Re: WoSign and StartCom

2016-10-07 Thread Nick Lamb
On Friday, 7 October 2016 21:11:01 UTC+1, Han Yuwei wrote: > About the auditor Ernst & Young (Hong Kong), I don't understand how did it(?) > involved this. Can someone explain that? Management of a public CA are obliged to state periodically that they understand and obey various rules for

Re: WoSign and StartCom

2016-10-07 Thread Han Yuwei
On Monday, 26 September 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also > contains some conclusions we

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
On 07/10/2016 19:25, Andrew Ayer wrote: On Fri, 7 Oct 2016 12:12:58 +0100 Gervase Markham wrote: * WoSign and StartCom are to be legally separated, with the corporate structure changed such that Qihoo 360 owns them both individually, rather than WoSign owning StartCom. *

Re: WoSign: updated report and discussion

2016-10-07 Thread Han Yuwei
On Friday, 7 October 2016 at 7:13:42 PM UTC+8, Gervase Markham wrote: > As noted by Richard Wang, WoSign have just published an updated Incident > Report: > https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf > > I think we are now in a position to discuss whether the plan proposed here: >

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-07 Thread Jakob Bohm
On 07/10/2016 19:14, Kathleen Wilson wrote: On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote: On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote: I seem to recall we had some discussion a while back about what criteria should be applied to email CAs. Where did we end up

Re: Include Symantec-brand Class 1 and Class 2 Root Certs

2016-10-07 Thread Kathleen Wilson
On Thursday, October 6, 2016 at 4:27:10 PM UTC-7, Peter Bowen wrote: > On Thu, Oct 6, 2016 at 3:57 PM, Richard Barnes wrote: > > I seem to recall we had some discussion a while back about what criteria > > should be applied to email CAs. Where did we end up on that? > > I don't believe anything

Re: WoSign: updated report and discussion

2016-10-07 Thread Ryan Sleevi
On Friday, October 7, 2016 at 9:10:29 AM UTC-7, Gervase Markham wrote: > I should start by reiterating what you already know, but might be a > useful reminder for others - no agreement has been made between Mozilla > and Qihoo/StartCom/WoSign. We gave them advice on what we thought the > community

Re: WoSign: updated report and discussion

2016-10-07 Thread Gervase Markham
Hi Ryan, I should start by reiterating what you already know, but might be a useful reminder for others - no agreement has been made between Mozilla and Qihoo/StartCom/WoSign. We gave them advice on what we thought the community might like to see, but they are responsible for their plan, and the

Re: WoSign: updated report and discussion

2016-10-07 Thread Ryan Sleevi
On Friday, October 7, 2016 at 4:13:42 AM UTC-7, Gervase Markham wrote: > As noted by Richard Wang, WoSign have just published an updated Incident > Report: > https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf > > I think we are now in a position to discuss whether the plan

Re: SHA-1 exception First Data

2016-10-07 Thread Gervase Markham
On 06/10/16 06:46, Peter Bowen wrote: > I think we can all look back with 20/20 hindsight and say that device > vendors should not use the same roots as browsers and that maybe CAs > should have created "SHA-1 forever" roots for devices that never plan > to update, but that is great hindsight. We

Re: WoSign: updated report and discussion

2016-10-07 Thread Patrick Figel
On 07/10/16 13:23, Jakob Bohm wrote: > On 07/10/2016 13:12, Gervase Markham wrote: >> ... * WoSign agrees it should have been more forthcoming about its >> purchase of StartCom, and announced it earlier. >> >> * WoSign and StartCom are to be legally separated, with the >> corporate structure

Re: WoSign: updated report and discussion

2016-10-07 Thread Gervase Markham
On 07/10/16 12:23, Jakob Bohm wrote: > As an outsider, here is one question: If StartCom has not yet decided > on a technical separation plan, could one acceptable option for such a > plan be to reactivate the old (pre-acquisition) infrastructure and > software and take it from there? > > An

Re: WoSign: updated report and discussion

2016-10-07 Thread Jakob Bohm
On 07/10/2016 13:12, Gervase Markham wrote: ... * WoSign agrees it should have been more forthcoming about its purchase of StartCom, and announced it earlier. * WoSign and StartCom are to be legally separated, with the corporate structure changed such that Qihoo 360 owns them both individually,

Re: WoSign: updated report and discussion

2016-10-07 Thread Gervase Markham
On 07/10/16 12:12, Gervase Markham wrote: > Mozilla is minded to agree that it is reasonable to at least consider > the two companies separately, although that does not preclude the > possibility that we might decide to take the same action for both of > them. Accordingly, Mozilla continues to

WoSign: updated report and discussion

2016-10-07 Thread Gervase Markham
As noted by Richard Wang, WoSign have just published an updated Incident Report: https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf I think we are now in a position to discuss whether the plan proposed here:

RE: WoSign and StartCom: next steps

2016-10-07 Thread Richard Wang
Hi Gerv, This is the updated incident report: https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf . Thanks. Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of

Re: SHA-1 exception First Data

2016-10-07 Thread Gervase Markham
On 06/10/16 15:22, Jakob Bohm wrote: > Good, now communicate it. Companies should be talking to their CAs, who will offer this service if they have it. Gerv ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: WoSign and StartCom: next steps

2016-10-07 Thread Gervase Markham
On 06/10/16 20:38, Ryan Sleevi wrote: > Do you have any further updates regarding this plan? This seems to > have stalled any further discussions about next steps. I am a little surprised it hasn't appeared by now. We did not agree a specific deadline, but my impression was that it would appear

Re: Incidents involving the CA WoSign

2016-10-07 Thread Gervase Markham
On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.com/revocation/crlsets.htm). That

Re: Incidents involving the CA WoSign

2016-10-07 Thread Kurt Roeckx
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote: > Kurt Roeckx writes: > > >This is why browsers have something like OneCRL, so that they actually do > >know about it and why Rob added that information to the bug tracker ( >