RE: WoSign Root Renewal Request

2015-07-01 Thread Richard Wang
Mill Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Kurt Roeckx Subject: Re: WoSign Root Renewal Request This was explored in the past (several Japanese CAs collaborated and translated the documents), but it ended up working badly when the translations weren't following

RE: WoSign Root Renewal Request

2015-06-30 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Martin Rublik Sent: Tuesday, June 30, 2015 2:29 PM To: dev-security-policy@lists.mozilla.org Subject: Re: WoSign Root Renewal Request On 30. 6. 2015 3:00, Richard Wang wrote: Very thanks for your question. This two root is a new root CA that only issued one test SSL for test

RE: WoSign Root Renewal Request

2015-07-02 Thread Richard Wang
Of Richard Wang Sent: Wednesday, July 1, 2015 9:11 AM To: Kurt Roeckx; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: WoSign Root Renewal Request Hi Kurt, Hi Jesus, Hi Martin, Very thanks for your help. I think we misunderstanding the CRL number definition due our engineer bad English

RE: Letter from US House of Representatives

2015-07-06 Thread Richard Wang
According to this clues, as I said in Zurich CABF meeting, China will also come out a trust list that request browser and OS support. And other countries will come a list, then Browser and OS need to maintain hundreds trust list. Is it a good idea? Best Regards, Richard -Original

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
I also found some mistakes for the list: 1. I see some client certificate in the report that it say the email as common name is wrong; 2. IP address is allowed by BR; 3. IDN is allowed, but also in the report Regards, Richard -Original Message- From: dev-security-policy

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
[mailto:jeremy.row...@digicert.com] Sent: Wednesday, November 18, 2015 5:17 AM To: Rob Stradling <rob.stradl...@comodo.com> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen <pzbo...@gmail.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz> Su

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
-Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Wednesday, November 18, 2015 12:33 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozil

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
: Wednesday, November 18, 2015 10:28 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: Re: [FORGED] Name issues in public certificates Rich

Re: Policy Update Proposal -- Remove Email Trust Bit

2015-09-23 Thread Richard Wang
Yes, I think it should be kept. If some CA don't like this bit, then don't apply it, so simple. No necessary to remove it in NSS. Regards, Richard > On Sep 23, 2015, at 21:34, Adriano Santoni > wrote: > > There's one thing that I still do not understand. > >

Re: Policy Update Proposal -- Remove Email Trust Bit

2015-09-23 Thread Richard Wang
+100, should keep. Regards, Richard > On Sep 23, 2015, at 06:12, Kathleen Wilson wrote: > > On 9/22/15 9:29 AM, Kathleen Wilson wrote: >>> >>> First, we need to determine if the Email trust bit should remain part of >>> Mozilla's CA Certificate Policy. >> >> To be

Re: Policy Update Proposal: Remove Code Signing Trust Bit

2015-09-24 Thread Richard Wang
I think FireFox plugin XPI need to be signed, this is the usage. Regards, Richard > On Sep 24, 2015, at 20:53, Gervase Markham wrote: > >> On 24/09/15 02:58, Peter Kurrasch wrote: >> I suppose my comment was not as clear as I intended but, yes, I think >> Mozilla's

RE: [FORGED] Name issues in public certificates

2015-11-18 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Richard Wang Sent: Wednesday, November 18, 2015 10:41 AM To: Peter Bowen <pzbo...@gmail.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: RE: [FORGED] Nam

RE: [FORGED] Name issues in public certificates

2016-03-09 Thread Richard Wang
Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Wednesday, November 18, 2015 7:55 PM To: Peter Bowen <pzbo...@gmail.com> Cc: Rob Stradling <rob.stradl...@c

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >&g

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
this cert is revoked in the same once it is issued. Thanks for posting to CT. Best Regards, Richard From: Eric Mill [mailto:e...@konklone.com] Sent: Thursday, August 25, 2016 12:08 AM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
e Markham <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Also, I think the biggest concern is the mis issuance issues were not reported to Mozilla but were reported to Google. A fai

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
.mozilla.org; Richard Wang <rich...@wosign.com> Subject: RE: Incidents involving the CA WoSign That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obt

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
We revoked this certificate, and we know this certificate is for test only. For transparency, WoSign announced full transparency for all SSL certificate from July 5th that post all issued SSL certificate to Google log server, browsers can distrust WoSign issued SSL certificate after that day if

RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Thursday, August 25, 2016 2:48 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
-Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign > And, as others have pointed out in th

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Yes, we plan to post to one of the Google log server tommorrow. Regards, Richard > On 2 Sep 2016, at 22:54, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang <rich...@wosign.com> wrote: >> We finished the CT posting, a

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
e. Thanks a million. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Thursday, September 1, 2016 2:14 AM To: mozilla-dev-se

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
We will check this tomorrow. Now our time is 23:32 at night. Regards, Richard > On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote: >> Yes, we posted all 2015 issue

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. BTW, as I said that the two related pages in our website are deleted. Regards, Richard > On 3 Sep 2016, at 02:16, Percy wrote: > >> On Friday,

RE: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
: Sunday, September 4, 2016 5:19 AM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you also please check the following two certificates? It looks like they

RE: Incidents involving the CA WoSign

2016-09-05 Thread Richard Wang
uiry email. Some question will be replied in the second report. Best Regards, Richard -Original Message- From: Kurt Roeckx [mailto:k...@roeckx.be] Sent: Monday, September 5, 2016 1:34 AM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mo

RE: Incidents involving the CA WoSign

2016-09-06 Thread Richard Wang
Thanks for your comment. For Github case: 1. what happened: issued the certificate that included un-validated domain, and found out this mistake in the next day review, and revoked this certificate. 2. why this happened: this is bug as you described, and due to many orders need to review

RE: Sanctions short of distrust

2016-09-01 Thread Richard Wang
WoSign is volunteering to "Require CT", see this: https://bugs.chromium.org/p/chromium/issues/detail?id=626338 And we even plan to log code signing certificate and client certificate in the future once our system upgrade is ready. We think CT is a good solution for any mis-issued problem.

RE: Reuse of serial numbers

2016-09-01 Thread Richard Wang
I am sure it is revoked, please check it again, thanks. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Patrick T Sent: Thursday, September 1, 2016 5:07 PM To:

RE: website control validation problem

2016-09-01 Thread Richard Wang
ay, September 2, 2016 9:59 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: website control validation problem On Thursday, September 1, 2016 at 6:16:53 PM UTC-7, Richard Wang wrote: > For this case, WoSign notice Alibaba after getting report. > > I think this case is another

RE: Yes, we are improved

2016-09-01 Thread Richard Wang
Richard -Original Message- From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Friday, September 2, 2016 12:01 AM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Cc: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.

RE: Incidents involving the CA WoSign

2016-09-01 Thread Richard Wang
The posting to log server still not finished. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 1, 2016 11:11 PM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Friday, September 2, 2016 4:51 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthin

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
<vtly...@gmail.com> writes: >I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) >should make a statement about this. +1. I'd already asked for something like this earlier and got silence +as a response, which isn't inspiring

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Percy Sent: Friday, September 2, 2016 2:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thursday, September 1, 2016 at 11:01:08 PM UTC-7, Richard Wang wrote: > OK I try to say some that I wish I do

Re: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
>> On 2016-09-07 13:00, Gervase Markham wrote: >> Hi Richard, >> >>> On 07/09/16 11:06, Richard Wang wrote: >>> This discuss has been lasting two weeks, I think it is time to end >>> it, it doesn’t worth to waste everybody’s precious time. >> &g

Re: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
Got it, thanks. We will reply to you soon. By the way, the link you used in the page to our report is not correct. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >>

RE: Incidents involving the CA WoSign

2016-09-04 Thread Richard Wang
report for another incident X soon. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Wednesday, August 24, 2016 9:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org Cc: Richard Wang <rich...@wosign.

