Re: StartCom inclusion request: next steps

2017-09-14 Thread Percy via dev-security-policy
"Conclusion: StartCom's attempt to restart the CA was rushed." "It was a very hard task in very few time but the people at 360 tried everything to get it done by that date, end of december 2016, and yes, we reached the date but with many failures" May I ask why StartCom choose to rush everythin

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
On Wednesday, August 30, 2017 at 11:15:04 AM UTC-7, Kathleen Wilson wrote: > Posted: > > https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/ > > I will look into getting this translated and published in China. > > Thanks, > Kathleen Thank you

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
Links to all of WoSign's announcements in case anyone wants to verify. https://www.wosign.com/news/index.htm year 2017 https://www.wosign.com/news/index2016.htm year 2016 ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://li

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
In fact, can you tell us, when was the first time WoSign started to notify users about replacing certs? I've dug through all of WoSign's announcements and the first and in fact the ONLY announcement regarding replacing certs is dated July 10th, 2017 , titled Announcement regarding Google's dec

Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
It's true that the first post has a link to that second post. However, the related sentence is To learn more, please visit "Announcement regarding Google's decision on July 7th", with a hyperlink to the second post. And only the second post mentions anything about replacing certs. I hardly t

Re: Remove old WoSign root certs from NSS

2017-08-29 Thread Percy via dev-security-policy
On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote: > We released replacement notice in Chinese in our website: > https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm > https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm > https://www.w

Re: Remove old WoSign root certs from NSS

2017-08-27 Thread Percy via dev-security-policy
On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote: > On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote: > > I suggest that Mozilla can post an announcement now about the complete > > removal of WoSign/StartCom to alert website developers. I

Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-08 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote: > On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > > 7. At Quihoo: Actually get rid of Richard Wang, not just change his > >title from CEO to COO. > > I didn't map the new hierarchy of the "Spanish" StartCo

Re: Remove old WoSign root certs from NSS

2017-08-04 Thread Percy via dev-security-policy
On Thursday, August 3, 2017 at 3:55:34 PM UTC-7, Kathleen Wilson wrote: > On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote: > > I also think we should remove the old WoSign root certs from NSS. > > > > Reference: > > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign >

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Percy via dev-security-policy
> You will fail #4. Because your system, as designed, cannot and does not > comply with the Baseline Requirements. Is there a design outline in the security audit as well? No one in the community can judge either yours or WoSign's statement as this information is not shared with us. I suggest e

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote: > comply with the Baseline Requirements, nor, as designed, can it. The system > would need to undergo non-trivial effort to comply with the Baseline > Requirements. If the system needs significant changes to meet the BR, then does

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote: > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy > > wrote: > > > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: > >> > >> Please note this email topic is just for releasing th

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Percy via dev-security-policy
So it seems that Richard Wang still has the final executive decisions regarding security in daily operations. Basically WoSign simply changed the title of the position from CEO to COO and bypassed Mozilla's requirement? On Sunday, July 9, 2017 at 7:26:28 PM UTC-7, Richard Wang wrote: > The impo

Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote: > On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 01/05/17 07:52, Percy wrote: > >> It seems that StartCom continues to se

StartCom continues to sell untrusted certificates

2017-04-30 Thread Percy via dev-security-policy
It seems that StartCom continues to sell untrusted certs. Neither their home page https://www.startcomca.com/ nor their announcement page https://www.startcomca.com/index/news mentions that those certs are not trusted.

