Re: Taiwan GRCA Root Renewal Request

2016-12-05 Thread Wen-Cheng Wang
Hi Gervase, On Monday, December 5, 2016 at 9:00:53 PM UTC+8, Gervase Markham wrote: > On 04/12/16 08:17, Wen-Cheng Wang wrote: > > You are wight, there are several subordinate CAs under our Government > > Root CA. Our Government Root CA and all its subordinate have WebTrust > > for CA audits.

Re: Taiwan GRCA Root Renewal Request

2016-12-05 Thread Jakob Bohm
On 04/12/2016 06:00, capuchin...@gmail.com wrote: Jakob Bohm於 2016年12月4日星期日 UTC+8上午1時23分16秒寫道: You have made a fundamental technical mistake. I do not understand that why do you said that we made a fundamental technical mistake? As I had participated in drafting RFC 5280, I am sure that our

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Richard Wang
Sorry, we don't have deadline. And no plan to close it in PKI side, we keep the right to active it at any time, and we can issue this free SSL certificate for subscribers at any time if customers need it. Best Regards, Richard > On 6 Dec 2016, at 07:49, Percy wrote: >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
When I was trying to inform Apple to put a time constrain on the intermediate CA, you implied such constrain not necessary because no new certs will be issued. Clearly, you know already that the users can still get certs from reseller and potentially abuse it due to all the control failures

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Richard Wang
We checked our system, this order is from one of the reseller. We have many resellers that used the API, we noticed all resellers to close the free SSL, but they need some time to update the system. The most important thing is this certificate is issued by proper way that this subscriber

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Han Yuwei
在 2016年12月5日星期一 UTC+8下午9:06:13,lslqtz写道: > Certificate: > -BEGIN CERTIFICATE- > MIIFwTCCBKmgAwIBAgIQH6W3+xfuFD8074LcZJFjLjANBgkqhkiG9w0BAQsFADBP > MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJDAiBgNV > BAMMG0NBIOayg+mAmuWFjei0uVNTTOivgeS5piBHMjAeFw0xNjEyMDUwNTU4NDJa >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
WoSign is actively deceiving this community again. In Nov. 13th, in the thread Apple's response to the WoSign incidents, I stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate should be time constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
lslqtz, How did you obtain this certificate from WoSign? Through the public website or some other means? ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
On the WoSign website https://buy.wosign.com/free/?lan=en , it clearly states that "Sorry, due to some security consideration, WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016." ___ dev-security-policy mailing

Re: Can we require id-kp-serverAuth now?

2016-12-05 Thread Brian Smith
Gervase Markham wrote: > On 04/12/16 19:11, Brian Smith wrote: > > If certificates without an EKU have dNSName or iPAddress subjectAltName > > entries, then they should be considered in scope. Otherwise they don't > need > > to be considered in scope as long as Firefox doesn't

Re: Can we require id-kp-serverAuth now?

2016-12-05 Thread Gervase Markham
On 04/12/16 19:11, Brian Smith wrote: > If certificates without an EKU have dNSName or iPAddress subjectAltName > entries, then they should be considered in scope. Otherwise they don't need > to be considered in scope as long as Firefox doesn't use the Subject CN as > a dNSName. You've already

In September 29, 2016,WoSign stop issuing free certificate,but I still successfully get it.

2016-12-05 Thread lslqtz
Certificate: -BEGIN CERTIFICATE- MIIFwTCCBKmgAwIBAgIQH6W3+xfuFD8074LcZJFjLjANBgkqhkiG9w0BAQsFADBP MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJDAiBgNV BAMMG0NBIOayg+mAmuWFjei0uVNTTOivgeS5piBHMjAeFw0xNjEyMDUwNTU4NDJa

Re: Taiwan GRCA Root Renewal Request

2016-12-05 Thread Gervase Markham
On 04/12/16 08:17, Wen-Cheng Wang wrote: > You are wight, there are several subordinate CAs under our Government > Root CA. Our Government Root CA and all its subordinate have WebTrust > for CA audits. However, among those subordinate CAs, only GCA will > issue SSL certificates. Therefore, only