Re: Incidents involving the CA WoSign

2016-08-24 Thread sjw
Of course, adding the affected certs to OneCRL should be done immediately. WoSign also has to be transparent about all (mis) issued certs in the past and have to provide this info in the future. If they can't, I think we may consider if the current certs that are valid for 3 years should be

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
Yes, correct. Due to root inclusion problem, WoSign root is cross signed by StartCom since 2011. And we shared some facility with StartCom like CRL and OCSP distribution etc. But not this case, as I declared in the previous email, this is a API parameter option that can post data to any server

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
this cert is revoked in the same once it is issued. Thanks for posting to CT. Best Regards, Richard From: Eric Mill [mailto:e...@konklone.com] Sent: Thursday, August 25, 2016 12:08 AM To: Gervase Markham Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Jeremy Rowley [mailto:jeremy.row...@digicert.com] Sent: Thursday, August 25, 2016 3:50 AM To: Jeremy Rowley ; Peter Bowen ; Gervase Markham

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
See previous reply, thanks. Best Regards, Richard -Original Message- From: Jeremy Rowley [mailto:jeremy.row...@digicert.com] Sent: Thursday, August 25, 2016 3:41 AM To: Peter Bowen ; Gervase Markham Cc:

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
We revoked this certificate, and we know this certificate is for test only. For transparency, WoSign announced full transparency for all SSL certificate from July 5th that post all issued SSL certificate to Google log server, browsers can distrust WoSign issued SSL certificate after that day if

RE: Incidents involving the CA WoSign

2016-08-24 Thread Jeremy Rowley
Gerv, On incident 0, its unclear whether a cert was actually mis-issued. Although they used a higher level port, did the researcher successfully bypass WoSign's domain validation process? Is the only concern that WoSign permitted higher level ports? On incident 1, I agree this was a bad

Re: Incidents involving the CA WoSign

2016-08-24 Thread Gervase Markham
Hi Jeremy, On 24/08/16 17:12, Jeremy Rowley wrote: > On incident 0, its unclear whether a cert was actually mis-issued. > Although they used a higher level port, did the researcher > successfully bypass WoSign's domain validation process? Is the only > concern that WoSign permitted higher level

RE: Incidents involving the CA WoSign

2016-08-24 Thread Jeremy Rowley
That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obtain a cert without proper domain validation is pretty serious. I'd like to hear more details about

RE: Incidents involving the CA WoSign

2016-08-24 Thread Jeremy Rowley
Also, I think the biggest concern is the mis issuance issues were not reported to Mozilla but were reported to Google. A failure to report a problem in domain validation creates a question of whether the CA can be trusted in the future. Could we boil these incidents down to the following

Re: Incidents involving the CA WoSign

2016-08-24 Thread Ryan Sleevi
On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley wrote: > However, the fact a researcher was able to obtain a cert without proper domain > validation is pretty serious. I'd like to hear more details about how this was > accomplished. Ports 8080 and 8443 aren't that