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote: > Hi Ryan, > > > > For your question “Do you believe that, during the discussions about how to > respond to WoSign's issues, the scope of impact was underestimated?”, the > answer is YES. > > > > After Oct 21 2016, WoSign st

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Percy
n has been sending **unsolicited** marketing emails to websites that use Let's Encrypt cert essentially saying Let's Encrypt might revoke cert at will and ask users to switch to WoSign (Email attached). After I posted on the forum about this, WoSign stated "From the screenshot, we know w

Please restrict/remove WoSign and StartCom CA from Android

2016-12-17 Thread Percy
WoSign and StartCom have been included as root CAs in official Android builds. (https://code.google.com/p/android/issues/detail?id=71363 https://code.google.com/p/android/issues/detail?id=21632) Apple has restricted/removed WoSign and StartCom from iOS 10.2. "Google has determined that two CAs, WoS

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-16 Thread Percy
Well, based on the previous deception of WoSign before, during and after Mozilla's investigation, I'm not remotely surprised to see this. On Friday, December 16, 2016 at 10:18:27 AM UTC-8, tde...@gmail.com wrote: > It seems that wosign has registered the domains letsencrypt.cn and > letsencryp

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-15 Thread Percy
On Wednesday, December 14, 2016 at 8:29:24 PM UTC-8, zbw...@gmail.com wrote: > On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote: > > lslqtz, > > Could you host a subdomain say wosign.loliwiki.org with this cert? So we > > can test the blocking is functioning correctly. > >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-14 Thread Percy
lslqtz, Could you host a subdomain say wosign.loliwiki.org with this cert? So we can test the blocking is functioning correctly.

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-12 Thread Percy
ay, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote: > As I said, we have the right to keep it or close it at any time. > > > Best Regards, > > Richard > > > On 11 Dec 2016, at 12:47, Percy wrote: > > > >> On Saturday, December 10, 2016 at

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-10 Thread Percy
On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote: > Our promise is close the free SSL application in our own website: > buy.wosign.com. > > And now we closed it in our PKI side. > > > Best Regards, > > Richard > > > On 9 Dec 2016, at 04:17, Gervase Markham wrote: > > >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
gt; The most important thing is this certificate is issued by proper way that > this subscriber finished the domain validation, so this is not a > mis-issuance, not "deceiving". > > Best Regards, > > Richard > > > On 6 Dec 2016, at 06:57, Percy wrote: > >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
WoSign is actively deceiving this community again. On Nov. 13th, in the thread Apple's response to the WoSign incidents, I stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate, should be time constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL certi

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
lslqtz, How did you obtain this certificate from WoSign? Through the public website or some other means?

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
On the WoSign website https://buy.wosign.com/free/?lan=en , it clearly states that "Sorry, due to some security consideration, WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016."

Re: Apple's response to the WoSign incidents

2016-11-15 Thread Percy
On Tuesday, November 15, 2016 at 12:37:56 AM UTC-8, Thijs Alkemade wrote: > On 13 Nov 2016, at 10:08, Percy wrote: > > > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > > even though Apple limited "WoSign CA Free SSL

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Percy
On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote: > This request from Guangdong Certificate Authority (GDCA) is to include the > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and > enabled EV treatment. > > GDCA is a nationally recognized CA that op

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
On Saturday, October 1, 2016 at 2:02:25 AM UTC-7, certificate-au...@group.apple.com wrote: > Blocking Trust for WoSign CA Free SSL Certificate G2 > > Certificate Authority WoSign experienced multiple control failures in their > certificate issuance processes for the WoSign CA Free SSL Certificat

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
Regards, > > Richard > > > On 13 Nov 2016, at 17:07, Percy wrote: > > > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate > CA even though Apple limited "WoSign CA Free SSL Certificate G2" > intermediate

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate CA. An example of a site signed by "CA 沃通免费SSL证书 G2" intermediate CA is https://www.chelenet.com/ Those two intermediate certs are treated by WoSi

Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Percy
Yeah, I suspected so but I didn't find it in the security content (https://support.apple.com/en-ca/HT207275). I remember when Gerv discussed the idea of whitelisting intermediate certs, he mentioned that Firefox didn't want to undermine user sovereignty by overriding the user's trust choice. I g

WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Percy
You can see from image1 that all StartCom roots are marked distrust systemwide. No WoSign roots are included on Mac. However when I'm accessing https://www.schrauger.com/ in Chrome, the HTTPS connection is marked as valid (image2) and the certification authority of WoSign is regarded as a vali

