Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Nick Lamb
On Wednesday, 31 August 2016 19:32:43 UTC+1, Kathleen Wilson wrote: > Thanks to all of you who have provided thoughtful and constructive input into > this discussion. > > I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request > that the "Hongkong Post e-Cert CA 1 - 10"

Sanctions short of distrust

2016-08-31 Thread Nick Lamb
A recurring theme of m.d.s.policy is that a CA behaves in a way that falls short, sometimes far short, of the reasonable expectations of relying parties and yet in the end Mozilla doesn't end up distrusting that CA because of the direct impact on relying parties, the indirect impact on

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Matt Palmer
On Wed, Aug 31, 2016 at 07:57:02PM +0300, Eddy Nigg wrote: > On 08/31/2016 03:19 PM, Matt Palmer wrote: > >That bug appears to pre-date *all* of the certificates listed above. > >Further, the last communication on that bug (2014-09-22), from Eddy Nigg > >(of StartCom), said: > >>It's a hard and

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
Fair enough, thank you, Ryan. This is my last formal statement for this issue that I am tired of this argument, I need to go to hospital now :-). First, please treat WoSign as a global trusted CA, DON'T stamp as China CA. We need a fair treatment as other worldwide CAs that I am sure WoSign is

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Man Ho (Certizen)
What about our existing SSL server certs, which are still valid until 31 Dec 2016? The majority of those cert subscribers are offering government and public services to residents of Hong Kong. And I believe the impact to residents of Hong Kong will be huge when the browser suddenly prompts a warning

Re: Incidents involving the CA WoSign

2016-08-31 Thread Ryan Sleevi
On Wednesday, August 31, 2016 at 8:05:57 PM UTC-7, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp as China CA. > We need a fair treatment as other worldwide CAs that I am sure WoSign is not > the first CA that have incident and not the serious one; I would

Re: Incidents involving the CA WoSign

2016-08-31 Thread Ryan Sleevi
On Wednesday, August 31, 2016 at 10:07:19 AM UTC-7, watso...@gmail.com wrote: > Dear Richard, > > It's clear WoSign has continuing compliance issues with CA/Browser forum > rules, and has repeatedly failed to correct them. Furthermore there has been > lots of questions about what it would take

Re: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-31 Thread Kathleen Wilson
Thanks to all of you who have provided thoughtful and constructive input into this discussion. I have filed https://bugzilla.mozilla.org/show_bug.cgi?id=1299579 to request that the "Hongkong Post e-Cert CA 1 - 10" intermediate cert be added to OneCRL. See the bug for further details. Kathleen

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Eddy Nigg
On 08/31/2016 05:56 AM, Peter Bowen wrote: In reviewing the Certificate Transparency logs, I noticed that StartCom has issued multiple certificates with identical serial numbers and identical issuer names. https://crt.sh/?serial=14DCA8 (2014-12-07) https://crt.sh/?serial=04FF5D653668DB

RE: Incidents involving the CA WoSign

2016-08-31 Thread Peter Gutmann
itk98...@gmail.com writes: >Wosign indirectly bought StartSSL, https://www.letsphish.org Has there been any independent investigation into this? We know that CAs are bought and sold like baseball trading cards, but it's usually done publicly and freely acknowledged, whereas

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Kurt Roeckx
On 2016-08-31 04:56, Peter Bowen wrote: In reviewing the Certificate Transparency logs, I noticed that StartCom has issued multiple certificates with identical serial numbers and identical issuer names. https://crt.sh/?serial=14DCA8 (2014-12-07) https://crt.sh/?serial=04FF5D653668DB (2015-01-05)

Re: Incidents involving the CA WoSign

2016-08-31 Thread Percy
On Tuesday, August 30, 2016 at 7:47:43 PM UTC-7, itk9...@gmail.com wrote: > Wosign indirectly bought StartSSL, https://www.letsphish.org Ha! It makes so much sense now why StartEncrypt is such a catastrophe (https://www.google.com/search?q=StartEncrypt). I've revoked all StartCom certs in my OS.

Re: Reuse of serial numbers by StartCom

2016-08-31 Thread Matt Palmer
On Wed, Aug 31, 2016 at 09:29:20AM +0200, Kurt Roeckx wrote: > On 2016-08-31 04:56, Peter Bowen wrote: > >In reviewing the Certificate Transparency logs, I noticed that StartCom > >has issued multiple certificates with identical serial numbers and > >identical issuer names. > > >

Re: Incidents involving the CA WoSign

2016-08-31 Thread Gervase Markham
On 29/08/16 22:53, Percy wrote: > Gerv, I've notified the security team in Alibaba about this possible fake > cert and asked them to confirm that they have not applied for a cert. > It's unlikely that Alibaba will use a free cert from WoSign. As a commercial > site, they usually use Verisign or

Re: Incidents involving the CA WoSign

2016-08-31 Thread sam
To the policymakers at Mozilla, my name is Samuel Pinder. I consider myself a computer network analyst and have a degree in Web Systems Development. I also host a small number of websites on a technical level. I have used Startcom's services for a number of years. I only recently came across

Re: Incidents involving the CA WoSign

2016-08-31 Thread Gervase Markham
On 24/08/16 14:08, Gervase Markham wrote: > * The issuance of certificates using SHA-1 has been banned by the > Baseline Requirements since January 1st, 2016. Browsers, including > Firefox, planned to enforce this[2] by not trusting certs with a > notBefore date after that date, but in the case of

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
Repost to the same subject. Regards, Richard > On 30 Aug 2016, at 15:11, Richard Wang wrote: > > Dear all, > > This email is the formal reply from WoSign for these 3 incidents. > > First, thank you all very much for helping WoSign to improve our system security > that helped

Re: Incidents involving the CA WoSign

2016-08-31 Thread ian.kemp
On Tuesday, August 30, 2016 at 1:03:57 AM UTC+2, Percy wrote: > "Some certificates are revoked after getting report from subscriber, but some > still valid, if any subscriber think it must be revoked and replaced new one, > please contact us in the system, thanks" > > WoSign seems to lack the

Re: Incidents involving the CA WoSign

2016-08-31 Thread watsonbladd
On Tuesday, August 30, 2016 at 8:07:49 PM UTC-7, Richard Wang wrote: > This case is in the BR report: > https://cert.webtrust.org/SealFile?seal=2019=pdf > > Thanks. > > Best Regards, > > Richard > Dear Richard, It's clear WoSign has continuing compliance issues with CA/Browser forum rules,

Re: Incidents involving the CA WoSign

2016-08-31 Thread jozef.izso
As an admin I want to check the WoSign Issuer Policy provided by their "WoSign CA Free SSL Certificate G2" certificate. Issuer Policy is linked to http://www.wosign.com/policy/ This page shows the source code instead of actual policy. <% Dim strAcceptLanguage