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
It is posted, just Peter not find it that I told him the Log id. We are also checking system again to double check if we missed some. Please be patient for our full 20 pages report, thanks, Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat,

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
on the browser algorithm support. Regards, Richard > On 4 Sep 2016, at 12:49, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi <r...@sleevi.com> wrote: >>> On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >>

RE: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
once it is about to expire at every three years for OV SSL. I wish Mozilla could accept my suggestion, and I am sure WoSign will do it better after getting this so big lesson. Thank you. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy

Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
1. All certs are revoked in time, please check our CRL; 2. WoSign logged all SSL cert since July 5th; 3. I know you are Chinese with good English, welcome to join WoSign, we need good talent like you. Regards, Richard > On 31 Aug 2016, at 01:33, Percy wrote: > > We

RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
ty-pol...@lists.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote: > Dear m.d.s.policy, > > Several incidents have come to our attention involving

formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
, and StartCom stopped StartEncrypt service. I wish I say this 3 case clearly, if not, please forgive my bad English, and please contact me if you still have any question, thanks a million. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: Gervase Markham [mailto:g

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
Repost to the same subject. Regards, Richard > On 30 Aug 2016, at 15:11, Richard Wang <rich...@wosign.com> wrote: > > Dear all, > > This email is the formal reply from WoSign for this 3 incidents. > > First, thank you all very much to help WoSign to improve our sys

Re: Incidents involving the CA WoSign

2016-09-08 Thread Richard Wang
nbingb...@gmail.com> wrote: > > 在 2016年9月7日星期三 UTC+8下午6:08:33,Richard Wang写道: >> Hi Gerv, Kathleen and Richard, >> >> This discuss has been lasting two weeks, I think it is time to end it, it >> doesn’t worth to waste everybody’s precious time. >> I make my confessio

Re: Incidents involving the CA WoSign

2016-09-10 Thread Richard Wang
Hi all, We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. Thanks for your patience. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote: > > Hi Richard, > >> On 07/0

RE: Sanctions short of distrust

2016-09-12 Thread Richard Wang
Please don't mix StartCom with WoSign case, StartCom is 100% independent at 2015. Even now, it still independent in the system, in the validation team and management team, we share the CRL/OCSP distribution resource only. Best Regards, Richard -Original Message- From:

RE: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Hi Gerv, This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf Please let me if you have any questions about the report, thanks. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: Gervase Markham Sent: Wednesday

Re: WoSign’s Ownership of StartCom

2016-09-09 Thread Richard Wang
“StartCom CA Ltd” in the UK are listed as being > owned by "StartCom CA Ltd".[2] This seems circular, but our > understanding is it actually refers to StartCom HK, which has the same > name. StartCom UK is documented as having two directors. One is Gaohua > (Richard) Wang, who will

Fwd: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

2016-09-23 Thread Richard Wang
This is the recent incident from GlobalSign. Please notice WoSign incident is occurred in 2015 for free DV SSL, not OV or EV. Best Regards, Richard Begin forwarded message: From: Doug Beattie > Date: September 21, 2016 at

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full trenchancy, I am sure not WoSign mis-issued certificate,

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full transparency, I am sure not WoSign mis-issued certificate

RE: Comodo issued a certificate for an extension

2016-09-25 Thread Richard Wang
I think I know the reason; this may be helpful for your investigation. This is a code bug from CA issuing system that the engineer mis-understand the free additional domain added rule. System treat the "www" as a subdomain, most case it is, but in this case, it is top domain. Subscriber

RE: WoSign and StartCom: next steps

2016-10-07 Thread Richard Wang
Hi Gerv, This is the updated incident report: https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf . Thanks. Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Subject: Re: Incidents involving the CA

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <mailto:rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason for > us to help them get the SHA-1 certificate if we are inten

Re: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
-09-21 16:26, Richard Wang wrote: R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is from when the orde

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
Lamb Sent: Tuesday, September 20, 2016 9:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > a

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
to do any comment. Sorry. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Tuesday, September 20, 2016 10:18 AM To: Richard Wang <rich...@wosign.com> Cc: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
of the two released reports. Please let me if you have any questions about this statement, thanks. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard

RE: WoSign and StartCom audit reports

2016-09-22 Thread Richard Wang
Thanks for your hard work. I wish you can finish check for all other CA's report ASAP. For WoSign, the report covered all 4 roots, not 3 roots. For StartCom, Eddy can say something about it, StartCom is 1000% independent for everything at 2015. Best Regards, Richard -Original

