Re: SHA256 for OCSP response issuer hashing

2016-12-15 Thread Jakob Bohm
On 16/12/2016 00:36, Roland Shoemaker wrote: Let's Encrypt is currently considering moving away from using SHA1 as the issuer subject/public key hashing function in OCSP responses and using SHA256 instead. Given a little investigation this seems like a safe move to make but we wanted to check

RE: CA Public Key Material

2016-12-15 Thread Richard Wang
You are right, you have done the same test as I did; this doesn't mean you own our intermediate CA root key. For the CSR, yes, our system doesn't validate the CSR self-signature. We think it is better to validate it, so we will update our system to validate it soon. For this test certificate

SHA256 for OCSP response issuer hashing

2016-12-15 Thread Roland Shoemaker
Let's Encrypt is currently considering moving away from using SHA1 as the issuer subject/public key hashing function in OCSP responses and using SHA256 instead. Given a little investigation this seems like a safe move to make but we wanted to check with the community to see if anyone was aware of

Re: Taiwan GRCA Root Renewal Request

2016-12-15 Thread Brian Smith
Kathleen Wilson wrote: > How about the following? That sounds right to me. It is important to fix the DoS issue with the path building when there are many choices for the same subject. SKI/AKI matching only fixes the DoS issue for benign cases, not malicious cases.

Re: Taiwan GRCA Root Renewal Request

2016-12-15 Thread Kathleen Wilson
In regards to updating https://wiki.mozilla.org/CA:How_to_apply#Root_certificates_with_the_same_subject_and_different_keys ? How about the following? ~~ The standards allow for two CA certificates to have the same subject names but different subject public keys. Please try to avoid this,

Re: CA Public Key Material

2016-12-15 Thread Andrew Ayer
On Wed, 14 Dec 2016 18:46:31 -0800 Tavis Ormandy wrote: > Hello, while working on an unrelated problem, I happened to notice > that this leaf certificate for > DNS:test.wgh.cn and DNS: test.ydn.cn has the same RSA public key as > this trusted root

Re: CA Public Key Material

2016-12-15 Thread Rob Stradling
On 15/12/16 02:46, Tavis Ormandy wrote: Hello, while working on an unrelated problem, I happened to notice that this leaf certificate for DNS:test.wgh.cn and DNS: test.ydn.cn has the same RSA public key as this trusted root (and a few

Re: CA Public Key Material

2016-12-15 Thread Tom
On December 15, 2016 10:46:31 AM GMT+08:00, Tavis Ormandy wrote: >test.wgh.cn no longer resolves, but wgh.cn is the personal blog of a >WoSign employee. Uh... It is the blog of WoSign CEO Wang Gaohua (aka Richard Wang). >Is it possible key material was accidentally used in a web

Re: Audit Archiving in CCADB

2016-12-15 Thread Nick Lamb
Thanks once again for this work Kathleen, On Wednesday, 14 December 2016 23:12:51 UTC, Kathleen Wilson wrote: > 1) Salesforce (in cloud) is using the default Java root store, which is > smaller than Mozilla's root store. This accounts for the > "sun.security.validator.ValidatorException: PKIX

Re: On September 29, 2016, WoSign stopped issuing free certificates, but I still successfully got one.

2016-12-15 Thread Percy
On Wednesday, December 14, 2016 at 8:29:24 PM UTC-8, zbw...@gmail.com wrote: > On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote: > > lslqtz, > > Could you host a subdomain, say wosign.loliwiki.org, with this cert? So we > > can test that the blocking is functioning correctly. > > I was pulled into the black