Re: Found something I can't understand in these cerificates.

2017-08-02 Thread Jakob Bohm via dev-security-policy

On 02/08/2017 04:28, Han Yuwei wrote:

在 2017年8月1日星期二 UTC+8下午8:47:57,Nick Lamb写道:

On Tuesday, 1 August 2017 08:39:28 UTC+1, Han Yuwei  wrote:

1. the CN of two cerificates are same. So it is not necessary to issue two 
certificates in just 2 minutes.


I think the most likely explanation is the difference in signature algorithm, 
but it is also not uncommon for subscribers to have more than one certificate 
fo the same name for operational reasons, this is not prohibited although it 
can be useful to watch for the rate at which this happens to an issuing system 
as a possible sign of trouble.


2. second one used SHA1, though is consistent with BR, but first one used 
SHA256.


It is possible that a customer ordered a certificate and then, very quickly but 
alas after issuance they realised they had more specific needs, the SHA-256 
algorithm and the longer expiry date. Or maybe even they simply asked for the 
longer expiry and WoSign correctly pointed out that it would silly to use SHA-1 
with the longer expiry as it was to be (and has been) distrusted by that date.


3. first one has 39 month period of validity which is very rare.


Although rare this is permissible, and even, if the subscriber had a previous 
certificate for roughly the same name, a common business practice in order to 
secure customer loyalty.


4. Since they are issued so close they should be logged at CT same time but 
second one are too late.


CT logging was not mandatory at the time, and WoSign subsequently volunteered 
to upload all the extant certificates in mid-2016 during Mozilla's 
investigation of other (serious) problems.

I think these certificates are, though perhaps not entirely regular, not a sign 
of any problem at WoSign.


Thanks for your explanation. So maybe some devices require SHA1 certificate to 
operate normally?



This certificate was issued during the SHA-1 transition, and many
website operators probably wanted to have an SHA-1 certificate in case
some clients (web browsers etc.) were not yet ready.  This often
involved getting matching SHA-256 and SHA-1 certificates before the BR
deadline, then keeping the SHA-1 certificate "in stock" in case it was
needed during 2016 (when new SHA-1 web certs could no longer be issued,
but could still be valid if requested in 2015).

No/Little way of knowing if they ever deployed that SHA-1 certificate,
either generally (for all visitors), or behind some special logic to
only use it for some known-broken client types.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Found something I can't understand in these cerificates.

2017-08-01 Thread Nick Lamb via dev-security-policy
On Tuesday, 1 August 2017 08:39:28 UTC+1, Han Yuwei  wrote:
> 1. the CN of two cerificates are same. So it is not necessary to issue two 
> certificates in just 2 minutes.

I think the most likely explanation is the difference in signature algorithm, 
but it is also not uncommon for subscribers to have more than one certificate 
fo the same name for operational reasons, this is not prohibited although it 
can be useful to watch for the rate at which this happens to an issuing system 
as a possible sign of trouble.

> 2. second one used SHA1, though is consistent with BR, but first one used 
> SHA256.

It is possible that a customer ordered a certificate and then, very quickly but 
alas after issuance they realised they had more specific needs, the SHA-256 
algorithm and the longer expiry date. Or maybe even they simply asked for the 
longer expiry and WoSign correctly pointed out that it would silly to use SHA-1 
with the longer expiry as it was to be (and has been) distrusted by that date.

> 3. first one has 39 month period of validity which is very rare.

Although rare this is permissible, and even, if the subscriber had a previous 
certificate for roughly the same name, a common business practice in order to 
secure customer loyalty.

> 4. Since they are issued so close they should be logged at CT same time but 
> second one are too late.

CT logging was not mandatory at the time, and WoSign subsequently volunteered 
to upload all the extant certificates in mid-2016 during Mozilla's 
investigation of other (serious) problems.

I think these certificates are, though perhaps not entirely regular, not a sign 
of any problem at WoSign.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Found something I can't understand in these cerificates.

2017-08-01 Thread Han Yuwei via dev-security-policy
https://crt.sh/?id=7040227
https://crt.sh/?id=30328289

I am confused for those reasons.

1. the CN of two cerificates are same. So it is not necessary to issue two 
certificates in just 2 minutes.
2. second one used SHA1, though is consistent with BR, but first one used 
SHA256.
3. first one has 39 month period of validity which is very rare.
4. Since they are issued so close they should be logged at CT same time but 
second one are too late.

So is there some common parctice I don't know or another mistake made by Wosign?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy