On Friday, October 28, 2016 at 8:19:43 AM UTC+8, Percy wrote:
> "When facing any requirements of laws and regulations or any demands for
> undergoing legal
> process of court and other agencies, GDCA must provide confidential
> information in this CP"
>
> Can GDCA specify what other agencies are included? In China,
On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote:
> Please see 6.1.7 which describes these content.
In version 3.2 I see that "证书最长期限(年)" (maximum validity period) about "SSL服务器证书"
(SSL Server Certificates) is 5.
And I don't see any other information about SM2 usage
Please see 6.1.7 which describes these content.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Sat, Oct 29, 2016 at 10:17:59PM -0700, Percy wrote:
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote:
> > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote:
> > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of
> > > the
> > > entire company int
On Sunday, October 30, 2016 at 9:15:48 PM UTC+8, Gervase Markham wrote:
> On 29/10/16 22:42, Percy wrote:
> > However, on the official website
> > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是
> > 中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的SSL证书和代码签名证书的商业CA。" WoSign is
> > the only commercial CA in Ch
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to
> StartCom, it seems appropriate to start a new thread.
>
> It would seem that, in evaluating the relationship with WoSign and Qihoo, we
> naturall
On Sunday, October 30, 2016 at 6:15:48 AM UTC-7, Gervase Markham wrote:
> On 29/10/16 22:42, Percy wrote:
> > However, on the official website
> > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是
> > 中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的SSL证书和代码签名证书的商业CA。" WoSign is
> > the onl
On October 30, 2016 8:39:55 PM GMT+08:00, "谭晓生" wrote:
>Nothing compelled by the gov to trust the self-issued certificates.
>
>It is because some very large website like 12306.cn (the only one online
>entry to buy railway tickets in China) and some government websites,
>they still using self-issue
On Sunday, October 30, 2016 at 10:26:57 PM UTC+8, jonath...@gmail.com wrote:
> 1, It’s not true. CFCA's RSA root that included in Mozilla is not able to
> issue sm2 certificate with sm3 hash. CFCA do have sm2 root that issue sm2
> certificate but that root is not included in Mozilla or any other root store
> such
On Sunday, October 30, 2016 at 8:40:37 PM UTC+8, 谭晓生 wrote:
> Nothing compelled by the gov to trust the self-issued certificates.
>
> It is because some very large website like 12306.cn (the only one online entry
> to buy railway tickets in China) and some government websites, they still
> using self-issued certific
1, It’s not true. CFCA's RSA root that included in Mozilla is not able to
issue sm2 certificate with sm3 hash. CFCA do have sm2 root that issue sm2
certificate but that root is not included in Mozilla or any other root store
such as Apple, Microsoft or Google. And our CPS never indicate tha
On 30/10/16 12:39, 谭晓生 wrote:
> That’s the dilemma we have:
> Block the access to self-issued certificates, user will ignore and force
> trust the certificated, bad behavior training, user might change to
> competitor’s product.
> Do not block the access, there are possibility to do the MITM atta
On 29/10/16 22:42, Percy wrote:
> However, on the official website
> (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是
> 中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的SSL证书和代码签名证书的商业CA。" WoSign is
> the only commercial CA in China -- only commercial CA in the world
> that can Sign SM2 SS
On 29/10/16 22:23, Han Yuwei wrote:
> Is SM2 acceptable in publicly-trusted CAs? I don't think so.
No; the BRs list the permitted algorithms, and SM2 is not one of them.
> Maybe Gerv could explain more about this. And I am wondering what can
> CA do if government requirement conflicts with Mozilla
Nothing compelled by the gov to trust the self-issued certificates.
It is because some very large website like 12306.cn (the only one online entry
to buy railway tickets in China) and some government websites, they still
using self-issued certificates, even we tried to offer free trusted
certif
According to their CPS (Chinese version 3.2 Jul.2016),
1. All CAs can issue SM2 certificates and uses SM3 Hash.
2. There is a "signing key" generated by subscriber and "encryption key"
generated by CFCA which transmitted to subscriber.
3. For SSL certificate, the longest valid duration is 5 yea
On Sunday, October 30, 2016 at 2:37:12 PM UTC+8, 谭晓生 wrote:
> Is there anybody thought about why it happens in China? Why the local browser
> did not block the self-issued certificates?
>
> Thanks,
> Xiaosheng Tan
>
>
>
> On 2016/10/30 at 1:17 PM, “Percy” wrote:
>
> On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, M
On Sunday, October 30, 2016 at 5:30:23 AM UTC+8, Peter Bowen wrote:
> > On Oct 29, 2016, at 2:23 PM, Han Yuwei wrote:
> >
> > On Friday, October 28, 2016 at 9:23:01 PM UTC+8, wangs...@gmail.com wrote:
> >> We are not intended to cover-up anything since we had disclosed every
> >> change to the Chinese version CP/CPS at once after the au
On Friday, October 28, 2016 at 6:43:30 AM UTC+8, Han Yuwei wrote:
> On Thursday, October 27, 2016 at 6:22:03 PM UTC+8, wangs...@gmail.com wrote:
> > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote:
> > > I think these are both good points and my recommendation is that Mozilla
> > > deny GDCA's request for inclusion.
> > >
> > >
> > > We
Percy writes:
>As we observed the large scale MITM against iCloud, Outlook, Google and
>Github carried out on the backbone router with self-signed certs, and that
>the browsers are explicitly loads self-signed certs, I think it's clear that
>browsers in China are compelled by the gov to enable in
As we observed the large scale MITM against iCloud, Outlook, Google and
Github carried out on the backbone router with self-signed certs, and that
the browsers are explicitly loads self-signed certs, I think it's clear
that browsers in China are compelled by the gov to enable insecure
cryptography