For security, the notBefore time is not the exact time of signing; it is set randomly from 
20 minutes to 40 minutes ahead.

For the 6 long delta times, we said it is a CT Post System bug;
For 2016-07-30 between 05:20 and 07:40 (CST), it is caused by the Internet 
connection problem from China to the Google CT log server, which needed to re-sign after 
the Internet connection was OK.
For the normal case, it is OK, good.

Thanks.


Best Regards,

Richard

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com] 
Sent: Thursday, September 22, 2016 12:32 PM
To: Richard Wang <rich...@wosign.com>
Cc: Gervase Markham <g...@mozilla.org>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang <rich...@wosign.com> wrote:
>> Are you saying out of over 40,000 orders over the last year, only six 
>> "stopped to move forward" for a period of a week or more and these happen to 
>> all have been ordered on Sunday, December 20, 2015 (China time)?
>
> You mean we issued 40,000 certificates on Dec 20, 2015?

No, there were slightly over 40418 certificates issued by CAs under the WoSign roots 
which have embedded Signed Certificate Timestamps.  They were issued over the 
course of approximately one year; the earliest notBefore date is 
2015-08-20T09:40:48Z and my CT data set was up to date as of 2015-09-05.

Of these 40418 certificates, 40394 had a delta between notBefore and the 
earliest SCT of less than 3 hours. Eighteen certificates have a delta between 5 
hours and 51 hours; all 18 of these have a notBefore on 2016-07-30 between 
05:20 and 07:40 (CST). The remaining 6 certificates have a delta of between 
262.3 hours (10.9 days) and 693.7 hours (28.9 days).  All six of these have a 
notBefore on 2015-12-20 (CST).

For what it is worth, the largest difference between the earliest embedded 
timestamp and the latest is less than 15 minutes in all certificates.

> We issued SHA-1 certificates every day; Dec 20 is not a special day. Why 
> you care about this day is that Computest got the SHA-1 certificate used on this 
> date, which we still don't know how he got, so we closed this API completely 
> and even deleted the API domain resolution.

I'm looking at all WoSign issued certificates, ignoring the hash algorithm used 
in the signature.  Two dates have certificates that are clear outliers when 
measuring the difference between notBefore and the timestamps.  I'm wondering 
what is special about these dates or these certificates.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
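Peter's measurement above (the delta between a certificate's notBefore and its earliest embedded SCT) can be reproduced from the raw extension bytes. The following is an added example, not code from either participant: it parses the RFC 6962 SignedCertificateTimestampList carried in the X.509 SCT extension, takes the earliest SCT timestamp, and buckets the delta with the thresholds the message uses (under 3 hours, 5 to 51 hours, and longer). The notBefore value, log IDs and signatures are constructed placeholders.

```python
import struct
from datetime import datetime, timedelta, timezone

def parse_sct_list(ext_value: bytes) -> list:
    """Return the timestamps of all v1 SCTs in an X.509 SCT-list extension value
    (a DER OCTET STRING wrapping an RFC 6962 SignedCertificateTimestampList)."""
    if ext_value[0] != 0x04:
        raise ValueError("expected a DER OCTET STRING")
    n, hdr = ext_value[1], 2
    if n & 0x80:                                  # long-form DER length
        hdr = 2 + (n & 0x7F)
        n = int.from_bytes(ext_value[2:hdr], "big")
    body = ext_value[hdr:hdr + n]
    (total,) = struct.unpack_from("!H", body, 0)  # byte length of the whole list
    pos, end, stamps = 2, 2 + total, []
    while pos < end:
        (sct_len,) = struct.unpack_from("!H", body, pos)
        sct = body[pos + 2:pos + 2 + sct_len]
        pos += 2 + sct_len
        # v1 SCT: version(1) | log_id(32) | timestamp(8, ms since epoch) | extensions | signature
        if sct[0] != 0:
            continue                              # unknown version: skip rather than guess the layout
        (ms,) = struct.unpack_from("!Q", sct, 33)
        stamps.append(datetime.fromtimestamp(ms / 1000, tz=timezone.utc))
    return stamps

def classify_delta(not_before: datetime, stamps: list) -> tuple:
    """Hours from notBefore to the earliest SCT, bucketed as in the thread."""
    hours = (min(stamps) - not_before) / timedelta(hours=1)
    bucket = "normal" if hours < 3 else "hours-long outlier" if hours <= 51 else "days-long outlier"
    return round(hours, 1), bucket

# Constructed test data: a notBefore and an SCT list with placeholder log IDs and signatures.
NOT_BEFORE = datetime(2015, 12, 20, 1, 0, tzinfo=timezone.utc)

def make_sct(ms: int) -> bytes:
    body = (b"\x00" + b"\x11" * 32 + struct.pack("!Q", ms)
            + b"\x00\x00"                         # empty CtExtensions
            + b"\x04\x03\x00\x00")                # sha256/ecdsa, zero-length signature
    return struct.pack("!H", len(body)) + body

def build_sct_ext(ms_list) -> bytes:
    scts = b"".join(make_sct(ms) for ms in ms_list)
    lst = struct.pack("!H", len(scts)) + scts
    n = len(lst)
    der_len = bytes([n]) if n < 128 else b"\x82" + struct.pack("!H", n)
    return b"\x04" + der_len + lst
```

On a real certificate, feed `parse_sct_list` the value of the extension with OID 1.3.6.1.4.1.11129.2.4.2 and the certificate's own notBefore; a list of SCTs logged 30 minutes after NOT_BEFORE classifies as `(0.5, 'normal')`.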