Re: Incidents involving the CA WoSign

2016-10-11 Thread Peter Kurrasch
involving the CA WoSign On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.co

Re: Incidents involving the CA WoSign

2016-10-10 Thread Gervase Markham
On 10/10/16 08:15, Michael Ströder wrote: > Which "Chrome users"? All of them as a collective body. Standard revocation doesn't hold up in an active attack scenario. If someone has control of your customers' internet connection sufficient that they can direct a request that was meant to go to

Re: Incidents involving the CA WoSign

2016-10-10 Thread Michael Ströder
Gervase Markham wrote: > On 07/10/16 04:21, Peter Gutmann wrote: >> That still doesn't necessarily answer the question, Google have their CRLSets >> but they're more ineffective than effective in dealing with revocations >> (according to GRC, they're 98% ineffective, >>

Re: Incidents involving the CA WoSign

2016-10-07 Thread Gervase Markham
On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.com/revocation/crlsets.htm). That

Re: Incidents involving the CA WoSign

2016-10-07 Thread Kurt Roeckx
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote: > Kurt Roeckx writes: > > >This is why browsers have something like OneCRL, so that they actually do > >know about it and why Rob added that information to the bug tracker ( >

Re: Incidents involving the CA WoSign

2016-10-06 Thread Peter Gutmann
Kurt Roeckx writes: >This is why browsers have something like OneCRL, so that they actually do >know about it and why Rob added that information to the bug tracker ( >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). That still doesn't necessarily answer the question,

Re: Incidents involving the CA WoSign

2016-10-05 Thread Man Ho (Certizen)
It is an interesting aspect that the Mozilla community has not discussed thoroughly, or at all. Cross-signing a third party intermediate cert is equivalent to sharing of trust, that any CA should only consider it with extreme care. Is it possible to know how many intermediate certs that is

Re: Incidents involving the CA WoSign

2016-10-05 Thread Kurt Roeckx
On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote: > Rob Stradling writes: > > >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any >

Re: Incidents involving the CA WoSign

2016-10-05 Thread Michael Ströder
Peter Gutmann wrote: > Rob Stradling writes: > >> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >> either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information

Re: Incidents involving the CA WoSign

2016-10-05 Thread okaphone . elektronika
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information could be propagated to > browsers. Good question. Regardless of the answer,

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >either. What I was really asking, in a tongue-in-cheek way, was whether there was any indication of how successfully the information could be propagated to browsers.

Re: Incidents involving the CA WoSign

2016-10-05 Thread Rob Stradling
On 05/10/16 14:09, Peter Gutmann wrote: > Rob Stradling writes: > >> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >> we'd issued to WoSign: > > This allows us to examine the modern Internet variant of an old philosophical > question,

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >we'd issued to WoSign: This allows us to examine the modern Internet variant of an old philosophical question, "If a certificate is revoked in the web PKI and no one

Re: Incidents involving the CA WoSign

2016-10-04 Thread Percy
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: >

Re: Incidents involving the CA WoSign

2016-10-04 Thread Rob Stradling
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign: https://crt.sh/?id=3223853 https://crt.sh/?id=12716343 https://crt.sh/?id=12716433 See also: https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 On 06/09/16 11:11, Rob Stradling wrote: > Hi

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 12:38, Richard Wang wrote: > Please check this news (Feb 25th 2015) in OSCCA website: > http://www.oscca.gov.cn/News/201312/News_1254.htm that all China > licensed CA finished the PKI/CA system upgrade that all licensed CA > MUST be able to issue SM2 certificate to subscribers. I have

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:12, Kurt Roeckx wrote: On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able

Re: Incidents involving the CA WoSign

2016-09-23 Thread Kurt Roeckx
On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
cy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Gervase Markham Sent: Friday, September 23, 2016 6:55 PM To: Han Yuwei <hanyuwe...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 23/09/16 11:49, Han Yuwe

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.gov.cn/Column/Column_32.htm > > If anybody want a English version of laws & regulations, Percy and I may help. No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 07:55, Richard Wang wrote: > This is the final statement about the incident: > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) Thank you. Gerv

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
> > -Original Message- > > From: dev-security-policy [mailto:dev-security-policy-bounces+richard > > > =wosign@lists.mozilla.org > ] On Behalf Of > > Richard Wang >

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
Friday, September 16, 2016 6:05 PM > To: Gervase Markham <g...@mozilla.org> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi Gerv, > > This is the final report: https://

