Re: wosign and letsencrypt.cn / letsencrypt.com.cn
On 22/12/16 14:30, Tom Delmas wrote: > There are other mechanisms. But hard to use, especially between > countries. As a Firefox user, > I expect that CA trusted by Firefox are clearly identifiable and > distinguishable from each others. If CAs ever did something specific to Firefox or the root program, such as submitting a root cert for inclusion whose common name was misleading, we may well take action on that. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: wosign and letsencrypt.cn / letsencrypt.com.cn
In this case, no any CA named as letsencrypt similar name, and no any CA want to impersonate, most CA program require the root CA have a unique friendly name in the CA program. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Tom Delmas Sent: Thursday, December 22, 2016 10:30 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn Hi Gerv, > It's never come up. But I think we would be reluctant to intervene; Thank you for that answer. I understand it. > there are other mechanisms for sorting out such disputes, and it's not > our job to interpret or enforce trademark law or domain name dispute > resolution law. There are other mechanisms. But hard to use, especially between countries. As a Firefox user, I expect that CA trusted by Firefox are clearly identifiable and distinguishable from each others. We need CA to avoid website impersonation. In order to achieve that, I feel that "CA impersonation" must be avoided before all. And the logical way to do it in my opinion is in the Mozilla CA Certificate Policy. Tom ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
Hi Gerv, > It's never come up. But I think we would be reluctant to intervene; Thank you for that answer. I understand it. > there are other mechanisms for sorting out such disputes, and it's not > our job to interpret or enforce trademark law or domain name dispute > resolution law. There are other mechanisms. But hard to use, especially between countries. As a Firefox user, I expect that CA trusted by Firefox are clearly identifiable and distinguishable from each others. We need CA to avoid website impersonation. In order to achieve that, I feel that "CA impersonation" must be avoided before all. And the logical way to do it in my opinion is in the Mozilla CA Certificate Policy. Tom ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
On 21/12/16 12:42, tdel...@gmail.com wrote: > I think Mozilla still doesn't answer my first question:what is the > position of Mozilla regarding CA that act in bad faith regarding the > usage of the names associated with others CA (like, registering such > trademarks or domains) ? It's never come up. But I think we would be reluctant to intervene; there are other mechanisms for sorting out such disputes, and it's not our job to interpret or enforce trademark law or domain name dispute resolution law. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
On Monday, December 19, 2016 at 2:45:16 AM UTC+1, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. I'm sorry about the wosing-bashing that followed. It wasn't my intention. > We know Let's Encrypt is released after the public announcement, but two day > later, its .cn domain is still not registered, I think maybe it is caused by > the strict registration rule in China, so I registered it for protection that > not registered by Cornbug. Thank you for that and for your prompt response. I think Mozilla still doesn't answer my first question:what is the position of Mozilla regarding CA that act in bad faith regarding the usage of the names associated with others CA (like, registering such trademarks or domains) ? Wosing's answer to my question was positive and in my opinion faithful, but it's not the first time a CA engage in such behavior, and I think Mozilla should at least makes an official comment. Best regards ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
People here tend to bash WoSign/StartCom the whole time and make them guilty for nearly everthing, including the Lindbergh Kidnapping. I also do think people are actively searching for anything they can blame, and ignore/tolerate incidents of other CAs. Am Freitag, 16. Dezember 2016 19:18:27 UTC+1 schrieb tde...@gmail.com: > It seams that wosign has registered the domains letsencrypt.cn and > letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt : > > whois letsencrypt.cn > Domain Name: letsencrypt.cn > ROID: 20141120s10001s72911711-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com > Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:27 > Expiration Time: 2017-11-20 09:57:27 > DNSSEC: unsigned > > whois letsencrypt.com.cn > Domain Name: letsencrypt.com.cn > ROID: 20141120s10011s84227837-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com > Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:28 > Expiration Time: 2017-11-20 09:57:28 > > Let's Encrypt was announced publicly on November 18, 2014 ( > http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm > ). That domain appear to be registered two days after. > > Certificate authorities are about trust. I don't feel comfortable about a CA > registering a domain matching the name of another CA. What is the position of > Mozilla about that? > Maybe Let's Encrypt or wosign have more information about these domains? > > https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786 > > Other relevant thread: Comodo Legal Phishing attack against ISRG? > https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
在 2016年12月20日星期二 UTC+8下午8:21:33,Tom写道: > According to The Uniform Domain-Name Dispute-Resolution Policy, > letsencrypt.cn seem use in bad faith. > > On December 20, 2016 2:45:47 PM GMT+08:00, "谭晓生"wrote: > >It is ICP license you talked about, you can find some information here: > >https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ > > > >It is almost impossible to register a .cn or .com.cn domain in China > >for a foreign company which do not have a legal entity in China, > >legally. > >The websites will be blocked for access by the ISP/Telco if the > >websites were hosted in China but do not have valid ICP licenses or > >even the IPs have not been registered to the government. if it is not > >that hard before, but it has more and more regulatory polices. > > Yep. As far as I known, it must use the service of one of Chinese hosting > providers. Therefore, .cn domain name must point to Chinese IP adress. > > On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei > wrote: > >Since letsencrypt.org is very famous, I think the best way is to > >redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org > > And, It is disallowed redirecting to the website which haven't ICP license. > > tanxiaosh...@360.cn wrote: > >For Letsencrypt, if you want to own the .cn or .com.cn domain legally, > >think of to set a legal entity in China. > > I don't think it's a good idea. It may will take much time and money for > organization. And I think that Chinese government is not friendly to foreign > companies/organizations. .cn can use CNAME redirect and don't required to point to a Chinese IP address. ICP is for *host* not for domain. I think this is out of m.d.s.p's scope. Maybe we can leave this to Letsencrypt and Wosign. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
According to The Uniform Domain-Name Dispute-Resolution Policy, letsencrypt.cn seem use in bad faith. On December 20, 2016 2:45:47 PM GMT+08:00, "谭晓生"wrote: >It is ICP license you talked about, you can find some information here: >https://support.cloudflare.com/hc/en-us/articles/209714777-ICP-FAQ > >It is almost impossible to register a .cn or .com.cn domain in China >for a foreign company which do not have a legal entity in China, >legally. >The websites will be blocked for access by the ISP/Telco if the >websites were hosted in China but do not have valid ICP licenses or >even the IPs have not been registered to the government. if it is not >that hard before, but it has more and more regulatory polices. Yep. As far as I known, it must use the service of one of Chinese hosting providers. Therefore, .cn domain name must point to Chinese IP adress. On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei wrote: >Since letsencrypt.org is very famous, I think the best way is to >redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org And, It is disallowed redirecting to the website which haven't ICP license. tanxiaosh...@360.cn wrote: >For Letsencrypt, if you want to own the .cn or .com.cn domain legally, >think of to set a legal entity in China. I don't think it's a good idea. It may will take much time and money for organization. And I think that Chinese government is not friendly to foreign companies/organizations. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: wosign and letsencrypt.cn / letsencrypt.com.cn
As far as I know, transferring by entering the name and address of the person to transfer to would work via your registrar. But then CNNIC will want to see a photo of a passport showing the name of the person in full within a certain deadline, otherwise the domain would be suspended. A registrar gathers this from the intended registrant and they send it to CNNIC on your behalf, you don't send it directly to CNNIC. Of course there is distinction between a person and a company, if you're transferring to a company, you'll need business documents showing registration details. See this FAQ: https://cnnic.com.cn/IS/CNym/cnymyhfaq/#8_1 One more thing to be aware of not listed in the FAQ there: CNNIC will want to know if you will be using the domain within China, as that requires an ACP licence for any website hosted on port 80, 8080, or 443. Choosing "no" would mean the domain would resolve, but any website on it would be inaccessible within China and would only work abroad, since ACP licences *apparently* are only available to Chinese companies. What this effectively means for Let's Encrypt, you'd have the domain name to protect it, but wouldn't be able to use it within China unless you had an actual presence there and acquired an ACP licence. I registered a .cn domain some time ago, so just thought I'd share my knowledge. Good luck, and sorry it kinda goes outside the scope of this thread. Sam On Tue, Dec 20, 2016 at 2:28 AM, Richard Wang <rich...@wosign.com> wrote: > I got the email from Josh, this is my reply: > > Hi Josh, > > Glad to receive your formal request email. > > Yes, it is hard to register a domain for foreigner, I also don't know how to > transfer to you. What I can do now is to resolute it to your website. > > As I said we can transfer to you at any time. > > > Best Regards, > > Richard > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of j...