Re: StartCom & Qihoo Incidents

2016-10-30 Thread 谭晓生
Has anybody thought about why it happens in China? Why did the local browser not block the self-issued certificates? Thanks, Xiaosheng Tan On 2016/10/30 1:17 PM, "Percy" wrote: On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
As we observed the large-scale MITM against iCloud, Outlook, Google and GitHub carried out on the backbone router with self-signed certs, and that the browsers explicitly load self-signed certs, I think it's clear that browsers in China are compelled by the gov to enable insecure cryptography

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 5:30:23 AM UTC+8, Peter Bowen wrote: > > On Oct 29, 2016, at 2:23 PM, Han Yuwei wrote: > > > > On Friday, October 28, 2016 at 9:23:01 PM UTC+8, wangs...@gmail.com wrote: > >> We do not intend to cover up anything since we had disclosed every > >> change to the Chinese version

Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
According to their CPS (Chinese version 3.2, Jul. 2016), 1. All CAs can issue SM2 certificates and use SM3 hash. 2. There is a "signing key" generated by the subscriber and an "encryption key" generated by CFCA which is transmitted to the subscriber. 3. For SSL certificates, the longest valid duration is 5

Re: StartCom & Qihoo Incidents

2016-10-30 Thread 谭晓生
Nothing is compelled by the gov to trust the self-issued certificates. It is because some very large websites like 12306.cn (the only online entry to buy railway tickets in China) and some government websites are still using self-issued certificates, even though we tried to offer free trusted

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-30 Thread Gervase Markham
On 29/10/16 22:23, Han Yuwei wrote: > Is SM2 acceptable in publicly-trusted CAs? I don't think so. No; the BRs list the permitted algorithms, and SM2 is not one of them. > Maybe Gerv could explain more about this. And I am wondering what can > CA do if government requirement conflicts with

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Gervase Markham
On 30/10/16 12:39, 谭晓生 wrote: > That's the dilemma we have: > Block the access to self-issued certificates, and users will ignore the warning and force-trust > the certificate (bad behavior training); users might change to a > competitor's product. > Do not block the access, and there is the possibility of a MITM

Re: [FORGED] Re: StartCom & Qihoo Incidents

2016-10-30 Thread Peter Gutmann
Percy writes: >As we observed the large-scale MITM against iCloud, Outlook, Google and >GitHub carried out on the backbone router with self-signed certs, and that >the browsers explicitly load self-signed certs, I think it's clear that >browsers in China are compelled

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-30 Thread Han Yuwei
On Friday, October 28, 2016 at 6:43:30 AM UTC+8, Han Yuwei wrote: > On Thursday, October 27, 2016 at 6:22:03 PM UTC+8, wangs...@gmail.com wrote: > > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote: > > > I think these are both good points and my recommendation is that Mozilla > > > deny GDCA's request for inclusion. > > > > > > > > > We

Re: WoSign: updated report and discussion

2016-10-30 Thread Gervase Markham
On 29/10/16 22:42, Percy wrote: > However, on the official website > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "WoSign is > the only commercial CA in China, and the only one in the world, that can issue globally trusted SSL certificates and code-signing certificates using the domestic cryptographic algorithm (SM2)." WoSign is > the only commercial CA in China -- only commercial CA in the world > that can Sign SM2

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Matt Palmer
On Sat, Oct 29, 2016 at 10:17:59PM -0700, Percy wrote: > On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of > > > the > > > entire company

Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread jonathansshn
Please see 6.1.7, which describes this content.
___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote: > Please see 6.1.7, which describes this content. In version 3.2 I see that the "maximum certificate validity (years)" (maximum validity period) for "SSL server certificates" (SSL Server Certificates) is 5. And I don't see any other information about SM2 usage

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 8:40:37 PM UTC+8, 谭晓生 wrote: > Nothing is compelled by the gov to trust the self-issued certificates. > > It is because some very large websites like 12306.cn (the only online entry > to buy railway tickets in China) and some government websites are still > using self-issued

Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread jonathansshn
1. It's not true. CFCA's RSA root that is included in Mozilla is not able to issue SM2 certificates with SM3 hash. CFCA does have an SM2 root that issues SM2 certificates, but that root is not included in Mozilla or any other root store such as Apple, Microsoft or Google. And our CPS never indicates

Re: StartCom & Qihoo Incidents

2016-10-30 Thread He
On October 30, 2016 8:39:55 PM GMT+08:00, "谭晓生" wrote: >Nothing is compelled by the gov to trust the self-issued certificates. > >It is because some very large websites like 12306.cn (the only online >entry to buy railway tickets in China) and some government websites >are

Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 10:26:57 PM UTC+8, jonath...@gmail.com wrote: > 1. It's not true. CFCA's RSA root that is included in Mozilla is not able to > issue SM2 certificates with SM3 hash. CFCA does have an SM2 root that issues SM2 > certificates, but that root is not included in Mozilla or any other root store >

Re: WoSign: updated report and discussion

2016-10-30 Thread Percy
On Sunday, October 30, 2016 at 6:15:48 AM UTC-7, Gervase Markham wrote: > On 29/10/16 22:42, Percy wrote: > > However, on the official website > > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "WoSign is > > the only commercial CA in China, and the only one in the world, that can issue globally trusted SSL certificates and code-signing certificates using the domestic cryptographic algorithm (SM2)." WoSign is > > the

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we >