On Friday, September 16, 2016 at 6:07:56 PM UTC+8, Richard Wang wrote:
> Hi Gerv,
>
> This is the final report:
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
>
> Please let me know if you have any questions about the report, thanks.
>
>
> Best Regards,
>
> Richard Wang
> CEO
> WoSign CA Limited
>
>
> -----Original Message-----
> From: Gervase Markham
> Sent: Wednesday, September 7, 2016 7:00 PM
> To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> Hi Richard,
>
> On 07/09/16 11:06, Richard Wang wrote:
> > This discussion has lasted two weeks, I think it is time to end it,
> > it isn’t worth wasting everybody’s precious time.
>
> Unfortunately, I think we may be only beginning.
>
> I have prepared a list of the issues we are tracking with WoSign's
> certificate issuance process and business:
>
> https://wiki.mozilla.org/CA:WoSign_Issues
>
> Please can you provide a response to issues F, P, S and T at your earliest
> convenience?
>
> In addition, if you have further things to say about issues D, H, J, L, N or
> V we would be happy to hear them.
>
> Thank you for your suggestions, but once Mozilla has a full understanding of
> what has gone on we will be in a better position to decide what next actions
> are appropriate.
>
> With best wishes,
>
> Gerv

About the mis-issued alicdn.com and github.com certificates, is the whitelist an acceptable solution? I thought it is a severe problem that hijacks are possible from the CA's validation host to the server. Lots of vulnerabilities could be used by hackers, such as DNS poisoning and TCP hijacks. This time alicdn noticed the problem because it is a big company. If this happened to a relatively small company, could we notice it in time? I very much doubt that. Is there anything we can do to prevent this from happening?