We revoked this certificate, and we know this certificate is for test only.
For transparency, WoSign announced full transparency for all SSL certificates from July 5th that post all issued SSL certificates to Google log server, browsers can distrust WoSign issued SSL certificates after that day if no SCT embedded data in the certificate. And WoSign even plans to post the code signing certificates and client certificates to log server for full transparency for all certificates. See this news if you missed: https://www.wosign.com/english/News/2016_wosign_CT.htm.

And we plan to set up a free alert service for worldwide users that if any SSL certificate for domain you care is issued from any CA, then you can get the alert email, this will benefit the ecosystem.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of s...@gmx.ch
Sent: Thursday, August 25, 2016 8:18 AM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

Of course, adding the affected certs to OneCRL should be done immediately.

WoSign also has to be transparent about all (mis)issued certs in the past and has to provide this info in the future. If they can't, I think we may consider if the current certs that are valid for 3 years should be restricted to a shorter period.

Regards,
Jonas

> For the thread's reference, here's the crt.sh link for the misissued
> GitHub certificate:
>
> https://crt.sh/?id=29647048
>
> Valid for 3 years, for github.com. It's not in OneCRL, CRLset, or
> Microsoft's disallowedcert.stl.
>
> On Wed, Aug 24, 2016 at 9:08 AM, Gervase Markham <g...@mozilla.org> wrote:
>
>> Taking into account all these incidents and the actions of this CA,
>> Mozilla is considering what action to take. Your input is welcomed.