Re: Incidents involving the CA WoSign

2016-09-04 Thread Eddy Nigg
On 09/03/2016 11:02 PM, Percy wrote: I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the

Re: Incidents involving the CA WoSign

2016-09-04 Thread Gijs Kruitbosch
So if I understand correctly, you've published all certificates issued in 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that correct? As noted in https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ , this thread has turned up

Re: Incidents involving the CA WoSign

2016-09-04 Thread Andrew Ayer
On Sat, 3 Sep 2016 21:50:51 -0700 Peter Bowen wrote: > The log entries for the SM2 certificates are > https://ctlog.wosign.com/ct/v1/get-entries?start=109239=109240; > crt.sh doesn't have them. The matching serial numbers are > https://crt.sh/?id=30613201 and

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote: > On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > > Hi all, > > > > We finished the investigation and released the incidents report today: > > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > > >

Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Bowen
On Sat, Sep 3, 2016 at 10:11 PM, Richard Wang wrote: > It is posted, just Peter not find it that I told him the Log id. Richard, Thank you for providing the log ids. I am glad to see these are now logged, but I will point out the log timestamps for these two certificates

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the best web soap in the last few weeks... Peter.

RE: Incidents involving the CA WoSign

2016-09-04 Thread Richard Wang
Hi all, We finished the investigation and released the incidents report today: https://www.wosign.com/report/wosign_incidents_report_09042016.pdf This report has 20 pages, please let me know if you still have any questions, thanks. This report is just for Incident 0-2, we will release a separate

Re: Reuse of serial numbers by StartCom

2016-09-04 Thread Eddy Nigg
On 09/02/2016 07:02 PM, Nick Lamb wrote: On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: Let's speak about relying parties - how does this bug affect you? As a relying party I am entitled to assume that there is no more than one certificate signed by a particular issuer with a

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me know if you still have any questions,

Re: Reuse of serial numbers by StartCom

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 12:04:21PM +0300, Eddy Nigg wrote: > On 09/02/2016 07:02 PM, Nick Lamb wrote: > > On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: > > > Let's speak about relying parties - how does this bug affect you? > > As a relying party I am entitled to assume that there

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote: > So if I understand correctly, you've published all certificates issued in > 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that > correct? > > > As noted in >

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf In section 2.2 you explain that there is a mail at 9:01 and 9:38, where I