Gerv, I believe I found the new updated report still has intentional deception.
Issue P: Use of SM2 Algorithm (Nov 2015)

WoSign stated that it's only used for testing purposes. However, on the official website (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的SSL证书和代码签名证书的商业CA。"

WoSign is the only commercial CA in China -- only commercial CA in the world that can sign SM2 SSL certs/code signing cert that is globally trusted.

This means that WoSign is not only signing SM2 certs for testing but also signing SM2 from the globally trusted roots in production. I suspect that there are SM2 certs from trusted root WoSign certs used in the wild.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy