"Some certificates are revoked after getting report from subscriber, but some
still valid, if any subscriber think it must be revoked and replaced new one,
please contact us in the system, thanks"
WoSign seems to lack the basic understanding of how a certificate is used in
authentication,
On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote:
> On 29/08/16 09:48, 蓝小灰 wrote:
> > Of course I have private key of this certificate
>
> I have asked 蓝小灰 for cryptographic proof of this.
>
> Gerv
Gerv, I've notified the security team in Alibaba about this possible fake
On 29/08/16 09:48, 蓝小灰 wrote:
> Of course I have private key of this certificate
I have asked 蓝小灰 for cryptographic proof of this.
Gerv
On Friday, August 26, 2016 at 4:26:26 PM UTC+8, Richard Wang wrote:
> This is the standard way in China Internet, if a west company say something
> to China company, all will support the west company.
-- especially when local CAs are losing credibility to end-users. Microsoft
Azure's Chinese
Not vulnerabilities mentioned in this thread, but a Human-Audit weak process.
Detail you can see the reply content I send to Mr. Wang
On Saturday, August 27, 2016 at 4:24:44 AM UTC+8, Jonathan Rudenberg:
> Here’s the crt.sh link for this certificate: https://crt.sh/?id=29884704
>
> Can you provide more details
OK, revoke all at tomorrow morning since our time is 22:22 now.
The cloudapp.net is revoked at the issuance time.
Thanks.
Regards,
Richard
> On 29 Aug 2016, at 21:53, Patrick Figel wrote:
>
> Richard,
>
> the problem with this approach is that the *subscriber* might not
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
Also, I think that the SHA-1 topic should be brought up again. Some CA folks
will be tired of reading about this, having managed the issue
Richard,
the problem with this approach is that the *subscriber* might not be
authorized to make this decision for the parent domain. To go back to
the GitHub case, the "owner" of a github.io subdomain telling you that
they are authorized to own a certificate that covers github.io is
irrelevant,
On Tuesday, 23 August 2016 20:03:13 UTC+1, Kathleen Wilson wrote:
> Are there any other topics that I should include in this upcoming CA
> Communication?
It can be worth following-up on date-in-time commitments from those CAs in
replies to the previous communication this year. Each CA should
As I explained, we use same script using API, different parameter point to
different API post URL for different CA, no any PKI hosting related.
Regards,
Richard
> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are
Sure, all issued cert is passed the domain control validations.
Regards,
Richard
> On 29 Aug 2016, at 16:30, Gervase Markham wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT this case you think. Due to root inclusion problem, WoSign
>> root is cross signed by
Yes, we plan to revoke all after getting confirmation from subscriber. We are
doing this.
Regards,
Richard
> On 29 Aug 2016, at 16:38, Gervase Markham wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate with un-validated subdomain,
On 26/08/16 06:12, 233sec Team wrote:
> https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e
>
> Alicdn.com is the cdn asset domain name of Taobao/tmall who belong to
> alibaba, which are Chinese biggest online shopping websites.
> With the fake cert's middle man attack, password
On 26/08/16 04:33, Richard Wang wrote:
> As I admitted that this discussion gives us a big lesson that we know
> when we need to report incident to all browsers. We guarantee we will
> do it better.
Richard,
You have been involved in this (Mozilla) discussion group and in the CAB
Forum for