Re: Remove old WoSign root certs from NSS

2017-08-04 Thread Percy via dev-security-policy
On Thursday, August 3, 2017 at 3:55:34 PM UTC-7, Kathleen Wilson wrote: > On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote: > > I also think we should remove the old WoSign root certs from NSS. > > > > Reference: > > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Percy via dev-security-policy
> You will fail #4. Because your system, as designed, cannot and does not > comply with the Baseline Requirements. Is there a design outline in the security audit as well? No one in the community can judge either yours or WoSign's statement as this information is not shared with us. I suggest

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote: > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy > > wrote: > > > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: > >> > >> Please note

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Percy via dev-security-policy
So it seems that Richard Wang still has the final executive decisions regarding security in daily operations. Basically WoSign simply changed the title of the position from CEO to COO and bypassed Mozilla's requirement? On Sunday, July 9, 2017 at 7:26:28 PM UTC-7, Richard Wang wrote: > The

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote: > Hi Ryan, > > > > For your question “Do you believe that, during the discussions about how to > respond to WoSign's issues, the scope of impact was underestimated?”, the > answer is YES. > > > > After Oct 21 2016, WoSign

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote: > On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > > 7. At Quihoo: Actually get rid of Richard Wang, not just change his > >title from CEO to COO. > > I didn't map the new hierarchy of the "Spanish"

Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed

Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote: > On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 01/05/17 07:52, Percy wrote: > >> It seems that StartCom continues to sell untrusted certs. Neither

StartCom continues to sell untrusted certificates

2017-05-01 Thread Percy via dev-security-policy
It seems that StartCom continues to sell untrusted certs. Neither their home page https://www.startcomca.com/ nor their announcement page https://www.startcomca.com/index/news mentions that those certs are not trusted.

Re: StartCom inclusion request: next steps

2017-09-14 Thread Percy via dev-security-policy
"Conclusion: StartCom's attempt to restart the CA was rushed." "It was a very hard task in very few time but the people at 360 tried everything to get it done by that date, end of december 2016, and yes, we reached the date but with many failures" May I ask why StartCom chose to rush

Re: Remove old WoSign root certs from NSS

2017-08-29 Thread Percy via dev-security-policy
On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote: > We released replacement notice in Chinese in our website: > https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm > https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm >

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
Links to all of WoSign's announcements in case anyone wants to verify. https://www.wosign.com/news/index.htm year 2017 https://www.wosign.com/news/index2016.htm year 2016

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
In fact, can you tell us, when was the first time WoSign started to notify users about replacing certs? I've dug through all of WoSign's announcements and the first and in fact the ONLY announcement regarding replacing certs is dated July 10th, 2017, titled Announcement regarding Google's

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
It's true that the first post has a link to that second post. However, the related sentence is To learn more, please visit "Announcement regarding Google's decision on July 7th", with a hyperlink to the second post. And only the second post mentions anything about replacing certs. I hardly

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
On Wednesday, August 30, 2017 at 11:15:04 AM UTC-7, Kathleen Wilson wrote: > Posted: > > https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/ > > I will look into getting this translated and published in China. > > Thanks, > Kathleen Thank you

Re: Remove old WoSign root certs from NSS

2017-08-27 Thread Percy via dev-security-policy
On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote: > On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote: > > I suggest that Mozilla can post an announcement now about the complete > > removal of WoSign/StartCom to alert website developers. I suspect that a > >