So if I understand correctly, you've published all certificates issued in 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that correct?

As noted in https://groups.google.com/d/msg/mozilla.dev.security.policy/Q3zjv95VhXI/p40n2Zv6DAAJ , this thread has turned up https://crt.sh/?id=29884704 which was misissued and had a notBefore of June 23, 2016.

In addition to that, there was discussion about backdated SHA1 certs ( https://groups.google.com/d/msg/mozilla.dev.security.policy/KNuiSDVl7qc/z8rPfqX7DAAJ , https://bugzilla.mozilla.org/show_bug.cgi?id=1293366 ) that were issued in 2016 but backdated to 2015.

When explicitly asked if you were publishing all the certs with a notBefore after 20150101000000Z in https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/FNYETUsnDQAJ you responded with:

On 02/09/2016 16:11, Richard Wang wrote:
> Yes, we posted all 2015 issued SSL from WoSign trusted root.


It has already been established that you issued certificates in 2016 that were backdated to 2015, and so we have no reason to even assume that when you say "all 2015 issued SSL [certs]", that this will include any other such hypothetical backdated certs. It has also been established that certs were misissued in 2016 outside of the July 5th and later period. So it seems that it would be in your own interest to be as transparent as possible for the 2016 certs as well, and to simply log any and every cert with a notBefore after 20150101000000Z.

Why have you not done so?

~ Gijs


On 04/09/2016 09:05, Richard Wang wrote:
https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f

This certificate was issued on July 1st, 2016; our promised SCT date is July 5th, 2016.


Best Regards,

Richard

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

Richard,

Can you also please check the following two certificates?  It looks like they were missed when logging all the 2015 certs.

https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2
https://www.censys.io/certificates/d99309f071141454f805c13551a827aa116bb53daefd8609e296c06b0dcdf720

Additionally, it looks like there may be a gap in logging for 2016.
For example, https://www.censys.io/certificates/06797f8095ba4d9c9ec5b9475cff7df3b258069cc89f303cd91dc329eaf0c08f does not show up in any log.

Thanks,
Peter

On Fri, Sep 2, 2016 at 8:31 AM, Richard Wang <rich...@wosign.com> wrote:
We will check this tomorrow.
Now our time is 23:32 at night.


Regards,

Richard

On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:

On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
Yes, we posted all 2015 issued SSL from WoSign trusted root.

On 2 Sep 2016, at 22:55, Peter Bowen <pzbo...@gmail.com> wrote:
Based on CT logs, I have seen certificates from the CAs below, all
of which have "WoSign" in the name.  Have you logged all
certificates which are signed by these CAs and have a notBefore
date of 20150101000000Z or later to the WoSign CT log?

Richard,

It seems then there is a newly exposed bug.
https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad shows a certificate issued by your CA that has a notBefore in March 2015.  It does not appear in the CT log.  However another certificate with identical serial number and subject, but different Validity, does appear in the log.

Are you aware of a bug where you were issuing certificates identical
except for validity period?

Thanks,
Peter
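The two checks Peter asks for above, as an added audit script that is not part of this thread and not WoSign's or anyone's production tooling: (a) list every certificate with a notBefore at or after 20150101000000Z whose fingerprint is absent from the set seen in a CT log, and (b) group certificates that share issuer, serial number and subject but carry different validity periods (serial reuse under one issuer is itself a violation of RFC 5280, independent of CT logging). The `CertRecord` type, the `CN=Example CA` issuer and the fingerprints are constructed placeholders, not certificates from the thread; in practice the records would be populated from the CA's issuance database and the logged set from crt.sh or the CT logs directly.

```python
"""Constructed audit example: CT-logging gap and duplicate-serial detection."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Cutoff the thread discusses: 20150101000000Z in X.509 GeneralizedTime form.
CT_CUTOFF = datetime(2015, 1, 1, tzinfo=timezone.utc)


@dataclass(frozen=True)
class CertRecord:
    """Minimal view of a certificate as it would come from an issuance DB."""
    fingerprint: str     # hex SHA-256 of the DER encoding (placeholder values below)
    issuer: str
    serial: str          # serial number as hex, exactly as the CA recorded it
    subject: str
    not_before: datetime
    not_after: datetime


def parse_generalized_time(value):
    """Parse the YYYYMMDDHHMMSSZ form used for notBefore/notAfter in this thread."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def missing_from_ct(certs, logged_fingerprints, cutoff=CT_CUTOFF):
    """Fingerprints of certificates at/after the cutoff that no CT log has seen."""
    return sorted(
        c.fingerprint
        for c in certs
        if c.not_before >= cutoff and c.fingerprint not in logged_fingerprints
    )


def duplicate_serials(certs):
    """Group certs by (issuer, serial, subject) and keep groups whose members
    disagree on the validity period, the pattern Peter describes above."""
    groups = defaultdict(list)
    for c in certs:
        groups[(c.issuer, c.serial, c.subject)].append(c)
    suspicious = {}
    for key, members in groups.items():
        validities = {(m.not_before, m.not_after) for m in members}
        if len(validities) > 1:
            suspicious[key] = sorted(members, key=lambda m: m.not_before)
    return suspicious


# Constructed sample data (not real certificates): two certs sharing serial 01
# but with different notAfter, one 2016 cert never logged, one pre-cutoff cert.
SAMPLE_CERTS = [
    CertRecord("aa" * 32, "CN=Example CA", "01", "CN=a.example",
               parse_generalized_time("20150310000000Z"),
               parse_generalized_time("20160310000000Z")),
    CertRecord("bb" * 32, "CN=Example CA", "01", "CN=a.example",
               parse_generalized_time("20150310000000Z"),
               parse_generalized_time("20180310000000Z")),
    CertRecord("cc" * 32, "CN=Example CA", "02", "CN=b.example",
               parse_generalized_time("20160701000000Z"),
               parse_generalized_time("20170701000000Z")),
    CertRecord("dd" * 32, "CN=Example CA", "03", "CN=c.example",
               parse_generalized_time("20141201000000Z"),
               parse_generalized_time("20151201000000Z")),
]
# Constructed: only the second "serial 01" certificate was ever submitted to a log.
SAMPLE_LOGGED = {"bb" * 32}


def audit(certs=SAMPLE_CERTS, logged=SAMPLE_LOGGED):
    """Run both checks and return their findings for the caller to act on."""
    return {
        "unlogged": missing_from_ct(certs, logged),
        "duplicate_serials": duplicate_serials(certs),
    }


if __name__ == "__main__":
    findings = audit()
    for fp in findings["unlogged"]:
        print("not in any CT log:", fp[:16] + "...")
    for (issuer, serial, subject), members in findings["duplicate_serials"].items():
        print(f"serial {serial} reused by {issuer} for {subject}:")
        for m in members:
            print("   ", m.not_before.date(), "->", m.not_after.date())
```

The pre-cutoff certificate is deliberately excluded from the "unlogged" list because the thread only asks about certificates with a notBefore on or after 20150101000000Z; a backdated certificate therefore evades this filter, which is exactly why Gijs argues above for logging everything at or after that date rather than trusting notBefore alone.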

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