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-11-07 Thread Percy
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > The security blog about Distrusting New WoSign and StartCom Certificates has > been published: > > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ > > Chinese translations of

Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Percy
On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote: > According to their CPS (Chinese version 3.2 Jul.2016), > > 1. All CAs can issue SM2 certificates and uses SM3 Hash. > > 2. There is a "signing key" generated by subscriber and "encryption key" > generated by CFCA which transmitt

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
accelerate the early removal process. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>) On Mon, Oct 31, 2016 at 4:18 PM, Ryan Sleevi wrote: > On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > > The security blog ab

Re: WoSign: updated report and discussion

2016-10-31 Thread Percy
According to http://se.360.cn/event/gmzb.html, the browser needs to send a http header Accept-Protocal: SM-SSL. Perhaps someone can do an Internet scan against Chinese sites (especially gov) to observe SM2 certs Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we > naturall

Re: WoSign: updated report and discussion

2016-10-30 Thread Percy
On Sunday, October 30, 2016 at 6:15:48 AM UTC-7, Gervase Markham wrote: > On 29/10/16 22:42, Percy wrote: > > However, on the official website > > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是 > > 中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的SSL证书和代码签名证

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
raphy by default. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>) On Sat, Oct 29, 2016 at 11:36 PM, 谭晓生 wrote: > Is there anybody thought about why it happens in China? Why the local > browser did not block the self-issued certificates? &g

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > > entire company into question. And such trust, in my view, should b

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the entire company into question. And such trust, in my view, should be evaluated when WoSign/StartCom submit their re-inclusion requests in the future. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vinde

Re: WoSign: updated report and discussion

2016-10-29 Thread Percy
Gerv, I believe I found the new updated report still has intentional deception. Issue P: Use of SM2 Algorithm (Nov 2015) WoSign stated that it's only used for testing purposes. However, on the official website (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是中国唯一一家也是全球唯一一家

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual attacker and we cannot do anything about it!? [1]: http://se.360.cn/

Re: StartCom & Qihoo Incidents

2016-10-28 Thread Percy
On Thursday, October 27, 2016 at 5:26:23 PM UTC-7, Erwann Abalea wrote: > On Thursday, October 27, 2016 at 09:55:09 UTC+2, Percy wrote: > > So this is it? Qihoo can continue to get away with this MITM browser? > > I'm afraid that can't be solved by Mozilla. Qihoo

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Percy
"When facing any requirements of laws and regulations or any demands for undergoing legal process of court and other agencies, GDCA must provide confidential information in this CP" Can GDCA specify what other agencies are included? In China, many requests are relayed simply through a phone cal

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Percy
On Thursday, October 27, 2016 at 3:22:03 AM UTC-7, wangs...@gmail.com wrote: > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote: > > I think these are both good points and my recommendation is that Mozilla > > deny GDCA's request for inclusion. > > > > > > We should not have to explain something

Re: StartCom & Qihoo Incidents

2016-10-27 Thread Percy
So this is it? Qihoo can continue to get away with this MITM browser?

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Percy
Kathleen, This coverage is very encouraging! Among the sites you included, huanqiu, which is a newspaper operated by the central government, is notable. So far, no censorship has been observed, contrary to the blanket censorship of the previous CNNIC case.

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
That you have to ask WoSign. The exact wording is "将增加一个产品选项,用户可以选购从新的沃通(WoSign)中级根证书下签发的支持所有浏览器(包括火狐浏览器)的SSL证书,在过渡期八折优惠。此中级根证书将由全球信任的其他CA根证书签发,支持所有浏览器和所有新老终端设备。此项产品升级计划一个月内完成并为广大用户提供证书服务;" My translation: [WoSign] will add a new product selection. Users can choose SSL certs signed by the new

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
StartCom, on the other hand, issued no announcement (https://startssl.com/News) even under multiple explicit inquiries from multiple users (https://forum.startcomca.com/viewforum.php?f=16&sid=549011a08d3a081898f1e1542d3ecc10).

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
WoSign will roll out a globally trusted intermediate cert to sign new certs with the existing WoSign system that had so many control failures. Do Mozilla and this community accept such a work-around for WoSign? If we do, then what's the point of distrusting those WoSign root certs? If not, then

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
WoSign has posted an announcement regarding Mozilla's decision. In the announcement, WoSign stated that WoSign actively cooperated with the investigation and has always fixed all the issues immediately after discovery, and called Mozilla's decision "exceptionally severe". Certs issued by existing

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Percy
Samuel, I absolutely agree with what you're saying. That's why I suggested to Mozilla that it mandate WoSign/StartCom to disclose such information on its websites or otherwise inform their customers. Currently, new customers have no way to know until it's too late, i.e. when Firefox releases Fi

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-20 Thread Percy
Thanks for bringing the discrepancy to our attention. Even the cover pages of the English and Chinese versions of the CPS are dated differently. English Global Digital Cybersecurity Authority CO., LTD. Certification Practice Statement (CPS) Version: V4.3 Effective Date: July 1, 2016 Chinese 数安时代科

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Percy
Kathleen, As most users affected by this decision are Chinese, will you be able to make the blog post available in Chinese on the security blog as well? You can ask the Chinese Firefox community or me to translate. As I stated earlier, there is almost no news of the distrust of WoSign/StartCo

Re: Remediation Plan for WoSign and StartCom

2016-10-17 Thread Percy
> I’m not sure what I could reasonably require (and enforce) of the CA in > regards to communicating with their customers. > I recall that my security blog about CNNIC got censored in China, so I'm not > sure what Mozilla can do about informing the CA's customers of this pending > change/imp

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Percy
On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote: > WoSign has so far announced nothing about those incidents or immediate > distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a > press release dated Oct 8th > (https://www.wosign.com/news/

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Percy
> Others have noted the mismatch here with an October 1 date elsewhere in > the document. I think we should pick a single date in the future, to > allow the CAs concerned to wind down operations without leaving > customers having just obtained certs which will stop working in a few > months. So

Re: WoSign: updated report and discussion

2016-10-12 Thread Percy
(Hmm, my previous comment about two faced WoSign disappeared from Google group probably due to anti-spam. Gerv, can you recover it for me?) I also want to point out that WoSign is currently asking customers to go to StartCom to get DV certs. If we continue to trust StartCom, then WoSign basical

Re: WoSign: updated report and discussion

2016-10-12 Thread Percy
WoSign has so far announced nothing about those incidents or immediate distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a press release dated Oct 8th (https://www.wosign.com/news/netcraft-ssl-oct.htm) titled "WoSign SSL certs reaches almost 50% market share in China". I

Re: WoSign: updated report and discussion

2016-10-12 Thread Percy
On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote: > On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote: > > Would anybody here _seriously_ be shocked to read next month that a black > > hat group is auctioning some StartCom private keys ? On the evidence > > available we h

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
The Chinese Wikipedia has well documented controversies surrounding Qihoo 360. Unfortunately, it's not translated into the English Wikipedia. So please go to https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6 and

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
I'd also like to point out that Qihoo 360 cheated in all anti-virus tests http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-test-labs-call-out-chinese-security-company-as-cheat.html When Qihoo was caught out, Qihoo turned it into a marketing campaign, calling AV-C outdat

Re: WoSign: updated report and discussion

2016-10-09 Thread Percy
Tan said, for StartCom and WoSign's infrastructure, the PKI servers were/are shared, the CRL/OCSP and TSA code were cloned, and StartCom and WoSign shared the software development team. Also, some of the management team is shared, I assume, since Richard Wang approved Tyro's backdated cert from StartC

Re: WoSign: updated report and discussion

2016-10-08 Thread Percy
His writing style is very similar to StartCom's website, which is produced in China. As we're examining the infrastructure of the two companies, could Mozilla ask Qihoo 360 to disclose the current personnel and technical infrastructure shared between WoSign and StartCom? WoSign has denied that t

Re: WoSign and StartCom

2016-10-05 Thread Percy
"anyone issuing certificates for .cn, .hk or .mo domain *MUST* submit those certificate to the CT server set (with similar constraints as you require for WoSign/StartCom) " This means you're rather ill-informed about the Chinese Internet. Most Chinese sites still use .com domains. But this is n

Re: Incidents involving the CA WoSign

2016-10-04 Thread Percy
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: > https://bugzill

Re: WoSign and StartCom

2016-10-02 Thread Percy
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also > contain

Re: Apple's response to the WoSign incidents

2016-10-02 Thread Percy
On Saturday, October 1, 2016 at 9:03:38 PM UTC-7, Kurt Roeckx wrote: > On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote: > > "Apple products will trust individual existing certificates issued from > > this intermediate CA and published to public Certificate Transparency

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Percy
"Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19" It seems that Apple has taken the explicit white-listed approach despite the size drawback mentioned in the other thread. I kn

Re: WoSign and StartCom: next steps

2016-09-29 Thread Percy
On Thursday, September 29, 2016 at 10:12:37 AM UTC-7, Han Yuwei wrote: > On Thursday, September 29, 2016 at 11:41:12 PM UTC+8, Gervase Markham wrote: > > Hi everyone, > > > > Following the publication of the recent investigative report, > > representatives of Qihoo 360 and StartCom have requested a face-to-face > > meeting

Re: WoSign and StartCom

2016-09-28 Thread Percy
On Wednesday, September 28, 2016 at 12:16:51 AM UTC-7, Peter Gutmann wrote: > Percy writes: > >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: > >> Participants may be interested in this blog post from Tyro: > >> https://tyro.com/blog/merchant

Re: WoSign and StartCom

2016-09-27 Thread Percy
WoSign's official website stated that "For Free SSL Certificate, it support 20 domain names for 3 years period" (https://buy.wosign.com/free/freeEmailcert.html). In order to identify possible backdated certs in the future, I suggest that WoSign/StartCom be mandated to upload all unexpired certs

Re: WoSign and StartCom

2016-09-27 Thread Percy
On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: > On 26/09/16 15:20, Gervase Markham wrote: > > However, this forum is the appropriate place for discussing it. Please > > feel free to cut and paste any parts you wish to quote and comment on. > > Participants may be inter

Re: WoSign and StartCom

2016-09-26 Thread Percy
"However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots." Could you elaborate a bit on concrete ways of discovering such backdating? As WoSign itself suggested,

Re: Comodo issued a certificate for an extension

2016-09-24 Thread Percy
Ha! @Showfom perhaps you should try getting a wildcard cert from them and consequently obtain a cert for all *.sb domains.

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
root. If WoSign is claiming Chinese law mandates such testing/deployment, please refer to such laws here and perhaps the community can take the local law into account. If however no such law exists, as far as I know, such commitment to BR violation is not acceptable. On Friday, September 23, 2

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
Richard, On behalf of most Chinese Internet users who do not speak English, I'm asking why WoSign is only making the final statement available in Chinese, but not the incident report. WoSign doesn't even have any statement, announcement or press release in Chinese regarding any of the incidents (ex

Re: Sanctions short of distrust

2016-09-22 Thread Percy
Ha. I was the OP of that email. Richard's reply was " From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. " On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote: > On Wed, Sep 21, 2016 at 6:1

Re: Incidents involving the CA WoSign

2016-09-19 Thread Percy
On Monday, September 19, 2016, Richard Wang wrote: > Thanks for your pointing out one of the very important evidence for the > transaction is NOT completed till yesterday that we released the news after > it is finished at the first phase. We just finished the UK company > investment. > > For Qih

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-09-16 Thread Percy
On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote: > This request from Guangdong Certificate Authority (GDCA) is to include the > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and > enabled EV treatment. > > GDCA is a nationally recognized CA that op

Re: Sanctions short of distrust

2016-09-13 Thread Percy
On Monday, September 12, 2016 at 2:46:40 PM UTC-7, Ryan Sleevi wrote: > On Wednesday, August 31, 2016 at 12:43:50 PM UTC-7, Nick Lamb wrote: > > I have spent some time thinking about this, but I am only one person, and > > one with relatively little in-depth knowledge of the Mozilla project, so I

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Percy
I agree with Jakob. This is similar to case law vs. statutory law. Even though we can get the same understandings from various cases, I believe in this situation it will be clearer to codify such requirements clearly. On Monday, September 12, 2016 at 10:38:48 AM UTC-7, Jakob Bohm wrote: > On

Re: WoSign’s Ownership of StartCom

2016-09-10 Thread Percy
On Friday, September 9, 2016 at 2:49:07 AM UTC-7, Gervase Markham wrote: > Dear m.d.s.policy, > > We have been actively investigating reports that WoSign and StartCom may > have failed to comply with our policy on change of control notification. > Below is a summary representing the best of our kn

Re: [FORGED] Re: WoSign’s Ownership of StartCom

2016-09-10 Thread Percy
I found the following info about Andy Ligg. 1) Interestingly, he used addresses/email/phone in HK, UK and Israel various domains. 2) He registered various StartEncrypt and StartResell domains in April 2016. He is the owner of a list of domains epki.cloud 2016-03-25 GODADDY sccrl.com

Re: [FORGED] Re: WoSign’s Ownership of StartCom

2016-09-10 Thread Percy
On Friday, September 9, 2016 at 10:14:43 PM UTC-7, Peter Gutmann wrote: > Peter Kurrasch writes: > > >I would also ask for confirmation that "Andy Ligg" is in fact a real person > >and not a pseudonym adopted by Richard or someone else. The similarity to > >Eddy's name is...remarkable. > > Andy

Re: Incidents involving the CA WoSign

2016-09-07 Thread Percy
On Wednesday, September 7, 2016 at 3:08:33 AM UTC-7, Richard Wang wrote: > Hi Gerv, Kathleen and Richard, > > This discuss has been lasting two weeks, I think it is time to end it, it > doesn’t worth to waste everybody’s precious time. > I make my confession that our system and management do have

Re: (Optional) list of participants

2016-09-06 Thread Percy
On Tuesday, September 6, 2016 at 10:59:24 AM UTC-7, Gervase Markham wrote: > Hi Percy, > > On 06/09/16 16:46, Percy wrote: > > Percy Alpha; Researcher on Internet security and censorship in China > > http://percya.com ; CA related stuff: Broke the news on China's large &

Re: (Optional) list of participants

2016-09-06 Thread Percy
Percy Alpha; Researcher on Internet security and censorship in China http://percya.com ; CA related stuff: Broke the news on China's large scale MITM of Github in 2013, iCloud, Outlook, Yahoo in 2014; victim of Great Cannon (hijacking HTTP request) DDOS of the website and Github in 2015; c

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
rity UTN – DATACorp SGC <https://www.comodo.com/> 46A762F3C3CF3732DE22A8BA1EBBA3BC048F9B8C WoTrust Client Authority UTN-USERFirst-Client Authentication and Email <https://www.comodo.com/> 38CFE78D9F1F0B0637AFCAAA3D5549D87C0AA1D0 Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex&search=0xF30D100F7FE124AE>)

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Monday, September 5, 2016 at 3:58:34 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > > Several incidents have come to our attention involving the CA "WoSign". > > Mozilla is considering what action it should take in response to these > > incidents. This

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Friday, August 26, 2016 at 12:57:56 PM UTC-7, 233sec Team wrote: > Wosign's Issue mechanism is high risking for large enterprise. > This is one prove: > > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On page 11, you mentioned that "System blocked many illegal request every day, the following screen shot is the reject order log", in which you attached a log with Google, Microsoft, QQ domains. Those domains are rejected because of the top domain whitelist. Does that mean those attempts passed
