Sorry, I am busy with the incident report that is up to 20 pages.
It will be released soon today.

Two reports: one for incident 0-2, and another one for incident X, including 
the one you pointed out.


Best Regards,

Richard

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com] 
Sent: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

Richard,

Can you also please check the following two certificates?  It looks like they 
were missed when logging all the 2015 certs.

https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2
https://www.censys.io/certificates/d99309f071141454f805c13551a827aa116bb53daefd8609e296c06b0dcdf720

Additionally, it looks like there may be a gap in logging for 2016.
For example, 
https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f
does not show up in any log.

Thanks,
Peter

On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <rich...@wosign.com> wrote:
> We will check this tomorrow.
> Now our time is 23:32 at night.
>
>
> Regards,
>
> Richard
>
>> On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:
>>
>>> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
>>> Yes, we posted all 2015 issued SSL from WoSign trusted root.
>>>
>>>> On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
>>>> Based on CT logs, I have seen certificates from the CAs below, all 
>>>> of which have "WoSign" in the name.  Have you logged all 
>>>> certificates which are signed by these CAs and have a notBefore 
>>>> date of 20150101000000Z or later to the WoSign CT log?
>>
>> Richard,
>>
>> It seems then there is a newly exposed bug.
>> https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad
>> shows a certificate issued by your CA 
>> that has a notBefore in March 2015.  It does not appear in the CT 
>> log.  However another certificate with identical serial number and 
>> subject, but different Validity, does appear in the log.
>>
>> Are you aware of a bug where you were issuing certificates identical 
>> except for validity period?
>>
>> Thanks,
>> Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
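
Added example, not part of the original thread: a minimal audit of the two conditions Peter describes, certificates with a notBefore of 20150101000000Z or later that are missing from a CT log, and certificates that share issuer and serial number but differ in validity. The record layout, the `audit` function and all sample values (names, serials, fingerprints) are constructed for illustration.

```python
from collections import defaultdict, namedtuple
from datetime import datetime, timezone

Cert = namedtuple("Cert", "fp issuer serial subject not_before not_after")

def parse_time(value):
    """Parse an X.509 GeneralizedTime string such as 20150101000000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

CUTOFF = parse_time("20150101000000Z")  # cutoff quoted in the thread

# Constructed inventory (e.g. exported from the CA database or a scan corpus).
CERTS = [
    Cert("fp-aaa", "CN=Example CA G1", "0a1b", "CN=one.example", "20150317000000Z", "20180317000000Z"),
    Cert("fp-bbb", "CN=Example CA G1", "0A1B", "CN=one.example", "20150320000000Z", "20180320000000Z"),
    Cert("fp-ccc", "CN=Example CA G1", "0a1c", "CN=two.example", "20160105000000Z", "20170105000000Z"),
    Cert("fp-ddd", "CN=Example CA G1", "0a1d", "CN=three.example", "20141231235959Z", "20151231235959Z"),
    Cert("fp-eee", "CN=Example CA G2", "0a1b", "CN=four.example", "20160601000000Z", "20170601000000Z"),
]
# Constructed set of fingerprints found in the CT log.
LOGGED = {"fp-bbb", "fp-ccc"}

def audit(certs, logged, cutoff=CUTOFF):
    """Return (unlogged fingerprints, serial collisions with differing validity)."""
    unlogged = sorted(
        c.fp for c in certs
        if parse_time(c.not_before) >= cutoff and c.fp not in logged
    )
    # A serial number must be unique per issuer, so key on (issuer, serial).
    # Compare serials as integers so hex case and leading zeros do not hide a match.
    groups = defaultdict(list)
    for c in certs:
        groups[(c.issuer, int(c.serial, 16))].append(c)
    collisions = {}
    for key, group in groups.items():
        validities = {(c.not_before, c.not_after) for c in group}
        if len(validities) > 1:
            collisions[key] = sorted(c.fp for c in group)
    return unlogged, collisions

if __name__ == "__main__":
    missing, dupes = audit(CERTS, LOGGED)
    print("not in log:", missing)
    for (issuer, serial), fps in dupes.items():
        print(f"serial {serial:x} reused under {issuer}: {fps}")
```

The logged twin (`fp-bbb`) would satisfy a check that only looks up serial numbers in the log, which is why the comparison has to be made on the certificate fingerprint.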