RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
Thanks for your friendly reminder. We can post all 2015 issued SSL certificate to CT log server if necessary. For BR auditor, I think this issue is too technical that fewer auditor can find out this problem. We will add the quality control system to PKI system before issuing the certificate,

Re: Incidents involving the CA WoSign

2016-08-25 Thread Matt Palmer
On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote: > For transparency, WoSign announced full transparency for all SSL > certificate from July 5th that post all issued SSL certificate to Google > log server, browsers can distrust WoSign issued SSL certificate after that > day if no SCT

StartCom's StartPKI

2016-08-25 Thread rugk
Hi, I stumbled across this service by StartCom: https://startssl.com/StartPKI (archive link: https://archive.is/GRkAK) I got a bit afraid when looking at their nice screenshots (https://archive.is/GRkAK#75%), because they offer intermediate certificates for companies allowing them to issue

Re: Incidents involving the CA WoSign

2016-08-25 Thread Matt Palmer
On Thu, Aug 25, 2016 at 05:15:58PM -0700, Ryan Sleevi wrote: > On Thursday, August 25, 2016 at 4:35:39 PM UTC-7, Matt Palmer wrote: > > I'm after the specifics of the changes to WoSign's policies and procedures > > regarding *notification*, not quality control. What were WoSign's previous > >

Re: FNMT Root Inclusion Request

2016-08-25 Thread Kathleen Wilson
On Thursday, August 11, 2016 at 4:36:02 PM UTC-7, Kathleen Wilson wrote: > >> FNMT has applied to include the “AC RAIZ FNMT-RCM” root certificate > >> and enable the Websites trust bit. > >> > >> Fábrica Nacional de Moneda y Timbre (FNMT) is a government agency > >> that provides services to

Re: Incidents involving the CA WoSign

2016-08-25 Thread Matt Palmer
On Thu, Aug 25, 2016 at 07:11:18AM +, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. That doesn't provide any assurance, in the face of misleading notBefore values in certificates. Without strong assurances that whatever failure of systems or

Re: Incidents involving the CA WoSign

2016-08-25 Thread Ryan Sleevi
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? > For BR auditor, I think this issue is too technical that fewer auditor can > find out this

Re: StartCom's StartPKI

2016-08-25 Thread Ryan Sleevi
On Thursday, August 25, 2016 at 10:11:21 AM UTC-7, rugk wrote: > Hi, > I stumbled across this service by StartCom: > https://startssl.com/StartPKI (archive link: https://archive.is/GRkAK) > I got a bit afraid when looking at their nice screenshots > (https://archive.is/GRkAK#75%), because they

RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
Yes, sorry for this. As I admitted that this discussion gives us a big lesson that we know when we need to report incident to all browsers. We guarantee we will do it better. Best Regards, Richard -Original Message- From: dev-security-policy