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_091620

RE: Incidents involving the CA WoSign

2016-09-22 Thread Richard Wang
1:50 PM To: Peter Bowen <pzbo...@gmail.com> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham <g...@mozilla.org> Subject: RE: Incidents involving the CA WoSign For security, the notBefore time is not the exact time of signing, random from 20 minutes to 40 minutes a

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
ervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang <rich...@wosign.com> wrote: >> Are you saying out of over 40,000 orders over the last year, only six >

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote: >> Are you saying out of over 40,000 orders over the last year, only six >> "stopped to move forward" for a period of a week or more and these happen to >> all have been ordered on Sunday, December 20, 2015 (China time)? >

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
olicy > [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o > rg] On Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
gt; Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm having a really hard time reconciling what you describe with what is found in the CT logs and what I observed today when doing as you suggested

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
e, thanks. > > Regards, > > Richard > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-

Re: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
Not this case. Gerv asked why the order was placed on Aug. 12th 2015 but issued on Dec. 20th 2015; it is because he finished the domain validation on Dec 20th. Best Regards, Richard On Sep 21, 2016, at 22:54, Kurt Roeckx > wrote: On 2016-09-21 16:26,

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 16:26, Richard Wang wrote: R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 24/08/16 14:08, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. I have recently updated https://wiki.mozilla.org/CA:WoSign_Issues to draw some conclusions for

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason for > us to help them get the SHA-1 certificate if we are inten

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason > for us to help them get the SHA-1 certificate if we are intentional, > and some certificate is even never used or even not retrieved

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Subject: Re: Incidents involving the CA

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
; > > > > Best Regards, > > > > Richard > > > > -Original Message- > > From: Peter Bowen [mailto:pzbo...@gmail.com] > > Sent: Tuesday, September 20, 2016 10:18 AM >

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 21/09/16 11:10, Kurt Roeckx wrote: > I didn't read it like that, and that the assets they have in WoSign > should be more than 10% of the total assets. So that WoSign would be > more than 10% of the USD$9.99B. Oops. You are right. My apologies! I thought the benchmark was the size of the

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 12:11, Richard Wang wrote: Please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes. This is a little misleading. The hex

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <mailto:rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 11:16, Gervase Markham wrote: Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: > Qihoo 360 is a company valued at USD$9.99B as it finished the > privatization on July 15th 2016, we have invested in more than 200 > companies across the world, Wosign is just a very small one and we > even do not have any people sent to this company

Re: Incidents involving the CA WoSign

2016-09-20 Thread Erwann Abalea
hanks, > Xiaosheng Tan > Sent from 360 Q5 Mobile Phone > > 发件人: Kurt Roeckx <k...@roeckx.be> > 发送时间: 2016年9月20日 23:45 > 收件人: mozilla-dev-security-pol...@lists.mozilla.org > 主题: Re: Incidents involving the CA WoSign > > On 2016-09-20

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
la.org 主题: Re: Incidents involving the CA WoSign On 2016-09-20 17:31, 谭晓生 wrote: > Dear Gerv and all, > > Qihoo 360 is a company valued at USD$9.99B as it finished the privatization > on July 15th 2016, we have invested in more than 200 companies across the > world, Wosign is

Re: Incidents involving the CA WoSign

2016-09-20 Thread Kurt Roeckx
On 2016-09-20 17:31, 谭晓生 wrote: Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
; > Sent: Tuesday, September 20, 2016 10:18 AM > > To: Richard Wang <rich...@wosign.com> > > Cc: Nick Lamb <tialara...@gmail.com>; > > mozilla-dev-security-pol...@lists.mozilla.org &

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this company after the investment, the

Re: Incidents involving the CA WoSign

2016-09-20 Thread Gervase Markham
Hi Richard, On 16/09/16 11:05, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. Thank you for this report. I have a few follow-up

Re: Incidents involving the CA WoSign

2016-09-20 Thread Ryan Sleevi
On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote: > Your behavior let me think of a Chinese word "株连九族", means "to implicate the > nine generations of a family", this is an extreme penalty in feudal times in > China that if a man committed a crime, the whole clan that up to

Re: Incidents involving the CA WoSign

2016-09-20 Thread Gervase Markham
Hello Xiaosheng, Welcome to our discussion forum :-) It may help you to know that participants in this forum come from a wide range of backgrounds and companies, and the only ones who represent Mozilla are the ones listed here: http://wiki.mozilla.org/CA:Policy_Participants as doing so. On