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to subscribers. As I said in last year CABF face to face

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
day) is Dec. 20th for a free DV SSL certificate that take so long time. I wish I said this clearly, thanks. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 22, 2016 11:38 AM To: Richard Wang <rich...@wosign.com&

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
> Are you saying out of over 40,000 orders over the last year, only six > "stopped to move forward" for a period of a week or more and these happen to > all have been ordered on Sunday, December 20, 2015 (China time)? You mean we issued 40,000 certificates at Dec 20, 2015? Here is the last two

Sanctions short of distrust

2016-09-21 Thread Richard Wang
But you can use OCSP Stapling in your web server. We don’t worry about most China online banking system and many ecommerce website using the foreign CA certificate, what do you worry about? As I said, we used Akamai CDN service that all hits will go to Akamai Edge servers first. Best Regar

RE: Incidents involving the CA WoSign

2016-09-22 Thread Richard Wang
Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40 minutes. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Thursday, September 22, 2016

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
server that need to resign after the internet connection is ok. For normal case, it is OK, good. Thanks. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 22, 2016 12:32 PM To: Richard Wang <rich...@wosign.com> Cc: G

OpenSSL OCSP serious vulnerability

2016-09-22 Thread Richard Wang
OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304) http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0 Best Regards, Richard ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Thank you very much for helping us. For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard > On Sep 16, 2016, at 22:32, Vincent Lynch <vtly...@gmail.com> wrote: > >> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Please read the report carefully that it is NOT the validation system is hijacked. Regards, Richard > On Sep 16, 2016, at 21:31, Han Yuwei <hanyuwe...@gmail.com> wrote: > > 在 2016年9月16日星期五 UTC+8下午6:07:56,Richard Wang写道: >> Hi Gerv, >> >> This is the final r

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Richard Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
r Bowen [mailto:pzbo...@gmail.com] Sent: Monday, September 19, 2016 10:31 PM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm still somewhat confuse

RE: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Richard Wang
I checked the certificate that it is a client certificate issued the personal -- PANG Ming Sum: CN = PANG Ming Sum E = todd.p...@autotoll.com.hk OU = AUTOTOLL LIMITED OU = 21506338215100635386 OU = 0001890584 O = Hongkong Post e-Cert (Organisational) C = HK The problem is this certificate

RE: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
This is the standard way in China Internet, if a west company say something to China company, all will support the west company. PLEASE don’t move this technical problem to political issue, thanks. Best Regards, Richard -Original Message- From: dev-security-policy

Re: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
I checked our system that this is a standard order in our system that passes the website control validation. We issued more than 300K certificates for worldwide customers including many famous company. For Aliyun, it's our reseller partner, see this news:

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
As I explained, we use same script using API, different parameter point to different API post URL for different CA, no any PKI hosting related. Regards, Richard > On 29 Aug 2016, at 16:25, Gervase Markham wrote: > >> On 24/08/16 17:44, Peter Bowen wrote: >> I think you are

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Yes, we plan to revoke all after getting confirmation from subscriber. We are doing this. Regards, Richard > On 29 Aug 2016, at 16:38, Gervase Markham <g...@mozilla.org> wrote: > >> On 29/08/16 05:46, Richard Wang wrote: >> For incident 1 - mis-issued certificate wit

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Sure, all issued cert is passed the domain control validations. Regards, Richard > On 29 Aug 2016, at 16:30, Gervase Markham <g...@mozilla.org> wrote: > >> On 25/08/16 04:38, Richard Wang wrote: >> R: NOT this case you think. Due to root inclusion problem, WoSign

RE: Incidents involving the CA WoSign

2016-08-28 Thread Richard Wang
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? R: OK, we will post all 2015 issued SSL certificates to CT log server, but this take time since

RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
Yes, sorry for this. As I admitted that this discussion gives us a big lesson that we know when we need to report incident to all browsers. We guarantee we will do it better. Best Regards, Richard -Original Message- From: dev-security-policy

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
cloudapp.net, which belongs to Microsoft > Azure. I'm fairly certain this certificate was not authorized by Microsoft: > > https://crt.sh/?id=2980 > > Thanks, > > Patrick > >> On 29/08/16 11:30, Richard Wang wrote: >> Yes, we plan to revoke all

RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
Hi Kathleen, WoSign released the news today since I just came back from USA CABF meeting. http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in Chinese) https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm (in English) Best Regards,

RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
: Monday, October 24, 2016 12:05 PM To: Richard Wang <rich...@wosign.com> Cc: Kathleen Wilson <kwil...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remediation Plan for WoSign and StartCom Hi Richard, A few questions - 1) Your post says "Ther

RE: WoSign has new roots?

