Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
1. All certs are revoked in time; please check our CRL.

2. WoSign has logged all SSL certs since July 5th.

3. I know you are Chinese with good English; welcome to join WoSign, we need 
good talent like you.

Regards,

Richard

> On 31 Aug 2016, at 01:33, Percy wrote:
> 
> We classified these 33 misissued certificates into two types: one type is we 
> think this misissued certificate is obviously not from the domain owner; we 
> revoked this type of certificate instantly after we knew of the misissuance
> 
> Your statement is contradicted by the fact that the other two mis-issued 
> GitHub certs have not been revoked 14 months after the original breach and 
> your being aware of that breach.
> 
> 
> 
> we will post all issued SSL certificates in 2015 to the CT log server soon. 
> -
> Multiple users from the original thread have identified mis-issued 
> certificates in the CT log (aggregated here: 
> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html ). I 
> don't see how posting to the CT log helps, because WoSign didn't even deal 
> with mis-issued certs after posting such certs to CT logs. Besides, WoSign 
> has issued back-dated certs, whether due to a bug or not. Hence at least CT 
> should be required for ALL WoSign-issued certs.
> 
> 
> Third, due to the English language limit, we know we can't understand all 
> related international standards, so there may have been some bugs in the 
> system in the past and maybe in the future
> --
> This is absurd. Are you saying THE largest CA in China, WoSign, cannot afford 
> to hire a few developers fluent in English to help understand the 
> international standards and in turn inform their peers? I understand that 
> WoSign has to affirm they understand and will comply with the BRs to be 
> included in the program. Are you saying that WoSign didn't even understand 
> the BRs to begin with because the BRs are written in English?
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


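Richard's reply points relying parties at WoSign's CRL. The check below is an added example, not code from this thread or from WoSign: it builds a throwaway CA, two leaf certificates and a CRL entirely in memory with the `cryptography` library, then shows what a relying party has to verify before trusting a CRL's answer (issuer match, signature, freshness) and how a stale or unrelated CRL yields "unknown" rather than "good". The CA name, hostnames and lifetimes are constructed; against a real certificate you would fetch the CRL from its CRL Distribution Points extension and use the real issuer certificate for the signature check. Note also that mainstream browsers generally do not download CRLs for end-entity certificates, so "check our CRL" does not by itself stop a mis-issued certificate from being accepted by users.

```python
"""Revocation check against an issuer CRL (constructed, self-contained example)."""
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def _now():
    # Naive UTC datetime, which the X.509 builders accept across library versions.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)


def make_ca(name):
    """Self-signed CA certificate and key (constructed; not any real CA)."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, name)])
    cert = (
        x509.CertificateBuilder()
        .subject_name(subject)
        .issuer_name(subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )
    return key, cert


def issue_leaf(ca_key, ca_cert, dns_name):
    """Leaf certificate for a hypothetical hostname, signed by the CA above."""
    key = ec.generate_private_key(ec.SECP256R1())
    return (
        x509.CertificateBuilder()
        .subject_name(x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, dns_name)]))
        .issuer_name(ca_cert.subject)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(_now() - datetime.timedelta(days=1))
        .not_valid_after(_now() + datetime.timedelta(days=90))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(dns_name)]), critical=False)
        .sign(ca_key, hashes.SHA256())
    )


def build_crl(ca_key, ca_cert, revoked_serials, issued_at=None, valid_days=7):
    """CRL listing the given serials; issued_at lets the demo produce a stale CRL."""
    issued_at = issued_at or _now()
    builder = (
        x509.CertificateRevocationListBuilder()
        .issuer_name(ca_cert.subject)
        .last_update(issued_at)
        .next_update(issued_at + datetime.timedelta(days=valid_days))
    )
    for serial in revoked_serials:
        entry = (
            x509.RevokedCertificateBuilder()
            .serial_number(serial)
            .revocation_date(issued_at)
            .build()
        )
        builder = builder.add_revoked_certificate(entry)
    return builder.sign(ca_key, hashes.SHA256())


def revocation_status(leaf, crl, ca_cert):
    """Return 'revoked', 'good', or 'unknown' when the CRL cannot be trusted."""
    # The CRL must come from the leaf's issuer, or its contents say nothing about the leaf.
    if crl.issuer != ca_cert.subject or leaf.issuer != ca_cert.subject:
        return "unknown"
    # An unsigned or forged CRL could omit a revoked serial; verify before reading it.
    if not crl.is_signature_valid(ca_cert.public_key()):
        return "unknown"
    # A CRL past its nextUpdate may predate the revocation; treat it as no answer.
    next_update = getattr(crl, "next_update_utc", None)
    if next_update is None:  # older cryptography releases expose naive next_update
        next_update = crl.next_update.replace(tzinfo=datetime.timezone.utc)
    if next_update < datetime.datetime.now(datetime.timezone.utc):
        return "unknown"
    if crl.get_revoked_certificate_by_serial_number(leaf.serial_number) is not None:
        return "revoked"
    return "good"


def demo():
    """Exercise the check: one good leaf, one revoked leaf, a stale CRL, a wrong issuer."""
    ca_key, ca_cert = make_ca("Example Test CA")
    good = issue_leaf(ca_key, ca_cert, "good.example.test")
    bad = issue_leaf(ca_key, ca_cert, "bad.example.test")
    crl = build_crl(ca_key, ca_cert, [bad.serial_number])
    stale = build_crl(ca_key, ca_cert, [bad.serial_number],
                      issued_at=_now() - datetime.timedelta(days=30))
    _, other_ca = make_ca("Unrelated CA")
    return {
        "good": revocation_status(good, crl, ca_cert),
        "bad": revocation_status(bad, crl, ca_cert),
        "stale": revocation_status(bad, stale, ca_cert),
        "wrong_issuer": revocation_status(bad, crl, other_ca),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the three "unknown" branches is that a relying party must not turn an unverifiable CRL into a "not revoked" answer: a missing signature check, a mismatched issuer or an expired nextUpdate each leave the revocation question open.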


Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Percy
We classified these 33 misissued certificates into two types: one type is we 
think this misissued certificate is obviously not from the domain owner; we 
revoked this type of certificate instantly after we knew of the misissuance

Your statement is contradicted by the fact that the other two mis-issued GitHub 
certs have not been revoked 14 months after the original breach and your being 
aware of that breach.



we will post all issued SSL certificates in 2015 to the CT log server soon. 
-
Multiple users from the original thread have identified mis-issued certificates 
in the CT log (aggregated here: 
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html ). I 
don't see how posting to the CT log helps, because WoSign didn't even deal with 
mis-issued certs after posting such certs to CT logs. Besides, WoSign has 
issued back-dated certs, whether due to a bug or not. Hence at least CT should 
be required for ALL WoSign-issued certs.


Third, due to the English language limit, we know we can't understand all 
related international standards, so there may have been some bugs in the 
system in the past and maybe in the future
--
This is absurd. Are you saying THE largest CA in China, WoSign, cannot afford to 
hire a few developers fluent in English to help understand the international 
standards and in turn inform their peers? I understand that WoSign has to 
affirm they understand and will comply with the BRs to be included in the 
program. Are you saying that WoSign didn't even understand the BRs to begin 
with because the BRs are written in English?