, users need to send information to foreign 
servers in every visit. Time of the visit, the location 

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Howard Xiao
On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote:
> We know Let's Encrypt is released after the public announcement, but two day 
> later, its .cn domain is still not registered, I think maybe it is caused by 
> the strict registration rule in China, so I registered it for protection that 
> not registered by Cornbug.

I found it really hard to comprehend why you believe you should be registering 
a domain name, "for protection", that belongs to another brand, especially 
where there is definitely conflict of interests involved.

> We don’t use those domains for any WoSign's services
Until a few days ago, letsencrypt.cn points to a Microsoft/21vianet Azure China 
server 211.151.125.110 [1][2]. A reverse lookup on this IP [3] yields hostnames 
implying services of WoSign (pkiclick.net, wosigncode.net, etc.). As of the 
time of this email, DNS lookup of this domain name yields NXDOMAIN, which means 
WoSign has made the effort to remove the record. Why bother to add the DNS 
record in the first place then?

[1] http://whois.domaintools.com/letsencrypt.cn
[2] http://viewdns.info/iphistory/?domain=letsencrypt.cn
[3] http://bgp.he.net/ip/211.151.125.110#_dns


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-18 Thread Han Yuwei
On Monday, December 19, 2016 at 12:36:10 PM UTC+8, jo...@letsencrypt.org wrote:
> We had some trouble figuring out how to purchase a Chinese domain name before 
> we launched, so we didn't purchase it then. We've never talked to wosign 
> about this before, and we haven't seen the domain used for anything confusing 
> so far. This is our first interaction about it and we're happy to hear that 
> Richard would like to help us out by transferring the domains.
> 
> Thanks Richard, I'll be in touch.
> 
> On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
> > I wish everyone can talk about this case friendly and equally.
> > 
> > It is very common that everyone can register any domain based on the first 
> > come and first service rule.
> > 
> > We know Let's Encrypt is released after the public announcement, but two 
> > day later, its .cn domain is still not registered, I think maybe it is 
> > caused by the strict registration rule in China, so I registered it for 
> > protection that not registered by Cornbug.
> > 
> > We don’t use those domains for any WoSign's services that we provide 
> > similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
> > 
> > Now, if Mozilla or Let’s Encrypt contact me officially and request to 
> > transfer the two domains to them, no any problem, we can transfer to them 
> > for FREE!
> > 
> > But please notice that this arrangement is for friendship, not for others 
> > ..
> > 
> > 
> > Best Regards,
> > 
> > Richard

Registering a domain in China is much more different from international common 
practice. For further advice I suggest LE should contact their lawyer.

Since letsencrypt.org is very famous, I think the best way is to redirect 
letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-18 Thread josh
We had some trouble figuring out how to purchase a Chinese domain name before 
we launched, so we didn't purchase it then. We've never talked to wosign about 
this before, and we haven't seen the domain used for anything confusing so far. 
This is our first interaction about it and we're happy to hear that Richard 
would like to help us out by transferring the domains.

Thanks Richard, I'll be in touch.

On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
> 
> It is very common that everyone can register any domain based on the first 
> come and first service rule.
> 
> We know Let's Encrypt is released after the public announcement, but two day 
> later, its .cn domain is still not registered, I think maybe it is caused by 
> the strict registration rule in China, so I registered it for protection that 
> not registered by Cornbug.
> 
> We don’t use those domains for any WoSign's services that we provide similar 
> service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)
> 
> Now, if Mozilla or Let’s Encrypt contact me officially and request to 
> transfer the two domains to them, no any problem, we can transfer to them for 
> FREE!
> 
> But please notice that this arrangement is for friendship, not for others 
> ..
> 
> 
> Best Regards,
> 
> Richard


RE: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-18 Thread Richard Wang
I wish everyone can talk about this case friendly and equally.

It is very common that everyone can register any domain based on the first come 
and first service rule.

We know Let's Encrypt is released after the public announcement, but two day 
later, its .cn domain is still not registered, I think maybe it is caused by 
the strict registration rule in China, so I registered it for protection that 
not registered by Cornbug.

We don’t use those domains for any WoSign's services that we provide similar 
service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt)

Now, if Mozilla or Let’s Encrypt contact me officially and request to transfer 
the two domains to them, no any problem, we can transfer to them for FREE!

But please notice that this arrangement is for friendship, not for others ..


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of tdel...@gmail.com
Sent: Saturday, December 17, 2016 1:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: wosign and letsencrypt.cn / letsencrypt.com.cn

It seems that wosign has registered the domains letsencrypt.cn and 
letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt :

whois letsencrypt.cn
Domain Name: letsencrypt.cn
ROID: 20141120s10001s72911711-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: d...@wosign.com
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:27
Expiration Time: 2017-11-20 09:57:27
DNSSEC: unsigned

whois letsencrypt.com.cn
Domain Name: letsencrypt.com.cn
ROID: 20141120s10011s84227837-cn
Domain Status: clientTransferProhibited
Registrant ID: k35-n2041486_00
Registrant: 深圳市沃通电子商务服务有限公司
Registrant Contact Email: d...@wosign.com
Sponsoring Registrar: 厦门三五互联科技股份有限公司
Name Server: ns3.dns-diy.com
Name Server: ns4.dns-diy.com
Registration Time: 2014-11-20 09:57:28
Expiration Time: 2017-11-20 09:57:28

Let's Encrypt was announced publicly on November 18, 2014 ( 
http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm
 ). That domain appear to be registered two days after.

Certificate authorities are about trust. I don't feel comfortable about a CA 
registering a domain matching the name of another CA. What is the position of 
Mozilla about that?
Maybe Let's Encrypt or wosign have more information about these domains?

https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786

Other relevant thread: Comodo Legal Phishing attack against ISRG?
https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ


Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-16 Thread Percy
Well, based on the previous deception of WoSign before, during and after 
Mozilla's investigation, I'm not remotely surprised to see this. 


On Friday, December 16, 2016 at 10:18:27 AM UTC-8, tde...@gmail.com wrote:
> It seems that wosign has registered the domains letsencrypt.cn and 
> letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt :
> 
> whois letsencrypt.cn
> Domain Name: letsencrypt.cn
> ROID: 20141120s10001s72911711-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:27
> Expiration Time: 2017-11-20 09:57:27
> DNSSEC: unsigned
> 
> whois letsencrypt.com.cn
> Domain Name: letsencrypt.com.cn
> ROID: 20141120s10011s84227837-cn
> Domain Status: clientTransferProhibited
> Registrant ID: k35-n2041486_00
> Registrant: 深圳市沃通电子商务服务有限公司
> Registrant Contact Email: d...@wosign.com
> Sponsoring Registrar: 厦门三五互联科技股份有限公司
> Name Server: ns3.dns-diy.com
> Name Server: ns4.dns-diy.com
> Registration Time: 2014-11-20 09:57:28
> Expiration Time: 2017-11-20 09:57:28
> 
> Let's Encrypt was announced publicly on November 18, 2014 ( 
> http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm
>  ). That domain appear to be registered two days after.
> 
> Certificate authorities are about trust. I don't feel comfortable about a CA 
> registering a domain matching the name of another CA. What is the position of 
> Mozilla about that?
> Maybe Let's Encrypt or wosign have more information about these domains?
> 
> https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786
> 
> Other relevant thread: Comodo Legal Phishing attack against ISRG?
> https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ
