Re: Incidents involving the CA WoSign

2016-09-10 Thread Richard Wang
Hi all, We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. Thanks for your patience. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >> This discuss

Re: Incidents involving the CA WoSign

2016-09-14 Thread Peter Bowen
On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote: > We will publish a more comprehensive report in the next several days that > will attempt to cover most / all issues. > Thanks for your patience. Richard, Thank you in advance for working on a comprehensive report. I appreciate it takes sig

RE: Incidents involving the CA WoSign

2016-09-14 Thread Richard Wang
10:44 AM To: Richard Wang Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham Subject: Re: Incidents involving the CA WoSign On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote: > We will publish a more comprehensive report in the next several days that > will attempt to

RE: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
, September 7, 2016 7:00 PM To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, On 07/09/16 11:06, Richard Wang wrote: > This discuss has been lasting two weeks, I think it is time to end it, > it doesn’t worth to

Re: Incidents involving the CA WoSign

2016-09-16 Thread Han Yuwei
t; Richard Wang > CEO > WoSign CA Limited > > > -Original Message- > From: Gervase Markham > Sent: Wednesday, September 7, 2016 7:00 PM > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > >

Re: Incidents involving the CA WoSign

2016-09-16 Thread Vincent Lynch
On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. > > > Best Regards, > > Richard Wang

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Please read the report carefully that it is NOT the validation system is hijacked. Regards, Richard > On Sep 16, 2016, at 21:31, Han Yuwei wrote: > > On Friday, 16 September 2016 at 6:07:56 PM UTC+8, Richard Wang wrote: >> Hi Gerv, >> >> This is the final report: >> https://www.wosign.com/report/WoSign_Incident_

Re: Incidents involving the CA WoSign

2016-09-16 Thread Richard Wang
Thank you very much for helping us. For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard > On Sep 16, 2016, at 22:32, Vincent Lynch wrote: > >> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote: >> Hi Gerv, >> >> This is the fin

Re: Incidents involving the CA WoSign

2016-09-16 Thread Gervase Markham
Hi Richard, On 16/09/16 11:05, Richard Wang wrote: > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. Thank you for this. I will be looking at it in detail on Monday; of cou

Re: Incidents involving the CA WoSign

2016-09-18 Thread Florian Weimer
* Richard Wang: >> Thus, do you believe it was faithful and accurate for Management to >> warrant that the CA was operated in compliance with the BRs, given >> that Management was aware of incidents of non-compliance? > > This is my fault that I think it is not serious enough to state in > the ass

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Richard Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/report

Re: Incidents involving the CA WoSign

2016-09-19 Thread Peter Bowen
ut the report, thanks. > > > Best Regards, > > Richard Wang > CEO > WoSign CA Limited > > > -Original Message- > From: Gervase Markham > Sent: Wednesday, September 7, 2016 7:00 PM > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org > Subj

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
my job. Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Monday, September 19, 2016 10:31 PM To: Richard Wang Cc: Gervase Markham ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm s

RE: Incidents involving the CA WoSign

2016-09-19 Thread Erwann Abalea
Bonsoir Richard, This info should probably be added to the thread "WoSign's ownership of StartCom", and then Peter's complementary questions are legitimate ones, being in line with Mozilla's concerns. ___ dev-security-policy mailing list dev-security-p

Re: Incidents involving the CA WoSign

2016-09-19 Thread Nick Lamb
On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > and all related parent companies that up to nine generations! I think this is > NOT the best practice in the modern law-respect society. It seems th

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
] On Behalf Of Nick Lamb Sent: Tuesday, September 20, 2016 9:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordina

Re: Incidents involving the CA WoSign

2016-09-19 Thread Peter Bowen
; From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Nick Lamb > Sent: Tuesday, September 20, 2016 9:06 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > On Tuesday, 20

RE: Incidents involving the CA WoSign

2016-09-19 Thread Richard Wang
ht to do any comment. Sorry. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Tuesday, September 20, 2016 10:18 AM To: Richard Wang Cc: Nick Lamb ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Ri

Re: Incidents involving the CA WoSign

2016-09-19 Thread Percy
hard Wang > > Cc: Nick Lamb >; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > Richard, > > As someone pointed out on Twitter this morning, it seems that the PSC > notific

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
..@gmail.com ] > Sent: Tuesday, September 20, 2016 10:18 AM > To: Richard Wang > > Cc: Nick Lamb >; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > Richard, > > As someone pointed out o

