Re: Remove old WoSign root certs from NSS

2017-09-01 Thread Gervase Markham via dev-security-policy
On 30/08/17 18:50, Kathleen Wilson wrote:
> https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
> 
> I will look into getting this translated and published in China.

Here are the links to the post in Chinese, kindly supplied by our
colleagues:

http://mozilla.com.cn/thread-389981-1-1.html

http://www.toutiao.com/i6460694823383876110/

http://weibo.com/1663337394/FjOcBkk6e?type=repost#_rnd1504260080825

https://mp.weixin.qq.com/s?__biz=MTc0MDM5MjUwMQ===2651082547=1=ca6759cd7a0a035028579e7705b59e6f=547350696304d97fad4eaab40cf1d933f794525e358afc6ae40bcc1c47ff6e3007c407e0ccf0#rd

Gerv


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
On Wednesday, August 30, 2017 at 11:15:04 AM UTC-7, Kathleen Wilson wrote:
> Posted:
> 
> https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
> 
> I will look into getting this translated and published in China.
> 
> Thanks,
> Kathleen

Thank you so much for taking Chinese users into consideration! 


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Kathleen Wilson via dev-security-policy
Posted:

https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/

I will look into getting this translated and published in China.

Thanks,
Kathleen


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
Links to all of WoSign's announcements, in case anyone wants to verify:
https://www.wosign.com/news/index.htm (year 2017)
https://www.wosign.com/news/index2016.htm (year 2016)


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
In fact, can you tell us when WoSign first started to notify users about 
replacing certs?

I've dug through all of WoSign's announcements, and the first and in fact the 
ONLY announcement regarding replacing certs is dated July 10th, 2017, titled 
"Announcement regarding Google's decision on July 7th". Between Sept 19, 2016 and 
July 10th, 2017, WoSign posted a total of 19 announcements, including 
announcements like a mountain hiking competition on Youth Day, trips to the 
Yangtze River Delta, and WoSign's professional services winning customers' 
acknowledgment.

Of course your customers might be unable to replace certs in time if you only 
notified them in July this year while the browsers announced such decisions in 
Oct last year!


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
It's true that the first post has a link to that second post. However, the 
related sentence is 

"To learn more, please visit 'Announcement regarding Google's decision on July 
7th'", with a hyperlink to the second post. 

And only the second post mentions anything about replacing certs. I hardly 
think users would understand that they are risking being blocked by major 
browsers from such a benign-looking sentence. 


RE: Remove old WoSign root certs from NSS

2017-08-29 Thread Richard Wang via dev-security-policy
Please stop misleading the audience; the first news item has a link that refers 
to the second news item.

We have provided the best service for our customers for more than 10 years, and 
we will continue, as always, to provide high-quality pre-sale and after-sales 
service for our customers.

Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy via dev-security-policy
Sent: Wednesday, August 30, 2017 3:54 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS

On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote:
> We released a replacement notice in Chinese on our website:
> https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm 
> https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm 
> https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
> 
> And we have sent a broadcast email to our customers, but some customers still 
> haven't replaced their certificates, for many kinds of reasons; this has to be 
> done in cooperation with the customers.
> 
> 
> Best Regards,
> 
> Richard

I have to point out that of all the above 3 posts, only one, namely 
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm, 
mentions anything about replacing the certs. 


Re: Remove old WoSign root certs from NSS

2017-08-29 Thread Percy via dev-security-policy
On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote:
> We released a replacement notice in Chinese on our website:
> https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
> https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
> https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
> 
> And we have sent a broadcast email to our customers, but some customers still 
> haven't replaced their certificates, for many kinds of reasons; this has to be 
> done in cooperation with the customers.
> 
> 
> Best Regards,
> 
> Richard

I have to point out that of all the above 3 posts, only one, namely 
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm, 
mentions anything about replacing the certs. 


RE: Remove old WoSign root certs from NSS

2017-08-28 Thread Richard Wang via dev-security-policy
We released a replacement notice in Chinese on our website:
https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm

And we have sent a broadcast email to our customers, but some customers still 
haven't replaced their certificates, for many kinds of reasons; this has to be 
done in cooperation with the customers.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy via dev-security-policy
Sent: Monday, August 28, 2017 11:34 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remove old WoSign root certs from NSS

On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote:
> On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> > I suggest that Mozilla post an announcement now about the
> > complete removal of WoSign/StartCom to alert website developers. I
> > suspect that a moderate number of Chinese websites are still using
> > WoSign certs chained to the old roots. Google posted about this
> > complete removal here:
> > https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
> >
> > And since WoSign has the most presence in China, I suggest Mozilla 
> > instruct Mozilla China to post such an announcement in Chinese as well.
>
>
> Here's a DRAFT for such an announcement, that I could post to Mozilla's 
> Security Blog [1].
>
> ~~ DRAFT ~~
>
> Title: Removing Disabled WoSign and StartCom Certificates from Firefox
> 58
>
> In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop 
> validating new certificates chaining to the below list of root certificates 
> owned by the companies WoSign and StartCom.
>
> The announcement also indicated our intent to eventually completely remove 
> these root certificates from Mozilla’s Root Store[3], so that we would no 
> longer validate certificates issued even before that date by those roots. 
> That time has now arrived. We plan to release the relevant changes[4] to 
> Network Security Services (NSS)[5] in November, and then the changes will be 
> picked up in Firefox 58[6], due for release in January 2018. Sites using 
> certificates chaining up to any of the following root certificates need to 
> migrate to another root certificate.
>
> This announcement applies to the root certificates with the following names:
>
> CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
> CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
> CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
>
> Mozilla Security Team
> ~~
>
> As always, I will appreciate your constructive feedback.
>
> Thanks,
> Kathleen
>
> [1] https://blog.mozilla.org/security/
> [2] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [3] https://wiki.mozilla.org/CA
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
> https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
> [5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
> [6] https://wiki.mozilla.org/RapidRelease/Calendar

Such an announcement will be great. And a Chinese translation posted on Mozilla 
China will be greatly appreciated too.

A Chinese announcement is rather appreciated because some very large companies, 
for example OFO, which received $450M in funding and is currently valued at $1B 
[1], are still using WoSign certs [2]; Fapiao, which deals with receipts for 
Starbucks in China, was using the old WoSign cert [3] until two weeks ago. It 
only changed the cert after months of customer complaints. Those are by far 
not isolated cases.


[1] https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2] https://common.ofo.so/
[3] https://crt.sh/?q=fapiao.com


Re: Remove old WoSign root certs from NSS

2017-08-27 Thread Percy via dev-security-policy
On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote:
> On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> > I suggest that Mozilla post an announcement now about the complete 
> > removal of WoSign/StartCom to alert website developers. I suspect that a 
> > moderate number of Chinese websites are still using WoSign certs chained to 
> > the old roots. Google posted about this complete removal here: 
> > https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
> >  
> > 
> > And since WoSign has the most presence in China, I suggest Mozilla 
> > instruct Mozilla China to post such an announcement in Chinese as well.
> 
> 
> Here's a DRAFT for such an announcement, that I could post to Mozilla's 
> Security Blog [1].
> 
> ~~ DRAFT ~~
> 
> Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58
> 
> In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop 
> validating new certificates chaining to the below list of root certificates 
> owned by the companies WoSign and StartCom. 
> 
> The announcement also indicated our intent to eventually completely remove 
> these root certificates from Mozilla’s Root Store[3], so that we would no 
> longer validate certificates issued even before that date by those roots. 
> That time has now arrived. We plan to release the relevant changes[4] to 
> Network Security Services (NSS)[5] in November, and then the changes will be 
> picked up in Firefox 58[6], due for release in January 2018. Sites using 
> certificates chaining up to any of the following root certificates need to 
> migrate to another root certificate.
> 
> This announcement applies to the root certificates with the following names:
> 
> CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
> CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
> O=StartCom Ltd., C=IL
> CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
> 
> Mozilla Security Team
> ~~
> 
> As always, I will appreciate your constructive feedback.
> 
> Thanks,
> Kathleen
> 
> [1] https://blog.mozilla.org/security/
> [2] 
> https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [3] https://wiki.mozilla.org/CA
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
> https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
> [5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
> [6] https://wiki.mozilla.org/RapidRelease/Calendar

Such an announcement will be great. And a Chinese translation posted on Mozilla 
China will be greatly appreciated too.

A Chinese announcement is rather appreciated because some very large companies, 
for example OFO, which received $450M in funding and is currently valued at $1B 
[1], are still using WoSign certs [2]; Fapiao, which deals with receipts for 
Starbucks in China, was using the old WoSign cert [3] until two weeks ago. It 
only changed the cert after months of customer complaints. Those are by far 
not isolated cases. 


[1] https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2] https://common.ofo.so/
[3] https://crt.sh/?q=fapiao.com


Re: Remove old WoSign root certs from NSS

2017-08-25 Thread Kathleen Wilson via dev-security-policy
On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> I suggest that Mozilla post an announcement now about the complete 
> removal of WoSign/StartCom to alert website developers. I suspect that a 
> moderate number of Chinese websites are still using WoSign certs chained to 
> the old roots. Google posted about this complete removal here: 
> https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
>  
> 
> And since WoSign has the most presence in China, I suggest Mozilla 
> instruct Mozilla China to post such an announcement in Chinese as well.


Here's a DRAFT for such an announcement, that I could post to Mozilla's 
Security Blog [1].

~~ DRAFT ~~

Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58

In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop 
validating new certificates chaining to the below list of root certificates 
owned by the companies WoSign and StartCom. 

The announcement also indicated our intent to eventually completely remove 
these root certificates from Mozilla’s Root Store[3], so that we would no 
longer validate certificates issued even before that date by those roots. That 
time has now arrived. We plan to release the relevant changes[4] to Network 
Security Services (NSS)[5] in November, and then the changes will be picked up 
in Firefox 58[6], due for release in January 2018. Sites using certificates 
chaining up to any of the following root certificates need to migrate to 
another root certificate.

This announcement applies to the root certificates with the following names:

CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
O=StartCom Ltd., C=IL
CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL

Mozilla Security Team
~~

As always, I will appreciate your constructive feedback.

Thanks,
Kathleen

[1] https://blog.mozilla.org/security/
[2] 
https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
[3] https://wiki.mozilla.org/CA
[4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
[5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
[6] https://wiki.mozilla.org/RapidRelease/Calendar

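A check a site operator could run against the roots listed in Kathleen's draft, added here as an example and not code from Mozilla, NSS or WoSign. It uses Go's standard crypto/x509 to build the chain and then applies the two rules in the announcement: a certificate whose only chains end at one of the listed roots is affected, and it is already rejected by Firefox 51 and later if its notBefore is after October 21, 2016, otherwise it keeps working only until the roots are removed in Firefox 58. Matching roots on CN and O alone, treating a chain to any other root as unaffected, and the fabricated root and leaf from makeTestChain are all assumptions of this example; the actual Mozilla implementation lives in PSM and NSS and is not reproduced here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Root subjects from the draft announcement. "OU=null" there means the
// attribute is absent, so the match below is on CN and O only (an assumption).
var distrustedRoots = map[[2]string]bool{
	{"CA 沃通根证书", "WoSign CA Limited"}:                          true,
	{"Certification Authority of WoSign", "WoSign CA Limited"}:    true,
	{"Certification Authority of WoSign G2", "WoSign CA Limited"}: true,
	{"CA WoSign ECC Root", "WoSign CA Limited"}:                   true,
	{"StartCom Certification Authority", "StartCom Ltd."}:         true,
	{"StartCom Certification Authority G2", "StartCom Ltd."}:      true,
}

// Cutoff from the October 2016 announcement: end-entity certificates with a
// notBefore after this date are already rejected by Firefox 51 and later.
var cutoff = time.Date(2016, 10, 21, 0, 0, 0, 0, time.UTC)

type Verdict int
const (
	Unaffected         Verdict = iota // some chain ends at a root outside the list
	DistrustedSince51                 // listed root, leaf issued after the cutoff
	RemovedInFirefox58                // listed root, leaf issued before the cutoff
)

func subjectKey(c *x509.Certificate) [2]string {
	org := ""
	if len(c.Subject.Organization) > 0 {
		org = c.Subject.Organization[0]
	}
	return [2]string{c.Subject.CommonName, org}
}

// Classify builds every chain from leaf to one of roots (through inters) and
// reports whether the site is affected. A chain to any root outside the list
// counts as unaffected, since a path builder can still use it.
func Classify(leaf *x509.Certificate, inters, roots []*x509.Certificate, now time.Time) (Verdict, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for _, c := range roots {
		opts.Roots.AddCert(c)
	}
	for _, c := range inters {
		opts.Intermediates.AddCert(c)
	}
	chains, err := leaf.Verify(opts)
	if err != nil {
		return Unaffected, err // no valid chain at all: report it rather than guess
	}
	for _, chain := range chains {
		if !distrustedRoots[subjectKey(chain[len(chain)-1])] {
			return Unaffected, nil // a path to some other root exists
		}
	}
	if leaf.NotBefore.After(cutoff) {
		return DistrustedSince51, nil
	}
	return RemovedInFirefox58, nil
}

// makeTestChain fabricates a throwaway root with the given subject and a leaf
// signed by it: constructed test data, not a real WoSign or StartCom certificate.
func makeTestChain(rootSubject pkix.Name, leafNotBefore time.Time) (leaf, root *x509.Certificate) {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: rootSubject,
		NotBefore: time.Date(2009, 8, 8, 0, 0, 0, 0, time.UTC), NotAfter: time.Date(2039, 8, 8, 0, 0, 0, 0, time.UTC),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: leafNotBefore, NotAfter: leafNotBefore.AddDate(2, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leaf = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey))))
	return leaf, root
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func main() {
	wosign := pkix.Name{CommonName: "Certification Authority of WoSign", Organization: []string{"WoSign CA Limited"}}
	leaf, root := makeTestChain(wosign, time.Date(2016, 5, 1, 0, 0, 0, 0, time.UTC))
	v, err := Classify(leaf, nil, []*x509.Certificate{root}, time.Date(2017, 8, 30, 0, 0, 0, 0, time.UTC))
	fmt.Println("verdict:", v, "err:", err) // 0=unaffected 1=distrusted since Fx51 2=removed in Fx58
}
```

To run this against a real site, replace makeTestChain with the chain the server actually serves plus the system trust store; the verdict is only as good as the roots passed in, and a site whose chain fails to verify at all is reported as an error rather than silently marked unaffected.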


Re: Remove old WoSign root certs from NSS

2017-08-04 Thread Percy via dev-security-policy
On Thursday, August 3, 2017 at 3:55:34 PM UTC-7, Kathleen Wilson wrote:
> On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote:
> > I also think we should remove the old WoSign root certs from NSS.
> > 
> > Reference:
> > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
> > ~~
> > Mozilla currently recommends not trusting any certificates issued by this 
> > CA after October 21st, 2016. That recommendation covers the following roots:
> > 
> > CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> > CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> > CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, 
> > C=CN
> > CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> > 
> > This restriction has been implemented both in the Mozilla platform 
> > security code (PSM), which is shared by the Mozilla applications (Firefox, 
> > Thunderbird, etc.), and in the NSS library code, which is used 
> > by applications that use the NSS certificate verification APIs. 
> > ~~
> > 
> > Please let me know if you foresee any problems with removing these root 
> > certs from NSS.
> > 
> > Thanks,
> > Kathleen
> 
> 
> I have filed Bug #1387260 to remove the old WoSign root certificates. This 
> will likely happen in the October batch of root changes.
> 
> Kathleen

I suggest that Mozilla post an announcement now about the complete removal 
of WoSign/StartCom to alert website developers. I suspect that a moderate 
number of Chinese websites are still using WoSign certs chained to the old 
roots. Google posted about this complete removal here: 
https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
 

And since WoSign has the most presence in China, I suggest Mozilla instruct 
Mozilla China to post such an announcement in Chinese as well.


Re: Remove old WoSign root certs from NSS

2017-08-03 Thread Kathleen Wilson via dev-security-policy
On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote:
> I also think we should remove the old WoSign root certs from NSS.
> 
> Reference:
> https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
> ~~
> Mozilla currently recommends not trusting any certificates issued by this CA 
> after October 21st, 2016. That recommendation covers the following roots:
> 
> CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, 
> C=CN
> CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> 
> This restriction has been implemented both in the Mozilla platform 
> security code (PSM), which is shared by the Mozilla applications (Firefox, 
> Thunderbird, etc.), and in the NSS library code, which is used 
> by applications that use the NSS certificate verification APIs. 
> ~~
> 
> Please let me know if you foresee any problems with removing these root certs 
> from NSS.
> 
> Thanks,
> Kathleen


I have filed Bug #1387260 to remove the old WoSign root certificates. This will 
likely happen in the October batch of root changes.

Kathleen


Remove old WoSign root certs from NSS

2017-07-10 Thread Kathleen Wilson via dev-security-policy
I also think we should remove the old WoSign root certs from NSS.

Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
~~
Mozilla currently recommends not trusting any certificates issued by this CA 
after October 21st, 2016. That recommendation covers the following roots:

CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN

This restriction has been implemented both in the Mozilla platform security 
code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, 
etc.), and in the NSS library code, which is used by applications that use the 
NSS certificate verification APIs. 
~~

Please let me know if you foresee any problems with removing these root certs 
from NSS.

Thanks,
Kathleen

