Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 18:00, Andrew Ayer wrote: > I don't think relying on the notBefore date is a viable option. > WoSign seems to have such a poor handle on their operations that I > think it would be inevitable that someone would find a certificate in > the wild with a notBefore date in the past that had

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand SS

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 16:21, Peter Bowen wrote: > It seems then there is a newly exposed bug. > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > shows a certificate issued by your CA that has a notBefore in March > 2015. It does not appear in the CT log.

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > On 02/09/16 16:21, Peter Bowen wrote: > > It seems then there is a newly exposed bug. > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > > shows a certificate issued by your CA

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > > On 02/09/16 16:21, Peter Bowen wrote: > > > It seems then there is a newly exposed bug. > > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edb

Re: Incidents involving the CA WoSign

2016-09-03 Thread Andy Ligg
You are completely wrong! StartCom not only has offices in Israel and in China, but also has an office in the UK; welcome to visit our UK office: T05, Castlemead, Lower Castle Street, Bristol, BS1 3AG, UK. And we will set up an office in Bilbao, Spain this month; Inigo Barreia is the general manage

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Andy, are you from the UK office? Can you explain why your office in the UK fails to identify even the most obvious mistakes on the StartCom website as outlined in http://www.percya.com/2016/09/startcom-operated-solely-in-china.html ? E.g. Start to sell, make big money! Setup your own website, start t

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Yeah, their entire website is designed and implemented by someone in China. See my analysis here http://www.percya.com/2016/09/startcom-operated-solely-in-china.html On Thursday, August 25, 2016 at 10:11:21 AM UTC-7, rugk wrote: > Hi, > I stumbled across this service by StartCom: > https://star

Re: StartCom's StartPKI

2016-09-03 Thread Ryan Sleevi
Hi Percy, This does not seem to be a useful or productive contribution to the community discussion. Whether or not a given CA uses English as a first language, or has translation issues, should not be part of the calculus of trustworthiness. The actions, however, are far more relevant and impor

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Percy, As I suggested in the other thread, this does not seem a productive or fruitful line of inquiry, nor does it seem relevant to the issue at hand, nor does it seem to be done respectfully. That is, the extent of the country of origin of a CA is not itself a fundamental issue of trust, nor

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Ryan, I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the content was taken down. Richard, the

Re: StartCom's StartPKI

2016-09-03 Thread Percy
On Saturday, September 3, 2016 at 12:46:02 PM UTC-7, Ryan Sleevi wrote: > Hi Percy, > > This does not seem to be a useful or productive contribution to the community > discussion. Whether or not a given CA uses English as a first language, or > has translation issues, should not be part of the c

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Trust me, the disclosure was not buried, and the factual details are being sorted. However, it would be better for the tone and focus of the thread that we make sure to focus on the factual elements, which, as you note, can be publicly obtained easily, than to try to imply there's something wron

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Based on the disclosure WoSign/StartCom is trying to bury, the WoSign CEO is now also in control of StartCom. Hence, the actively misleading information spread by him should be taken into consideration when talking about StartCom as well.

Re: StartCom's StartPKI

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 01:33:38PM -0700, Percy wrote: > Based on the disclosure WoSign/StartCom is trying to bury, WoSign CEO is now > also in control of StartCom. Hence, the actively misleading information > spread by him should be taken into consideration when talking about StartCom > as well

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 https://www.censys.io/certificates/d99309f071141454f805c13551a827

Re: Sanctions short of distrust

2016-09-03 Thread John Nagle
Date: Sat, 3 Sep 2016 01:45:48 +0200 From: Patrick Figel Subject: Re: Sanctions short of distrust On 03/09/16 01:15, Matt Palmer wrote: On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote: On 09/02/2016 01:04 PM, Patrick Figel wrote: On 02/09/16 21:14, John Nagle wrote: 2. For certs u

RE: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
Sorry, I am busy with the incident report, which is up to 20 pages. It will be released soon, today. Two reports: one for incidents 0-2, another one for incident X, including the one you pointed out. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Sun

Re: StartCom's StartPKI

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 10:54:26PM +0200, Kurt Roeckx wrote: > I see no problem with StartCom or WoSign being owned by the same > person. I didn't, either, until they started throwing around legal threats to bury the fact that there was common ownership, and trying to use threats against the origi

Re: Incidents involving the CA WoSign

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 02:18:44PM -0700, Peter Bowen wrote: > Can you also please check the following two certificates? It looks > like they were missed when logging all the 2015 certs. > > https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 > http

Re: StartCom's StartPKI

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:26:51PM -0700, Percy wrote: > 1.WoSign actively mislead users in marketing emails. As much as the inaccuracies and misleading statements in WoSign's marketing materials rub me the wrong way, too, if we were to start pulling the roots of CAs for lying in their marketing,

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi wrote: > On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >> Thanks for your very detailed instruction. >> Yes, we have improved. The two cases happened in 2015 and the mis-issued >> certificate period is only 5 months, in which we fixed 3 big bugs durin

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
This is another case that we will include in our report. We issued two test certs using the SM2 algorithm that used the same serial number as the RSA cert (same subject), to test if we can set up a gateway that installs these two types of cert and can handshake automatically using a different cert based on

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
It is posted; Peter just did not find it, so I told him the log ID. We are also checking the system again to double-check if we missed some. Please be patient for our full 20-page report, thanks. Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat, Sep 03, 2016 at 02:18:44

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of DigiNotar. Definitely the best web soap in the last few weeks... Peter.