Re: Incidents involving the CA WoSign

2016-09-20 Thread Gervase Markham
Hi Richard, On 20/09/16 01:24, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate > companies and all related parent companies that up to nine > generations! I think this is NOT the best practice in the modern > law-respect society. Particularly if each compa

Re: Incidents involving the CA WoSign

2016-09-20 Thread Gervase Markham
Hello Xiaosheng, Welcome to our discussion forum :-) It may help you to know that participants in this forum come from a wide range of backgrounds and companies, and the only ones who represent Mozilla are the ones listed here: http://wiki.mozilla.org/CA:Policy_Participants as doing so. On 20/09/

Re: Incidents involving the CA WoSign

2016-09-20 Thread Ryan Sleevi
On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote: > Your behavior let me think of a Chinese word "株连九族", means "to implicate the > nine generations of a family", this is an extreme penalty in feudal times in > China that if a man committed a crime, the whole clan that up to n

Re: Incidents involving the CA WoSign

2016-09-20 Thread Gervase Markham
Hi Richard, On 16/09/16 11:05, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me if you have any questions about the report, thanks. Thank you for this report. I have a few follow-up questio

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this company after the investment, the major

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
> > > Richard > > > > -Original Message- > > From: Peter Bowen [mailto:pzbo...@gmail.com ] > > Sent: Tuesday, September 20, 2016 10:18 AM > > To: Richard Wang > > > Cc: Nick Lamb >; &

Re: Incidents involving the CA WoSign

2016-09-20 Thread Kurt Roeckx
On 2016-09-20 17:31, 谭晓生 wrote: Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not have any people sent to this compan

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
: Incidents involving the CA WoSign On 2016-09-20 17:31, 谭晓生 wrote: > Dear Gerv and all, > > Qihoo 360 is a company valued at USD$9.99B as it finished the privatization > on July 15th 2016, we have invested in more than 200 companies across the > world, Wosign is just a very small one and

Re: Incidents involving the CA WoSign

2016-09-20 Thread Erwann Abalea
hanks, > Xiaosheng Tan > Sent from 360 Q5 Mobile Phone > > From: Kurt Roeckx > Sent: 20 September 2016 23:45 > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving the CA WoSign > > On 2016-09-20 17:31, 谭晓生 wrote: >

Re: Incidents involving the CA WoSign

2016-09-20 Thread Peter Bowen
On Tue, Sep 20, 2016 at 8:41 AM, 谭晓生 wrote: > 2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo > 360 VIE subsidiary, or a combination of those own or control a > majority of shares in WoSign? > [Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign

Re: Incidents involving the CA WoSign

2016-09-20 Thread 谭晓生
Dear Peter, In terms of investments, the answer is that we do not have on going negotiations on investments/acquisitions with any CAs. In terms of partnership, as a security company, we are open to work with CAs, we can share some threat intelligence with CAs, for example, the stolen/abused digi

RE: Incidents involving the CA WoSign

2016-09-20 Thread Richard Wang
f 谭晓生 Sent: Tuesday, September 20, 2016 11:31 PM To: Gervase Markham ; Percy ; mozilla-dev-security-pol...@lists.mozilla.org Cc: Nick Lamb ; Peter Bowen Subject: Re: Incidents involving the CA WoSign Dear Gerv and all, Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: > Qihoo 360 is a company valued at USD$9.99B as it finished the > privatization on July 15th 2016, we have invested in more than 200 > companies across the world, Wosign is just a very small one and we > even do not have any people sent to this company a

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 11:16, Gervase Markham wrote: Hi Xiaosheng, On 20/09/16 16:31, 谭晓生 wrote: Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th 2016, we have invested in more than 200 companies across the world, Wosign is just a very small one and we even do not

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <mailto:rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 12:11, Richard Wang wrote: Please check the first 313 certificate serial is “56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is “D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number rule is 32 bytes. This is a little misleading. The hex enco

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 21/09/16 11:10, Kurt Roeckx wrote: > I didn't read it like that, and that the assets they have in WoSign > should be more than 10% of the total assets. So that WoSign would be > more than 10% of the USD$9.99B. Oops. You are right. My apologies! I thought the benchmark was the size of the subsi

Re: Incidents involving the CA WoSign

2016-09-21 Thread watsonbladd
On Tuesday, September 20, 2016 at 8:32:12 AM UTC-7, 谭晓生 wrote: > Dear Gerv and all, > > Qihoo 360 is a company valued at USD$9.99B as it finished the privatization > on July 15th 2016, we have invested in more than 200 companies across the > world, Wosign is just a very small one and we even do