2016-11-22 Thread Richard Wang
Hi all, This is the OEM certificate from Certum, Certum own and control everything with its own validation, you can check the test site: https://ovpretest.wosign.com that its CPS/CRL/OCSP/OID all belong to Certum. I don't think WoSign can't be a reseller of other CA. Thanks. Best Regards,

RE: WoSign has new roots?

2016-11-22 Thread Richard Wang
This is a common way for all CAs that issued many intermediate CAs for its resellers. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Wednesday, November 23,

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
I said many times that I am the Acting CEO of Wo sign now till the new CEO arrives. Even I am not the CEO instead of an employee, I think I can response the email about WoSign that just tell everyone the fact, not representing the company making any new decision. Please check my previous

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
WoSign stopped to issue free SSL certificate from those two intermediate CAs since Sept 29. Best Regards, Richard > On 13 Nov 2016, at 17:07, Percy wrote: > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > even though Apple limited

RE: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Richard Wang
. - From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Monday, October 24, 2016 10:47 AM To: Kathleen Wilson <k

RE: WoSign: updated report and discussion

2016-10-13 Thread Richard Wang
Percy, I think your English is too bad! And the English translation from Chinese is very bad. The report said: "Richard Wang will be relieved of his duties as CEO of WoSign", it is "will be". Now I am the Acting CEO of WoSign till the new CEO arrives. Anybody that is int

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-10 Thread Richard Wang
Our promise is close the free SSL application in our own website: buy.wosign.com. And now we closed it in our PKI side. Best Regards, Richard > On 9 Dec 2016, at 04:17, Gervase Markham <g...@mozilla.org> wrote: > >> On 05/12/16 13:41, Richard Wang wrote: >> We checke

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-10 Thread Richard Wang
As I said before, you finished the domain validation. This is DV SSL that no need to do the manual validation. Best Regards, Richard > On 10 Dec 2016, at 09:33, "zbw...@gmail.com" wrote: > > 在 2016年12月6日星期二 UTC+8上午6:50:04,Percy写道: >> lslqtz, >> How did you obtain this

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-11 Thread Richard Wang
As I said, we have the right to keep it or close it at any time. Best Regards, Richard > On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote: > >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote: >> Our promise is close the free SS

RE: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-13 Thread Richard Wang
or disable it at one channel but not another channel, which ultimately has the same security if WoSign is doing the validation. On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote: > As I said, we have the right to keep it or close it at any time. > > > Bes

RE: CA Public Key Material

2016-12-15 Thread Richard Wang
You are right, you have done the test same as my test, this don't mean you own our intermediate CA root key. For CSR, yes, our system doesn't validate the CSR self-signature. We think it is better to validate it, so we will update our system to validate it soon. For this test certificate

RE: Incident Report – Certificates issued without proper domain validation

2017-01-11 Thread Richard Wang
The nest.com certificate subject is: CN = www.nest.com O = Google Inc L = Mountain View S = California C = US This means this website owned by Google Inc. Right? Best Regards, Richard -Original Message- From: dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Richard Wang
We checked our system, this order is from one of the reseller. We have many resellers that used the API, we noticed all resellers to close the free SSL, but they need some time to update the system. The most important thing is this certificate is issued by proper way that this subscriber

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Richard Wang
s will be issued, via wosign, resellers, no any other > method? > >> On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote: >> We checked our system, this order is from one of the reseller. We have many >> resellers that used the API, we noticed all reselle

RE: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Richard Wang
interaction about it and we're happy to hear that Richard would like to help us out by transferring the domains. Thanks Richard, I'll be in touch. On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. > > I

  1   2   >