We revoked this certificate, and we know this certificate is for test only.
For transparency, WoSign announced full transparency for all SSL certificates
from July 5th, posting all issued SSL certificates to the Google log server;
browsers can distrust WoSign-issued SSL certificates after that day if
See below inline, thanks.
Best Regards,
Richard
-Original Message-
From: Jeremy Rowley [mailto:jeremy.row...@digicert.com]
Sent: Thursday, August 25, 2016 3:50 AM
To: Jeremy Rowley; Peter Bowen; Gervase Markham
See previous reply, thanks.
Best Regards,
Richard
-Original Message-
From: Jeremy Rowley [mailto:jeremy.row...@digicert.com]
Sent: Thursday, August 25, 2016 3:41 AM
To: Peter Bowen; Gervase Markham
Cc:
Yes, correct.
Due to a root inclusion problem, the WoSign root has been cross-signed by StartCom since
2011, and we shared some facilities with StartCom, like CRL and OCSP distribution,
etc. But not in this case; as I declared in the previous email, this is an API
parameter option that can post data to any server
this cert is revoked in the same once it is issued.
Thanks for posting to CT.
Best Regards,
Richard
From: Eric Mill [mailto:e...@konklone.com]
Sent: Thursday, August 25, 2016 12:08 AM
To: Gervase Markham
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang
Of course, adding the affected certs to OneCRL should be done immediately.
WoSign also has to be transparent about all (mis)issued certs in the
past and has to provide this info in the future.
If they can't, I think we may consider if the current certs that are
valid for 3 years should be
On Wed, Aug 24, 2016 at 12:40 PM, Jeremy Rowley wrote:
> However, the fact a researcher was able to obtain a cert without proper domain
> validation is pretty serious. I'd like to hear more details about how this was
> accomplished. Ports 8080 and 8443 aren't that
Also, I think the biggest concern is that the mis-issuance issues were not reported
to Mozilla but were reported to Google. A failure to report a problem in
domain validation creates a question of whether the CA can be trusted in the
future. Could we boil these incidents down to the following
That's true. I think WoSign should chime in and provide clarity about what
happened. There are far too many innocent explanations to start crying foul.
However, the fact a researcher was able to obtain a cert without proper domain
validation is pretty serious. I'd like to hear more details about
Hi Jeremy,
On 24/08/16 17:12, Jeremy Rowley wrote:
> On incident 0, it's unclear whether a cert was actually mis-issued.
> Although they used a higher level port, did the researcher
> successfully bypass WoSign's domain validation process? Is the only
> concern that WoSign permitted higher level
Gerv,
On incident 0, it's unclear whether a cert was actually mis-issued. Although
they used a higher level port, did the researcher successfully bypass WoSign's
domain validation process? Is the only concern that WoSign permitted higher
level ports?
On incident 1, I agree this was a bad