On Friday, December 9, 2016 at 4:19:31 AM UTC+8, Gervase Markham wrote:
> On 05/12/16 13:41, Richard Wang wrote:
> > We checked our system, this order is from one of the resellers. We
> > have many resellers that used the API, we noticed all resellers to
> > close the free SSL, but they need some time to update the system.
>
> More than two months?
>
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
>
> > The
> > most important thing is this certificate is issued by proper way that
> > this subscriber finished the domain validation, so this is not a
> > mis-issuance, not "deceiving".
>
> This is narrowly true, from a Mozilla perspective. Mozilla has not
> required that WoSign stop issuing certificates. We have just said that
> we no longer trust them. Of course, I don't know what commitments WoSign
> has made to other root stores. And indeed, no-one has suggested that
> this certificate is mis-issued from a domain validation perspective.
>
> There is an issue relating to the difference between WoSign's public
> statement on their website that they have ceased free SSL issuance, and
> the reality that they have not. We expect CAs who make public statements
> about their actions to abide by those statements.
>
> Gerv

Before the WoSign incident, lots of cloud services in China were using WoSign's API to issue SSL certificates for their customers. And for this particular domain, I think someone intended to issue a certificate from WoSign's Free Certificate G2 via somewhere, and they succeeded. Because I saw other valid certificate on this domain.

P.S. It seems like WoSign updated their system, for there is an embedded SCT in this cert.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy