Re: Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Itzhak Daniel via dev-security-policy
This blog post is very vague; one can understand from it that Microsoft will 
not trust any new certificates from these two CAs:

"Microsoft will begin the natural deprecation of WoSign and StartCom 
certificates by setting a “NotBefore” date ... Windows 10 will not trust any 
new certificates from these CAs after September 2017."

But this is probably not the case; I guess the article refers to the removal of the old 
roots of StartCom and WoSign, as they [probably] didn't go through the Microsoft 
audit process again (required annually) for these certs [1]. 'Microsoft Trusted 
Root Certificate' [2] isn't open to public comments/review, so we can't really 
tell what exactly that status is; probably StartCom and WoSign will file a 
request for the new roots to be included.

Links:
1. http://aka.ms/auditreqs
2. https://technet.microsoft.com/en-us/library/cc751157.aspx
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


RE: Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Richard Wang via dev-security-policy
Notice to WoSign customers:

This announcement is for WoSign old roots:

1) CN=CA 沃通根证书, O=WoSign CA Limited, C=CN
2) CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN
3) CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN
4) CN=CA WoSign ECC Root, O=WoSign CA Limited, C=CN

This distrust action has no relationship with the certificates issued by the 
currently trusted Managed Sub CA; it doesn't affect any of the SSL 
certificates issued by the Managed Sub CA after Nov 21, 2016. Since Oct 20, 
2016, WoSign has stopped selling SSL certificates to customers from the above 
old roots that Microsoft plans to distrust.

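Notice to WoSign users:

What Microsoft announced is that, after September 26, it will not trust certificates issued from the old WoSign root certificates; this does not refer to the SSL certificates WoSign currently sells. The SSL certificates currently on sale are all issued from other trusted CA root certificates and are not affected in any way.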


Best Regards,

WoSign CA Limited



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy via dev-security-policy
Sent: Wednesday, August 9, 2017 2:03 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Microsoft to remove WoSign and StartCom certificates in Windows 10

https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign 
and StartCom have failed to maintain the standards required by our Trusted Root 
Program. Observed unacceptable security practices include back-dating SHA-1 
certificates, mis-issuances of certificates, accidental certificate revocation, 
duplicate certificate serial numbers, and multiple CAB Forum Baseline 
Requirements (BR) violations.

Thus, Microsoft will begin the natural deprecation of WoSign and StartCom 
certificates by setting a “NotBefore” date of 26 September 2017. This means all 
existing certificates will continue to function until they self-expire. Windows 
10 will not trust any new certificates from these CAs after September 2017.

Microsoft values the global Certificate Authority community and only makes 
these decisions after careful consideration as to what is best for the security 
of our users.


Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign 
and StartCom have failed to maintain the standards required by our Trusted Root 
Program. Observed unacceptable security practices include back-dating SHA-1 
certificates, mis-issuances of certificates, accidental certificate revocation, 
duplicate certificate serial numbers, and multiple CAB Forum Baseline 
Requirements (BR) violations.

Thus, Microsoft will begin the natural deprecation of WoSign and StartCom 
certificates by setting a “NotBefore” date of 26 September 2017. This means all 
existing certificates will continue to function until they self-expire. Windows 
10 will not trust any new certificates from these CAs after September 2017.

Microsoft values the global Certificate Authority community and only makes 
these decisions after careful consideration as to what is best for the security 
of our users.
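The "NotBefore" cutoff described in the quoted Microsoft post, sketched as an added example (not code from Microsoft or from any poster in this thread). It assumes roots are matched by subject DN against the four old WoSign roots listed in the thread and that the cutoff is 2017-09-26 00:00 UTC, inclusive; `evaluate`, `normalize_dn` and `utc` are hypothetical names, and the sample certificates are constructed.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Cutoff date from the quoted Microsoft post; midnight UTC is an assumption.
CUTOFF = utc(2017, 9, 26)

# The four old WoSign root subjects listed in the thread.
OLD_ROOTS = [
    "CN=CA 沃通根证书, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, O=WoSign CA Limited, C=CN",
]

def normalize_dn(dn):
    """Order- and case-insensitive form of a simple comma-separated DN.
    Simplification: escaped commas (RFC 4514) are not handled."""
    parts = []
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts.append((key.strip().upper(), " ".join(value.split()).casefold()))
    return frozenset(parts)

# Assumption: matching by subject DN; real trust stores pin the root itself.
CONSTRAINED = {normalize_dn(dn) for dn in OLD_ROOTS}

def evaluate(root_subject, not_before, not_after, now):
    """Return (trusted, reason) for a leaf that chains to root_subject."""
    if not (not_before <= now <= not_after):
        return False, "outside validity period"
    if normalize_dn(root_subject) not in CONSTRAINED:
        return True, "root not date-constrained"
    # notBefore is asserted by the issuing CA, so this check is only as
    # reliable as that field.
    if not_before >= CUTOFF:  # inclusive comparison is an assumption
        return False, "issued on or after cutoff from constrained root"
    return True, "issued before cutoff; trusted until it expires"

if __name__ == "__main__":
    now = utc(2017, 10, 15)
    # Constructed sample leaves: (root subject, notBefore, notAfter)
    samples = [
        (OLD_ROOTS[2], utc(2016, 6, 1), utc(2018, 6, 1)),
        (OLD_ROOTS[2], utc(2017, 10, 1), utc(2018, 10, 1)),
        ("CN=Example Root, O=Example, C=US", utc(2017, 10, 1), utc(2018, 10, 1)),
    ]
    for root, nb, na in samples:
        print(root, "->", evaluate(root, nb, na, now))
```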