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-20 Thread Peter Gutmann
Peter Bowen writes: >As someone pointed out on Twitter this morning, it seems that the PSC >notification for Startcom UK was filed recently: >https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf So if I'm

Re: Incidents involving the CA WoSign

2016-09-20 Thread Percy
0, 2016 10:18 AM > To: Richard Wang <rich...@wosign.com> > Cc: Nick Lamb <tialara...@gmail.com>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > Richard,

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
d > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o > rg] On Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Inciden

Re: Incidents involving the CA WoSign

2016-09-19 Thread Peter Bowen
ity-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > On Tuesday, 20 Sept

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
Lamb Sent: Tuesday, September 20, 2016 9:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > a

Re: Incidents involving the CA WoSign

2016-09-19 Thread Nick Lamb
On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > and all related parent companies that up to nine generations! I think this is > NOT the best practice in the modern law-respect society. It seems

RE: Incidents involving the CA WoSign

2016-09-19 Thread Erwann Abalea
Bonsoir Richard, This info should probably be added to the thread "WoSign's ownership of StartCom", and then Peter's complementary questions are legitimate ones, being in line with Mozilla's concerns.

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
r Bowen [mailto:pzbo...@gmail.com] Sent: Monday, September 19, 2016 10:31 PM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm still somewhat confuse

Re: Incidents involving the CA WoSign

2016-09-19 Thread Peter Bowen
PM > To: Gervase Markham <g...@mozilla.org> > Cc: mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > &

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Richard Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/

Re: Incidents involving the CA WoSign

2016-09-18 Thread Florian Weimer
* Richard Wang: >> Thus, do you believe it was faithful and accurate for Management to >> warrant that the CA was operated in compliance with the BRs, given >> that Management was aware of incidents of non-compliance? > > This is my fault that I think it is not serious enough to state in > the

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Thank you very much for helping us. For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard > On Sep 16, 2016, at 22:32, Vincent Lynch wrote: > >> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: >> Hi Gerv, >>

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Please read the report carefully; it is NOT that the validation system was hijacked. Regards, Richard > On Sep 16, 2016, at 21:31, Han Yuwei wrote: > > 在 2016年9月16日星期五 UTC+8下午6:07:56,Richard Wang写道: >> Hi Gerv, >> >> This is the final report: >>

Re: Incidents involving the CA WoSign

2016-09-16 Thread Vincent Lynch
On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. > > > Best Regards, > > Richard

Re: Incidents involving the CA WoSign

2016-09-16 Thread Han Yuwei
t; Richard Wang > CEO > WoSign CA Limited > > > -Original Message- > From: Gervase Markham > Sent: Wednesday, September 7, 2016 7:00 PM > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign

RE: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
, September 7, 2016 7:00 PM To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end it, > it doesn’t worth to

Re: Incidents involving the CA WoSign

2016-09-14 Thread Peter Bowen
On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote: > We will publish a more comprehensive report in the next several days that > will attempt to cover most / all issues. > Thanks for your patience. Richard, Thank you in advance for working on a comprehensive report. I

Re: Incidents involving the CA WoSign

2016-09-10 Thread Richard Wang
Hi all, We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. Thanks for your patience. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang

Re: Incidents involving the CA WoSign

2016-09-09 Thread Kyle Hamilton
> From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.moz

Re: Incidents involving the CA WoSign

2016-09-08 Thread Jakob Bohm
On 07/09/2016 16:01, Thijs Alkemade wrote: On 07 Sep 2016, at 14:52, Rob Stradling wrote: On 06/09/16 19:12, Thijs Alkemade wrote: Hello, We obtained 2 certificates from the StartEncrypt API which had SHA-1 signatures and which were backdated to December 20,

Re: Incidents involving the CA WoSign

2016-09-08 Thread Richard Wang
gt; better after getting this so big lesson. >> Thank you. >> >> >> Best Regards, >> >> Richard Wang >> CEO >> WoSign CA Limited >> >> >> -Original Message- >> From: dev-security-policy >> [m

Re: Incidents involving the CA WoSign

2016-09-08 Thread Ming
Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi all, > > We finished the investigation and rel

Re: Incidents involving the CA WoSign

2016-09-08 Thread Vincent Lynch
On Wednesday, September 7, 2016 at 7:00:54 AM UTC-4, Gervase Markham wrote: > Hi Richard, > > On 07/09/16 11:06, Richard Wang wrote: > > This discuss has been lasting two weeks, I think it is time to end > > it, it doesn’t worth to waste everybody’s precious time. > > Unfortunately, I think we

Re: Incidents involving the CA WoSign

2016-09-08 Thread Gervase Markham
On 08/09/16 11:39, Rob Stradling wrote: > Consider https://crt.sh/?id=30629293, for example. Are you really > suggesting that this was issued on 2nd September 2016 but backdated to > 20th December 2015? For simplicity, I've removed this section from Issue S. I think the evidence related there

Re: Incidents involving the CA WoSign

2016-09-08 Thread Rob Stradling
On 07/09/16 17:02, Gervase Markham wrote: > On 07/09/16 13:52, Rob Stradling wrote: >> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to >> see an explanation), but I'm not convinced that it proves everything you >> think it proves. > > Hi Rob, > > My digest of Thijs's

Re: Incidents involving the CA WoSign

2016-09-07 Thread Percy
osign@lists.mozilla.org] On > Behalf Of Richard Wang > Sent: Sunday, September 4, 2016 5:49 PM > To: Gervase Markham <g...@mozilla.org>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: RE: Incidents involving the CA WoSign > > Hi all, > > We fin

Re: Incidents involving the CA WoSign

2016-09-07 Thread Kurt Roeckx
On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote: > On 2016-09-07 13:00, Gervase Markham wrote: > > Hi Richard, > > > > On 07/09/16 11:06, Richard Wang wrote: > > > This discuss has been lasting two weeks, I think it is time to end > > > it, it doesn’t worth to waste everybody’s

Re: Incidents involving the CA WoSign

2016-09-07 Thread Jozef Izso
et] > Sent: Wednesday, September 7, 2016 12:06 AM > To: Richard Wang <rich...@wosign.com>; Gervase Markham <g...@mozilla.org>; > dev-security-policy@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > Hi, > > section 1.4. Impact Analyti

Re: Incidents involving the CA WoSign

2016-09-07 Thread dymutaos
On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote: > ... we can't find the info what port is used, our CMS system just record this > order is validated by website control validation method, not record the used > port at that time. > > Why we can find out other 72

Re: Incidents involving the CA WoSign

2016-09-07 Thread Gervase Markham
On 07/09/16 13:52, Rob Stradling wrote: > Hi Thijs. I agree that this pattern is interesting (and it'd be nice to > see an explanation), but I'm not convinced that it proves everything you > think it proves. Hi Rob, My digest of Thijs's work (and that of others investigating the same issues) is

Re: Incidents involving the CA WoSign

2016-09-07 Thread Rob Stradling
On 07/09/16 15:01, Thijs Alkemade wrote: > What is suspicious is: > > - Twice as many SHA-1 certificates being issued on a specific Sunday in > December than the daily average that month. (Which also happens to be the > date on the certificates which I personally got from the StartEncrypt

Re: Incidents involving the CA WoSign

2016-09-07 Thread Thijs Alkemade
On 07 Sep 2016, at 14:52, Rob Stradling wrote: > > On 06/09/16 19:12, Thijs Alkemade wrote: > >> Hello, >> >> We obtained 2 certificates from the StartEncrypt API which had SHA-1 >> signatures and which were backdated to December 20, 2015. >> >> After WoSign

Re: Incidents involving the CA WoSign

2016-09-07 Thread Rob Stradling
On 06/09/16 19:12, Thijs Alkemade wrote: > Hello, > > We obtained 2 certificates from the StartEncrypt API which had SHA-1 > signatures and which were backdated to December 20, 2015. > > After WoSign announced that all certificates issued in 2015 were logged to > their Certificate

Re: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
We posted all 2015 certificates, total 109,405 We almost finished 2016 certificates, till now, 129,426, not finished. All 392 cert is not from one serial number, it is from several serial numbers. Regards, Richard > On 7 Sep 2016, at 20:07, Kurt Roeckx wrote: > >> On

Re: Incidents involving the CA WoSign

2016-09-07 Thread Kurt Roeckx
On 2016-09-07 13:00, Gervase Markham wrote: Hi Richard, On 07/09/16 11:06, Richard Wang wrote: This discuss has been lasting two weeks, I think it is time to end it, it doesn’t worth to waste everybody’s precious time. Unfortunately, I think we may be only beginning. I have prepared a list

