On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote:
> On Sun, Sep 04, 2016 at 09:49:25AM +0000, Richard Wang wrote:
> > Hi all,
> > 
> > We finished the investigation and released the incidents report today: 
> > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf 
> > 
> > This report has 20 pages, please let me if you still have any questions, 
> > thanks.
> 
> Hi Richard,
> 
> About incident 0 in the report, it says:
> 
>   We investigated each certificates to think it is no necessary to
>   revoke these certificates.
> 
> Can you please explain how you investigated those and why you
> think it's not needed to revoke them?
> 
> 
> I also don't understand what you're trying to explain in 2.2.  I
> think what it says is that the procedure used to be:

So I'm going to try to understand everything in the document, with
time stamps I can find in the document.
For order 84997, https://crt.sh/?id=29647048
On June 10, 2015, UTC+8:
- ??: Order 84997 is started (11:17:03??)
- 11:43:45: schrauger.github.io validation started?
- 11:43:48: schrauger.github.io validation passed?
- 11:44:15: schrauger.github.com validation started?
- 11:44:17: schrauger.github.com validation passed?
- ??: Subscriber added github.com, github.io, www.github.io?
- 11:47:05: Subscriber clicked the "submit request" button
- 11:49:46: It went to some PKI system?
- 13:42:44: The notBefore date of the certificate
- 14:03:35: The certificate was generated?
- 20:43:00: Subscriber downloaded the certificate

On June 11, 2015, UTC+8:
- 09:38: A mail was sent to Validation Team A and B,
  about order 85295 and 85295.  (At least that's what I
  understand, it's a mail to 3 people.)
- 09:49:21: Validation Team A said to revoke
- 09:51:24: Validation Team B approved the revocation request.
- 10:30:53: A mail is sent to the subscriber that it's been
  revoked?
- 10:33:08: The PKI admin approved the revocation
- 10:47:55: The PKI system said the revocation was successful

Order 85295, https://crt.sh/?id=29805567,
On June 10, 2015, UTC+8:
- 22:39:54: Subscriber clicked the "submit request" button
- 23:03:13: The notBefore date of the certificate
- 23:34:55: The certificate was generated?

On June 11, the same as for the previous one.

For order 85391, on June 11, 2015, UTC+8:
- 06:34:58: schrauger.github.io validation started
- 06:35:02: schrauger.github.io was validated.
- 06:35:25: schrauger.github.com validation started
- 06:35:28: schrauger.github.com was validated.
- ??: Subscriber added github.com, www.github.com, github.io,
  www.github.io?
- 06:36:47: Subscriber clicked the "submit request" button
- 06:39:31: It went to the PKI system?
- 09:01: Someone sends a mail to 2 people, making a reference to
  2 orders from the same account, and that they might not have
  been properly validated.

So my understanding is that each time it went to the manual
validation, but that the first 2 times people said ok and that
only the 3rd time someone noticed that the other hostnames weren't
validated.  Is that correct?


Kurt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
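The failure the timeline above circles around is a request whose final SAN list contains names that were never validated. As an added example (not code from Kurt's message, from WoSign, or from the incident report), the check below takes the names a subscriber actually validated and the names on the submitted request and reports every SAN that no validation covers. It assumes the usual rule that validating a name authorizes that name and its subdomains, never its parent; the order data is a constructed reproduction of order 84997 as described in the thread.

```python
def _labels(name: str) -> list[str]:
    """Normalise a hostname into its DNS labels, lowest label last."""
    return name.strip().lower().rstrip(".").split(".")


def covers(validated: str, requested: str) -> bool:
    """Return True if a validation of `validated` authorizes `requested`.

    A validated name covers itself and any name beneath it (e.g. github.com
    covers www.github.com). It never covers its parent: validating
    schrauger.github.io says nothing about github.io. Comparison is done
    label by label so that github.com does not match xgithub.com.
    """
    v, r = _labels(validated), _labels(requested)
    return len(v) <= len(r) and r[len(r) - len(v):] == v


def unvalidated_sans(validated: set[str], requested: list[str]) -> list[str]:
    """List every requested SAN that no validated name covers.

    An empty result means the request may proceed; anything else must be
    validated (or dropped) before the CA signs, rather than passed on to a
    manual reviewer who only sees the names that did pass.
    """
    return [
        san for san in requested
        if not any(covers(v, san) for v in validated)
    ]


# Constructed reproduction of order 84997: two github.io/github.com
# subdomains were validated, then the base domains were added to the order.
ORDER_84997_VALIDATED = {"schrauger.github.io", "schrauger.github.com"}
ORDER_84997_REQUESTED = [
    "schrauger.github.io",
    "schrauger.github.com",
    "github.com",
    "github.io",
    "www.github.io",
]

if __name__ == "__main__":
    missing = unvalidated_sans(ORDER_84997_VALIDATED, ORDER_84997_REQUESTED)
    print("unvalidated SANs:", missing)
```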