Re: Incidents involving the CA WoSign

2016-08-29 Thread Percy
"Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks"

WoSign seems to lack the basic understanding of how a certificate is used in authentication,

Re: Incidents involving the CA WoSign

2016-08-29 Thread Percy
On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote:
> On 29/08/16 09:48, 蓝小灰 wrote:
> > Of course I have the private key of this certificate
>
> I have asked 蓝小灰 for cryptographic proof of this.
>
> Gerv

Gerv, I've notified the security team in Alibaba about this possible fake

Re: Incidents involving the CA WoSign

2016-08-29 Thread Gervase Markham
On 26/08/16 06:12, 233sec Team wrote:
> https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
>
> Alicdn.com is the CDN asset domain name of Taobao/Tmall, which belong to
> Alibaba and are the biggest online shopping websites in China.
> With the fake cert's man-in-the-middle attack, password

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
As I explained, we use the same script using the API; different parameters point to different API post URLs for different CAs. Nothing PKI-hosting related.

Regards,
Richard

> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are

Re: Incidents involving the CA WoSign

2016-08-29 Thread Gervase Markham
On 26/08/16 04:33, Richard Wang wrote:
> As I admitted, this discussion gives us a big lesson: we now know
> when we need to report an incident to all browsers. We guarantee we will
> do it better.

Richard,

You have been involved in this (Mozilla) discussion group and in the CAB Forum for

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Yes, we plan to revoke all after getting confirmation from the subscriber. We are doing this.

Regards,
Richard

> On 29 Aug 2016, at 16:38, Gervase Markham wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate with un-validated subdomain,

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Sure, all issued certs have passed the domain control validations.

Regards,
Richard

> On 29 Aug 2016, at 16:30, Gervase Markham wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT the case you think. Due to the root inclusion problem, the WoSign
>> root is cross-signed by

Re: Incidents involving the CA WoSign

2016-08-29 Thread 233sec Team
Not vulnerabilities mentioned in this thread, but a weak human-audit process. Details you can see in the reply I sent to Mr. Wang.

On Saturday, August 27, 2016 at 4:24:44 AM UTC+8, Jonathan Rudenberg wrote:
> Here's the crt.sh link for this certificate: https://crt.sh/?id=29884704
>
> Can you provide more details

Re: Incidents involving the CA WoSign

2016-08-29 Thread xcrailfans
On Friday, August 26, 2016 at 4:26:26 PM UTC+8, Richard Wang wrote:
> This is the standard way on the Chinese Internet: if a Western company says something
> to a Chinese company, all will support the Western company.

-- especially when local CAs are losing credibility with end-users. Microsoft Azure's Chinese

Re: Next CA Communication -- September?

2016-08-29 Thread Nick Lamb
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?

It can be worth following up on the date-in-time commitments made by CAs in their replies to the previous communication this year. Each CA should

Re: Incidents involving the CA WoSign

2016-08-29 Thread Patrick Figel
Richard,

the problem with this approach is that the *subscriber* might not be authorized to make this decision for the parent domain. To go back to the GitHub case, the "owner" of a github.io subdomain telling you that they are authorized to own a certificate that covers github.io is irrelevant,
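The direction of authorization Patrick describes, written out as a stand-alone check. This is an added example, not WoSign's, Mozilla's or any CA's validation code; the function name dcv_authorizes, the (authorized, reason) return shape and the conservative public-suffix policy are this example's own choices, and PUBLIC_SUFFIXES is a constructed handful of entries standing in for the real Public Suffix List so the script runs offline.

```python
# Added example: does proving control of one name authorize a certificate
# for another? Not WoSign's or any CA's code. PUBLIC_SUFFIXES is a constructed
# subset of the Public Suffix List (publicsuffix.org), embedded to run offline.
from typing import Tuple

PUBLIC_SUFFIXES = frozenset({
    "com", "net", "org", "io", "uk", "co.uk",
    "github.io",  # every <user>.github.io belongs to a different party
})


def normalize(name: str) -> str:
    """Lower-case, drop a trailing dot, and reject empty labels."""
    name = name.strip().lower().rstrip(".")
    if not name or any(label == "" for label in name.split(".")):
        raise ValueError(f"malformed domain name: {name!r}")
    return name


def is_public_suffix(name: str) -> bool:
    return normalize(name) in PUBLIC_SUFFIXES


def is_subdomain_of(child: str, parent: str) -> bool:
    """True when child sits strictly below parent (www.example.com under example.com)."""
    return child != parent and child.endswith("." + parent)


def dcv_authorizes(validated: str, requested: str) -> Tuple[bool, str]:
    """Does a completed domain-control validation of `validated` authorize
    putting `requested` (optionally a *.wildcard) into a certificate?

    Only 'parent validated -> child issued' is ever acceptable. This example
    additionally refuses that direction when the parent is a public suffix,
    because each name directly below a public suffix is a different
    registrant's domain. That is this example's conservative policy, not a
    quotation of the Baseline Requirements.
    """
    validated = normalize(validated)
    wildcard = requested.strip().startswith("*.")
    base = normalize(requested.strip()[2:] if wildcard else requested)

    if wildcard and is_public_suffix(base):
        return False, f"*.{base} would cover every registrant under the public suffix {base}"

    if base == validated:
        return True, f"exact match: control of {validated} was validated"

    if is_subdomain_of(base, validated):
        if is_public_suffix(validated):
            return False, (f"{validated} is a public suffix; control of it does not "
                           f"imply control of {base}, which belongs to another registrant")
        return True, f"{base} is below the validated parent {validated}"

    if is_subdomain_of(validated, base):
        # The incident pattern from this thread: a subscriber proved control
        # of <something>.github.io and received a certificate for github.io.
        return False, (f"control of the subdomain {validated} never authorizes "
                       f"its parent {base}")

    return False, f"{base} is unrelated to the validated name {validated}"


if __name__ == "__main__":
    # Constructed cases; someuser.github.io is a placeholder, not a real site.
    cases = [
        ("www.example.com", "www.example.com"),
        ("example.com", "www.example.com"),
        ("www.example.com", "example.com"),     # child -> parent: refuse
        ("someuser.github.io", "github.io"),    # the GitHub case: refuse
        ("github.io", "someuser.github.io"),    # parent is a public suffix: refuse
        ("example.com", "*.example.com"),
        ("github.io", "*.github.io"),           # wildcard over a public suffix: refuse
    ]
    for validated, requested in cases:
        ok, why = dcv_authorizes(validated, requested)
        print(f"{'ISSUE ' if ok else 'REFUSE'} {requested:<22} "
              f"(validated {validated:<20}) {why}")
```

Run it and the two GitHub-shaped cases come back REFUSE with the reason spelled out; the point of the (bool, reason) return is that an issuance system can log why a request was turned down, which is exactly the audit trail the thread is asking WoSign for.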

Re: Next CA Communication -- September?

2016-08-29 Thread Nick Lamb
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?

Also, I think that the SHA-1 topic should be brought up again. Some CA folks will be tired of reading about this, having managed the issue

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
OK, we will revoke all tomorrow morning, since our time is 22:22 now. The cloudapp.net cert was revoked at issuance time. Thanks.

Regards,
Richard

> On 29 Aug 2016, at 21:53, Patrick Figel wrote:
>
> Richard,
>
> the problem with this approach is that the *subscriber* might not

Re: Incidents involving the CA WoSign

2016-08-29 Thread Gervase Markham
On 29/08/16 09:48, 蓝小灰 wrote:
> Of course I have the private key of this certificate

I have asked 蓝小灰 for cryptographic proof of this.

Gerv