@letsencrypt.org > Sent: Monday, December 19, 2016 12:36 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn > > We had some trouble figuring out how to purchase a Chinese domain name before > we launched, so we didn't purchase it then. We've never talked to wosign about > this before, and we haven't seen the domain used for anything confusing so > far. This is our first interaction about it and we're happy to hear that > Richard would like to help us out by transferring the domains. > > Thanks Richard, I'll be in touch. > > On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: >> I wish everyone can talk about this case friendly and equally. >> >> It is very common that everyone can register any domain based on the first >> come and first service rule. >> >> We know Let's Encrypt is released after the public announcement, but two day >> later, its .cn domain is still not registered, I think maybe it is caused by >> the strict registration rule in China, so I registered it for protection >> that not registered by Cornbug. >> >> We don’t use those domains for any WoSign's services that we provide >> similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) >> >> Now, if Mozilla or Let’s Encrypt contact me officially and request to >> transfer the two domains to them, no any problem, we can transfer to them >> for FREE! >> >> But please notice that this arrangement is for friendship, not for others >> .. >> >> >> Best Regards, >> >> Richard > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: wosign and letsencrypt.cn / letsencrypt.com.cn
I got the email from Josh, this is my reply: Hi Josh, Glad to receive your formal request email. Yes, it is hard to register a domain for foreigner, I also don't know how to transfer to you. What I can do now is to resolute it to your website. As I said we can transfer to you at any time. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of j...@letsencrypt.org Sent: Monday, December 19, 2016 12:36 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: wosign and letsencrypt.cn / letsencrypt.com.cn We had some trouble figuring out how to purchase a Chinese domain name before we launched, so we didn't purchase it then. We've never talked to wosign about this before, and we haven't seen the domain used for anything confusing so far. This is our first interaction about it and we're happy to hear that Richard would like to help us out by transferring the domains. Thanks Richard, I'll be in touch. On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. > > It is very common that everyone can register any domain based on the first > come and first service rule. > > We know Let's Encrypt is released after the public announcement, but two day > later, its .cn domain is still not registered, I think maybe it is caused by > the strict registration rule in China, so I registered it for protection > that not registered by Cornbug. > > We don’t use those domains for any WoSign's services that we provide > similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) > > Now, if Mozilla or Let’s Encrypt contact me officially and request to > transfer the two domains to them, no any problem, we can transfer to them > for FREE! > > But please notice that this arrangement is for friendship, not for others > .. > > > Best Regards, > > Richard ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. > > It is very common that everyone can register any domain based on the first > come and first service rule. > > We know Let's Encrypt is released after the public announcement, but two day > later, its .cn domain is still not registered, I think maybe it is caused by > the strict registration rule in China, so I registered it for protection that > not registered by Cornbug. > > We don’t use those domains for any WoSign's services that we provide similar > service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) > > Now, if Mozilla or Let’s Encrypt contact me officially and request to > transfer the two domains to them, no any problem, we can transfer to them for > FREE! > > But please notice that this arrangement is for friendship, not for others > .. > > > Best Regards, > > Richard > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of tdel...@gmail.com > Sent: Saturday, December 17, 2016 1:34 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: wosign and letsencrypt.cn / letsencrypt.com.cn > > It seams that wosign has registered the domains letsencrypt.cn and > letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt : > > whois letsencrypt.cn > Domain Name: letsencrypt.cn > ROID: 20141120s10001s72911711-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:27 > Expiration Time: 2017-11-20 09:57:27 > DNSSEC: unsigned > > whois letsencrypt.com.cn > Domain Name: letsencrypt.com.cn > ROID: 20141120s10011s84227837-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:28 > Expiration Time: 2017-11-20 09:57:28 > > Let's Encrypt was announced publicly on November 18, 2014 ( > http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm > ). That domain appear to be registered two days after. > > Certificate authorities are about trust. I don't feel comfortable about a CA > registering a domain matching the name of another CA. What is the position of > Mozilla about that? > Maybe Let's Encrypt or wosign have more information about these domains? > > https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786 > > Other relevant thread: Comodo Legal Phishing attack against ISRG? > https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ > ___ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy I found WoSign's explanation completely incredulous. WoSign has been sending **unsolicited** marketing emails to websites that use Let's Encrypt cert essentially saying Let's Encrypt might revoke cert at will and ask users to switch to WoSign (Email attached). After I posted on the forum about this, WoSign stated "From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA[Let's Encrypt], everything[about all those incidents surrounding WoSign that led to its distrust] is clear now. " (https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/IxnAbfFGDQAJ) I find it hard to believe that if WoSign thought Let's Encrypt is a company that will send troll to undermine WoSign, WoSign would register Let's Encrypt's domain to protect Let's Encrypt's trademark. (Admittedly, WoSign's accusation of me came later but I'm assuming his attitudes towards Let's Encrypt is the same over the years). - This is a typical unsolicited marketing email they sent to Let's Encrypt users. https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large Translated below. --- Dear friend: I'm *** from WoSign CA. WoSign is the first SSL cert company in China. Your website *'s SSL cert is from Let's Encrypt, expiring at Oct, 2016. If you switch to WoSign before the expiration you can enjoy buy one year get one year free. The risks associated with foreign CA: 1. Cert revocation If foreign CA is influenced by politics and revoke certs for important Chinese organizations, the entire system will be paralyzed. 2. Information security risks If the website uses foreign certs, users need to send information to foreign servers in every visit. Time of the visit, the location
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
On Sunday, December 18, 2016 at 5:45:16 PM UTC-8, Richard Wang wrote: > We know Let's Encrypt is released after the public announcement, but two day > later, its .cn domain is still not registered, I think maybe it is caused by > the strict registration rule in China, so I registered it for protection that > not registered by Cornbug. I found it really hard to comprehend why you believe you should be registering a domain name, "for protection", that belongs to another brand, especially where there is definitely conflict of interests involved. > We don’t use those domains for any WoSign's services Until a few days ago, letsencrypt.cn points to a Microsoft/21vianet Azure China server 211.151.125.110 [1][2]. A reverse lookup on this IP [3] yields hostnames implying services of WoSign (pkiclick.net, wosigncode.net, etc.). As of the time of this email, DNS lookup of this domain name yields NXDOMAIN, which means WoSign has made the effort to remove the record. Why bother to add the DNS record in the first place then? [1] http://whois.domaintools.com/letsencrypt.cn [2] http://viewdns.info/iphistory/?domain=letsencrypt.cn [3] http://bgp.he.net/ip/211.151.125.110#_dns ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
在 2016年12月19日星期一 UTC+8下午12:36:10,jo...@letsencrypt.org写道: > We had some trouble figuring out how to purchase a Chinese domain name before > we launched, so we didn't purchase it then. We've never talked to wosign > about this before, and we haven't seen the domain used for anything confusing > so far. This is our first interaction about it and we're happy to hear that > Richard would like to help us out by transferring the domains. > > Thanks Richard, I'll be in touch. > > On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: > > I wish everyone can talk about this case friendly and equally. > > > > It is very common that everyone can register any domain based on the first > > come and first service rule. > > > > We know Let's Encrypt is released after the public announcement, but two > > day later, its .cn domain is still not registered, I think maybe it is > > caused by the strict registration rule in China, so I registered it for > > protection that not registered by Cornbug. > > > > We don’t use those domains for any WoSign's services that we provide > > similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) > > > > Now, if Mozilla or Let’s Encrypt contact me officially and request to > > transfer the two domains to them, no any problem, we can transfer to them > > for FREE! > > > > But please notice that this arrangement is for friendship, not for others > > .. > > > > > > Best Regards, > > > > Richard Register a domain in China is much more different from International common partice. For further advice I suggest LE should contact with their lawyer. Since letsencrypt.org is very famous, I think the best way is to redirect letsencrypt.com.cn and letsencrypt.cn to letsencrypt.org ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
