Fwd: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

2016-09-23 Thread Richard Wang
This is the recent incident from GlobalSign. Please note the WoSign incident occurred in 2015 for free DV SSL, not OV or EV. Best Regards, Richard Begin forwarded message: From: Doug Beattie > Date: September 21, 2016 at

Re: Comodo issued a certificate for an extension

2016-09-23 Thread sjw
The affected cert has been logged here: https://crt.sh/?id=34242572 Am 24.09.2016 um 02:33 schrieb Richard Wang: > First, I must make declaration that I don't know "Showfom", and I don't know > if he/she is a WoSign customer. > > As I said in my final statement that I wish all Mozilla trusted

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make a declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement, I wish all Mozilla trusted CAs can post their issued certificates to a CT log server for full transparency, I am sure not WoSign mis-issued certificate

RE: Comodo issued a certificate for an extension

2016-09-23 Thread Richard Wang
First, I must make a declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement, I wish all Mozilla trusted CAs can post their issued certificates to a CT log server for full transparency, I am sure not WoSign mis-issued certificate,

Comodo issued a certificate for an extension

2016-09-23 Thread Showfom
First, let me introduce myself, I'm a famous investor of ccTLD domains from China. Recently we got an easy-to-remember domain www.sb, please note the extension is .sb I ordered a Comodo Positive SSL for this domain, the common name which I submitted is www.sb Usually they will give us a certificate

Re: WoSign and StartCom audit reports

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg wrote: > On 09/23/2016 05:53 AM, Peter Bowen wrote: >> >> Review of StartCom audit reports >> for the period 1 January 2015 to 31 December 2015 >> >> Good: >> - Uses AICPA standards >> - Uses current criteria versions >> >> Bad:

Re: WoSign and StartCom audit reports

2016-09-23 Thread Eddy Nigg
On 09/23/2016 05:53 AM, Peter Bowen wrote: Review of StartCom audit reports for the period 1 January 2015 to 31 December 2015 Good: - Uses AICPA standards - Uses current criteria versions Bad: - Only covers two roots, not subordinate CAs (true for all three reports: CA, BR, and EV) - Does not

Re: Time to distrust

2016-09-23 Thread Ryan Sleevi
On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote: >they are nowhere as bad as proponents of > extreme centralization schemes claim. Citation needed. It would seem that you're not familiar with the somewhat well-accepted industry state of the art. It would perhaps be useful if

Re: Sanctions short of distrust

2016-09-23 Thread Ryan Sleevi
On Friday, September 23, 2016 at 9:31:14 AM UTC-7, Jakob Bohm wrote: > 2.2: Mozilla also makes an e-mail client (Thunderbird) which uses the > same CA root list and the same NSS security library to check e-mail > certificates. E-mail trust bits are still part of the Mozilla CA root > database.

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:18, Rob Stradling wrote: On 22/09/16 18:48, Jakob Bohm wrote: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in "unique

Re: Time to distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 17:27, Ryan Sleevi wrote: On Friday, September 23, 2016 at 6:03:01 AM UTC-7, Peter Kurrasch wrote: * Revocation: If a particular cert has been revoked for any reason, I should be able to find that out so that I will know not to use it. Ideally this is handled automatically in

RE: Audit requirements

2016-09-23 Thread Ben Wilson
What about subordinate CAs created after the audit letter is published? If both WebTrust and ETSI audit schemes assume ongoing audit reporting responsibilities, I'd assume that you wouldn't need a new audit letter every time you create a subordinate CA, which might be weekly. The list of

Re: Sanctions short of distrust

2016-09-23 Thread Rob Stradling
On 22/09/16 18:48, Jakob Bohm wrote: > While you are at it: > > 1. How many WoSign/StartCom certificates did you find with domains not > on that IANA list? Hi Jakob. I wasn't looking for this sort of thing, because Gerv was only interested in "unique base domains (PSL+1)". I think there

Re: Audit requirements

2016-09-23 Thread Peter Bowen
On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx wrote: > On 2016-09-23 00:57, Peter Bowen wrote: >> >> Kathleen, Gerv, Richard and m.d.s.p, >> >> In reviewing the WebTrust audit documentation submitted by various CA >> program members and organizations wishing to be members, it seems

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 12:38, Richard Wang wrote: > Please check this news (Feb 25th 2015) in OSCCA website: > http://www.oscca.gov.cn/News/201312/News_1254.htm that all China > licensed CA finished the PKI/CA system upgrade that all licensed CA > MUST be able to issue SM2 certificate to subscribers. I have

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:12, Kurt Roeckx wrote: On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able

Re: Audit requirements

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:29, Kurt Roeckx wrote: On 2016-09-23 00:57, Peter Bowen wrote: Kathleen, Gerv, Richard and m.d.s.p, In reviewing the WebTrust audit documentation submitted by various CA program members and organizations wishing to be members, it seems there is possibly some confusion on what

Re: Sanctions short of distrust

2016-09-23 Thread Jakob Bohm
On 23/09/2016 12:51, Peter Gutmann wrote: Jakob Bohm writes: While you are at it: 1. How many WoSign/StartCom certificates did you find with domains not on that IANA list? 2. How many WoSign/StartCom certificates did you find for other uses than

Re: Incidents involving the CA WoSign

2016-09-23 Thread Kurt Roeckx
On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to subscribers. As I said in last year CABF face to face

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.gov.cn/Column/Column_32.htm > > If anybody want a English version of laws & regulations, Percy and I may help. No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not

Re: Sanctions short of distrust

2016-09-23 Thread Peter Gutmann
Jakob Bohm writes: >While you are at it: > >1. How many WoSign/StartCom certificates did you find with domains not > on that IANA list? > >2. How many WoSign/StartCom certificates did you find for other uses > than https://www.example.tld: > >2.1 Certificates for "odd"

Re: WoSign and StartCom audit reports

2016-09-23 Thread Gervase Markham
On 23/09/16 06:35, Richard Wang wrote: > For StartCom, Eddy can say something about it, StartCom is 1000% independent > for everything at 2015. You've said this or something very similar twice now, both times saying "at 2015". This is probably a language thing, because native English speakers

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 07:55, Richard Wang wrote: > This is the final statement about the incident: > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) Thank you. Gerv

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
WoSign stated in the report that "Due to foreign companies to China's technology blockade, WoSign decided to research and develop all systems by ourselves in 2009, including BUY system (Online certificate store), CMS (Certificate Management System, internal work flow), PKI/CA (Certificate issuing

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
Richard, On behalf of most Chinese Internet users who do not speak English, I'm asking why WoSign is only making the final statement available in Chinese, but not the incident report. WoSign doesn't even have any statement, announcement or press release in Chinese regarding any of the incidents

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
Hi Gerv, This is the final statement about the incident: https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf (中文版) (In Chinese, this is easy for Chinese users.) I think this is the supplement of