Re: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
Got it, thanks. We will reply to you soon. By the way, the link you used in the page to our report is not correct. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >> This discuss has been lasting

Re: Incidents involving the CA WoSign

2016-09-07 Thread Gervase Markham
Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end > it, it doesn’t worth to waste everybody’s precious time. Unfortunately, I think we may be only beginning. I have prepared a list of the issues we are tracking with WoSign's

RE: Incidents involving the CA WoSign

2016-09-07 Thread Richard Wang
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Sunday, September 4, 2016 5:49 PM To: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi all, We fi

Re: Incidents involving the CA WoSign

2016-09-07 Thread Rob Stradling
On 06/09/16 11:11, Rob Stradling wrote: > "UTN - DATACorp SGC" was also cross-certified by the "AddTrust External > CA Root" root [3], but we revoked the cross-certificates in December > 2015, invited Mozilla to add them to OneCRL [4] and disclosed them as > revoked to Salesforce [5]. (I don't

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 19:49, Jonathan Rudenberg wrote: On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: I thought Wosign's report is not very convincible. The bug of subdomain have existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of

Re: Incidents involving the CA WoSign

2016-09-06 Thread Thijs Alkemade
On 01 Sep 2016, at 18:00, Ryan Sleevi wrote: > > Incident 2: July, 2016 - At least 1 backdated SHA-1 certificate (was this > the only one? I wasn't clear from > https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/gksYkOTLCwAJ > >

Re: Incidents involving the CA WoSign

2016-09-06 Thread Gervase Markham
On 05/09/16 23:58, Peter Bowen wrote: > 1) Should any action be taken against the operators of these CAs due > to the incidents listed? > > My view is that the correct answer is "no, unless it is demonstrated > that the CA operator had knowledge of undisclosed incidents", as I > believe that the

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jonathan Rudenberg
> On Sep 5, 2016, at 16:25, hanyuwe...@gmail.com wrote: > > I thought Wosign's report is not very convincible. The bug of subdomain have > existed for a long time and it made me feel it is a feature not a bug. It's > not a secret among the admin of personal or small sites. I am not very >

Re: Incidents involving the CA WoSign

2016-09-06 Thread xcrailfans
On Saturday, September 3, 2016 at 1:31:17 PM UTC-4, Andy Ligg wrote: > You are completely wrong! > > StartCom not only have office in Israel and in China, but also have > office in UK, welcome to visit our UK office: T05, Castlemead, Lower > Castle Street, Bristol, BS1 3AG, UK. Thanks for

Re: Incidents involving the CA WoSign

2016-09-06 Thread Will Hughes
Hello, First of all let me state that I am in no way involved in the operation of a certificate authority, nor am I involved in setting CA policy for any organisation; I am merely an interested observer. I am a user of Mozilla's trust store, both directly through Firefox and Thunderbird, and

Re: Incidents involving the CA WoSign

2016-09-06 Thread moonbingbing
For page 19 of the report, I have one question: If the subscriber MUST transfer the payment from his company bank account, why did the subscriber fake the company seal as in figure 20? And from figure 21's information, one fraud company transferred the payment from Alipay, NOT his company bank! 在

Re: Incidents involving the CA WoSign

2016-09-06 Thread Julian Brost
Hi, section 1.4. Impact Analytics in the report contains a list of 72 certificates, for which the domain validation was done on a high port. On 2015-04-20 I have obtained a certificate for a domain name that I validated using port 8080 but that certificate is not listed in the report. This is

Re: Incidents involving the CA WoSign

2016-09-06 Thread hanyuwei70
I thought Wosign's report is not very convincible. The bug of subdomain have existed for a long time and it made me feel it is a feature not a bug. It's not a secret among the admin of personal or small sites. I am not very similar to CA stuff that time,just a subscriber of Wosign's free

Re: Incidents involving the CA WoSign

2016-09-06 Thread Eddy Nigg
On 09/05/2016 10:54 AM, Gervase Markham wrote: Hi Eddy, On 04/09/16 09:51, Eddy Nigg wrote: I don't want to extend this discussion unnecessarily, but as a side note you don't know which agreements this employee has signed with StartCom and/or WoSign and hence you can't make a judgement on it

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
Yeah, it's almost impossible to distrust all WoSign authority manually from keychain access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates ) Certification Authority of