We had some trouble figuring out how to purchase a Chinese domain name before we launched, so we didn't purchase it then. We've never talked to wosign about this before, and we haven't seen the domain used for anything confusing so far. This is our first interaction about it and we're happy to hear that Richard would like to help us out by transferring the domains. Thanks Richard, I'll be in touch. On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. > > It is very common that everyone can register any domain based on the first > come and first service rule. > > We know Let's Encrypt is released after the public announcement, but two day > later, its .cn domain is still not registered, I think maybe it is caused by > the strict registration rule in China, so I registered it for protection that > not registered by Cornbug. > > We don’t use those domains for any WoSign's services that we provide similar > service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) > > Now, if Mozilla or Let’s Encrypt contact me officially and request to > transfer the two domains to them, no any problem, we can transfer to them for > FREE! > > But please notice that this arrangement is for friendship, not for others > .. > > > Best Regards, > > Richard ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
RE: wosign and letsencrypt.cn / letsencrypt.com.cn
I wish everyone can talk about this case friendly and equally. It is very common that everyone can register any domain based on the first come and first service rule. We know Let's Encrypt is released after the public announcement, but two day later, its .cn domain is still not registered, I think maybe it is caused by the strict registration rule in China, so I registered it for protection that not registered by Cornbug. We don’t use those domains for any WoSign's services that we provide similar service: https://pki.click/index_En.htm (SSL Wizard, StartEncrypt) Now, if Mozilla or Let’s Encrypt contact me officially and request to transfer the two domains to them, no any problem, we can transfer to them for FREE! But please notice that this arrangement is for friendship, not for others .. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of tdel...@gmail.com Sent: Saturday, December 17, 2016 1:34 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: wosign and letsencrypt.cn / letsencrypt.com.cn It seams that wosign has registered the domains letsencrypt.cn and letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt : whois letsencrypt.cn Domain Name: letsencrypt.cn ROID: 20141120s10001s72911711-cn Domain Status: clientTransferProhibited Registrant ID: k35-n2041486_00 Registrant: 深圳市沃通电子商务服务有限公司 Registrant Contact Email: d...@wosign.com Sponsoring Registrar: 厦门三五互联科技股份有限公司 Name Server: ns3.dns-diy.com Name Server: ns4.dns-diy.com Registration Time: 2014-11-20 09:57:27 Expiration Time: 2017-11-20 09:57:27 DNSSEC: unsigned whois letsencrypt.com.cn Domain Name: letsencrypt.com.cn ROID: 20141120s10011s84227837-cn Domain Status: clientTransferProhibited Registrant ID: k35-n2041486_00 Registrant: 深圳市沃通电子商务服务有限公司 Registrant Contact Email: d...@wosign.com Sponsoring Registrar: 厦门三五互联科技股份有限公司 Name Server: ns3.dns-diy.com Name Server: ns4.dns-diy.com Registration Time: 2014-11-20 09:57:28 Expiration Time: 2017-11-20 09:57:28 Let's Encrypt was announced publicly on November 18, 2014 ( http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm ). That domain appear to be registered two days after. Certificate authorities are about trust. I don't feel comfortable about a CA registering a domain matching the name of another CA. What is the position of Mozilla about that? Maybe Let's Encrypt or wosign have more information about these domains? https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786 Other relevant thread: Comodo Legal Phishing attack against ISRG? https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: wosign and letsencrypt.cn / letsencrypt.com.cn
Well, based on the previous deception of WoSign before, during and after Mozilla's investigation, I'm not remotely surprised to see this. On Friday, December 16, 2016 at 10:18:27 AM UTC-8, tde...@gmail.com wrote: > It seams that wosign has registered the domains letsencrypt.cn and > letsencrypt.com.cn in 2014 after the public announce of Let's Encrypt : > > whois letsencrypt.cn > Domain Name: letsencrypt.cn > ROID: 20141120s10001s72911711-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com > Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:27 > Expiration Time: 2017-11-20 09:57:27 > DNSSEC: unsigned > > whois letsencrypt.com.cn > Domain Name: letsencrypt.com.cn > ROID: 20141120s10011s84227837-cn > Domain Status: clientTransferProhibited > Registrant ID: k35-n2041486_00 > Registrant: 深圳市沃通电子商务服务有限公司 > Registrant Contact Email: d...@wosign.com > Sponsoring Registrar: 厦门三五互联科技股份有限公司 > Name Server: ns3.dns-diy.com > Name Server: ns4.dns-diy.com > Registration Time: 2014-11-20 09:57:28 > Expiration Time: 2017-11-20 09:57:28 > > Let's Encrypt was announced publicly on November 18, 2014 ( > http://www.crn.com/news/cloud/300074840/lets-encrypt-a-free-and-automated-certificate-authority-comes-out-of-stealth-mode.htm > ). That domain appear to be registered two days after. > > Certificate authorities are about trust. I don't feel comfortable about a CA > registering a domain matching the name of another CA. What is the position of > Mozilla about that? > Maybe Let's Encrypt or wosign have more information about these domains? > > https://community.letsencrypt.org/t/letsencrypt-cn-and-letsencrypt-com-cn-was-registered-by-wosign/23786 > > Other relevant thread: Comodo Legal Phishing attack against ISRG? > https://groups.google.com/d/msg/mozilla.dev.security.policy/n-8kcrSuhjg/WKj-PAI2BgAJ ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy