On 13 Nov 2016, at 10:08, Percy <percyal...@gmail.com> wrote: > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate > CA. An example of site signed by"CA 沃通免费SSL证书 G2" intermediate CA is > https://www.chelenet.com/ > > Those two intermediate certs are treated by WoSign the same way and the > translation of "CA 沃通免费SSL证书 G2" is "WoSign CA Free SSL Certificate G2". > Users can select whether the end cert is signed by "CA 沃通免费SSL证书 G2" or > "WoSign CA Free SSL Certificate G2". All control measures are the same and > the only difference is the language for marketing reasons. > > Hence, because Apple has chose to blocked "WoSign CA Free SSL Certificate > G2", it makes sense to apply the same sanction on "CA 沃通免费SSL证书 G2", as > they're in all senses the same.
Hi Percy, I’ve been following Apple’s security updates to determine when the announced block becomes active and how it is implemented. Using 10.11.6, with no updates available, it appears this block is not yet active for me. There are no errors when I try to visit https://inow.ua in Safari (https://crt.sh/?id=43120524 appears to be the last certificate issued by "WoSign CA Free SSL Certificate G2” which is currently still in use). In the file /System/Library/Security/Certificates.bundle/Contents/Resources/Allowed.plist I only see two CINNIC roots listed. Could you tell us what OS and version you used to determine that Apple has limited "WoSign CA Free SSL Certificate G2”? Best regards, Thijs Alkemade _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy