This is the recent incident from GlobalSign.
Please notice that the WoSign incident occurred in 2015 for free DV SSL, not OV or
EV.
Best Regards,
Richard
Begin forwarded message:
From: Doug Beattie
>
Date: September 21, 2016 at
The affected cert has been logged here: https://crt.sh/?id=34242572
Am 24.09.2016 um 02:33 schrieb Richard Wang:
> First, I must make declaration that I don't know "Showfom", and I don't know
> if he/she is a WoSign customer.
>
> As I said in my final statement that I wish all Mozilla trusted
First, I must make declaration that I don't know "Showfom", and I don't know if
he/she is a WoSign customer.
As I said in my final statement that I wish all Mozilla trusted CA can post
their issued certificate to CT log server for full transparency, I am sure not
WoSign mis-issued certificate
First, I must make declaration that I don't know "Showfom", and I don't know if
he/she is a WoSign customer.
As I said in my final statement that I wish all Mozilla trusted CA can post
their issued certificate to CT log server for full trenchancy, I am sure not
WoSign mis-issued certificate,
First, let me introduce myself, I'm a famous investor of ccTLD domains from
China.
Recently we get an easy-remember domain www.sb, please note the extension is .sb
I ordered a Comodo Positive SSL for this domain, the common name which I submit
is www.sb
Usually they will give us a certificate
On Fri, Sep 23, 2016 at 10:46 AM, Eddy Nigg wrote:
> On 09/23/2016 05:53 AM, Peter Bowen wrote:
>>
>> Review of StartCom audit reports
>> for the period 1 January 2015 to 31 December 2015
>>
>> Good:
>> - Uses AICPA standards
>> - Uses current criteria versions
>>
>> Bad:
On 09/23/2016 05:53 AM, Peter Bowen wrote:
Review of StartCom audit reports
for the period 1 January 2015 to 31 December 2015
Good:
- Uses AICPA standards
- Uses current criteria versions
Bad:
- Only covers two roots, not subordinate CAs (true for all three
reports: CA, BR, and EV)
- Does not
On Friday, September 23, 2016 at 9:15:48 AM UTC-7, Jakob Bohm wrote:
>they are nowhere as bad as proponents of
> extreme centralization schemes claim.
Citation needed. It would seem that you're not familiar with the somewhat
well-accepted industry state of the art.
It would perhaps be useful if
On Friday, September 23, 2016 at 9:31:14 AM UTC-7, Jakob Bohm wrote:
> 2.2: Mozilla also makes an e-mail client (Thunderbird) which uses the
> same CA root list and the same NSS security library to check e-mail
> certificates. E-mail trust bits are still part of the Mozilla CA root
> database.
On 23/09/2016 17:18, Rob Stradling wrote:
On 22/09/16 18:48, Jakob Bohm wrote:
While you are at it:
1. How many WoSign/StartCom certificates did you find with domains not
on that IANA list?
Hi Jakob. I wasn't looking for this sort of thing, because Gerv was
only interested in "unique
On 23/09/2016 17:27, Ryan Sleevi wrote:
On Friday, September 23, 2016 at 6:03:01 AM UTC-7, Peter Kurrasch wrote:
* Revocation: If a particular cert has been revoked for any reason, I should
be able to find that out so that I will know not to use it. Ideally this is
handled automatically in
What about subordinate CAs created after the audit letter is published? If
both WebTrust and ETSI audit schemes assume ongoing audit reporting
responsibilities, I'd assume that you wouldn't need a new audit letter
every time you create a subordinate CA, which might be weekly. The list of
On 22/09/16 18:48, Jakob Bohm wrote:
> While you are at it:
>
> 1. How many WoSign/StartCom certificates did you find with domains not
> on that IANA list?
Hi Jakob. I wasn't looking for this sort of thing, because Gerv was
only interested in "unique base domains (PSL+1)".
I think there
On Fri, Sep 23, 2016 at 5:29 AM, Kurt Roeckx wrote:
> On 2016-09-23 00:57, Peter Bowen wrote:
>>
>> Kathleen, Gerv, Richard and m.d.s.p,
>>
>> In reviewing the WebTrust audit documentation submitted by various CA
>> program members and organizations wishing to be members, it seems
On 23/09/16 12:38, Richard Wang wrote:
> Please check this news (Feb 25th 2015) in OSCCA website:
> http://www.oscca.gov.cn/News/201312/News_1254.htm that all China
> licensed CA finished the PKI/CA system upgrade that all licensed CA
> MUST be able to issue SM2 certificate to subscribers.
I have
On 23/09/2016 14:12, Kurt Roeckx wrote:
On 2016-09-23 13:38, Richard Wang wrote:
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China
licensed CA finished the PKI/CA system upgrade that all licensed CA
MUST be able
On 23/09/2016 14:29, Kurt Roeckx wrote:
On 2016-09-23 00:57, Peter Bowen wrote:
Kathleen, Gerv, Richard and m.d.s.p,
In reviewing the WebTrust audit documentation submitted by various CA
program members and organizations wishing to be members, it seems
there is possibly some confusion on what
On 23/09/2016 12:51, Peter Gutmann wrote:
Jakob Bohm writes:
While you are at it:
1. How many WoSign/StartCom certificates did you find with domains not
on that IANA list?
2. How many WoSign/StartCom certificates did you find for other uses
than
On 2016-09-23 13:38, Richard Wang wrote:
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA
finished the PKI/CA system upgrade that all licensed CA MUST be able to issue
SM2 certificate to
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA
finished the PKI/CA system upgrade that all licensed CA MUST be able to issue
SM2 certificate to subscribers.
As I said in last year CABF face to face
On 23/09/16 11:49, Han Yuwei wrote:
>> http://www.oscca.gov.cn/Column/Column_32.htm
>
> If anybody wants an English version of laws & regulations, Percy and I may help.
No-one is denying that SM2 may be a Chinese government standard. What we
are saying is the fact that it's a standard does not
Jakob Bohm writes:
>While you are at it:
>
>1. How many WoSign/StartCom certificates did you find with domains not
> on that IANA list?
>
>2. How many WoSign/StartCom certificates did you find for other uses
> than https://www.example.tld:
>
>2.1 Certificates for "odd"
On 23/09/16 06:35, Richard Wang wrote:
> For StartCom, Eddy can say something about it, StartCom is 1000% independent
> for everything at 2015.
You've said this or something very similar twice now, both times saying
"at 2015". This is probably a language thing, because native English
speakers
On 23/09/16 07:55, Richard Wang wrote:
> This is the final statement about the incident:
> https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English)
Thank you.
Gerv
___
dev-security-policy mailing list
WoSign stated in the report that "Due to foreign companies to China's
technology blockade, WoSign decided to research and develop all systems by
ourselves in 2009, including BUY system (Online certificate store), CMS
(Certificate Management System, internal work flow), PKI/CA (Certificate
issuing
Richard,
On behalf of most Chinese Internet users who do not speak English, I'm
asking why WoSign is only making the final statement available in Chinese,
but not the incident report. WoSign doesn't even have any statement,
announcement or press release in Chinese regarding any of the incidents
Hi Gerv,
This is the final statement about the incident:
https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English)
https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf (中文版) (In
Chinese, this is easy for Chinese users.)
I think this is the supplement of