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
> -Original Message----- > > From: Peter Bowen [mailto:pzbo...@gmail.com ] > > Sent: Tuesday, September 20, 2016 10:18 AM > > To: Richard Wang > > > Cc: Nick Lamb >; > > mozilla-dev-security-pol...@lists.mozilla.org > >

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang mailto:rich...@wosign.com>> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason > for us to help them get the SHA-1 certificate if we are intentional, > and some certificate is even never used or even not retrieved from

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason for > us to help them get the SHA-1 certificate if we are intentiona

Re: Incidents involving the CA WoSign

2016-09-21 Thread Gervase Markham
On 24/08/16 14:08, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. I have recently updated https://wiki.mozilla.org/CA:WoSign_Issues to draw some conclusions for

Re: Incidents involving the CA WoSign

2016-09-21 Thread Kurt Roeckx
On 2016-09-21 16:26, Richard Wang wrote: R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is from

Re: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
Not this case. Gerv ask why the order is placed at Aug. 12th 2015, why it is issued at Dec. 20th 2015, since he finished the domain validation at Dec 20th. Best Regards, Richard On Sep 21, 2016, at 22:54, Kurt Roeckx mailto:k...@roeckx.be>> wrote: On 2016-09-21 16:26, Richard Wang wrote: R:

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
; Regards, > > Richard > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-security-pol...@lists.

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
rkham ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm having a really hard time reconciling what you describe with what is found in the CT logs and what I observed today when doing as you suggested and getting a cert from https://buy.wosig

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
ity-policy > [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o > rg] On Behalf Of Gervase Markham > Sent: Wednesday, September 21, 2016 9:19 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Incidents involving

Re: Incidents involving the CA WoSign

2016-09-21 Thread Peter Bowen
On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote: >> Are you saying out of over 40,000 orders over the last year, only six >> "stopped to move forward" for a period of a week or more and these happen to >> all have been ordered on Sunday, December 20, 2015 (China time)? > > You mean we issued

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote: >> Are you saying out of over 40,000 orders over the last year, only six >> "stopped to move forward" for a period of a week or more and t

RE: Incidents involving the CA WoSign

2016-09-21 Thread Richard Wang
1:50 PM To: Peter Bowen Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham Subject: RE: Incidents involving the CA WoSign For security, the notBefore time is not the exact time of signing, random from 20 minutes to 40 minutes ahead. For 6 long delta time, we said it is a CT

RE: Incidents involving the CA WoSign

2016-09-22 Thread Richard Wang
Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf Please let me if you

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
ns about the report, thanks. > > > Best Regards, > > Richard Wang > CEO > WoSign CA Limited > > > -Original Message- > From: Gervase Markham > Sent: Wednesday, September 7, 2016 7:00 PM > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
t; > From: dev-security-policy [mailto:dev-security-policy-bounces+richard > > > =wosign@lists.mozilla.org > ] On Behalf Of > > Richard Wang > > Sent: Friday, September 16, 2016 6:05 PM > > To: Gervase Markham > > > Cc: mozilla-dev-security-

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 07:55, Richard Wang wrote: > This is the final statement about the incident: > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English) Thank you. Gerv

Re: Incidents involving the CA WoSign

2016-09-23 Thread Han Yuwei
t; > > I think this is the supplement of the two released reports. > > > > > > Please let me if you have any questions about this statement, thanks. > > > > > > > > > Best Regards, > > > > > > Richard Wang > > > CEO

Re: Incidents involving the CA WoSign

2016-09-23 Thread Han Yuwei
or Chinese users.) > > > > > > > > I think this is the supplement of the two released reports. > > > > > > > > Please let me if you have any questions about this statement, thanks. > > > > > > > > > > > > Best Rega

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.gov.cn/Column/Column_32.htm > > If anybody want a English version of laws & regulations, Percy and I may help. No-one is denying that SM2 may be a Chinese government standard. What we are saying is the fact that it's a standard does not comp

RE: Incidents involving the CA WoSign

2016-09-23 Thread Richard Wang
-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Gervase Markham Sent: Friday, September 23, 2016 6:55 PM To: Han Yuwei ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 23/09/16 11:49, Han Yuwei wrote: >> http://www.oscca.go

Re: Incidents involving the CA WoSign

2016-09-23 Thread Kurt Roeckx
On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to subscribers.

Re: Incidents involving the CA WoSign

2016-09-23 Thread Jakob Bohm
On 23/09/2016 14:12, Kurt Roeckx wrote: On 2016-09-23 13:38, Richard Wang wrote: Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to

Re: Incidents involving the CA WoSign

2016-09-23 Thread Gervase Markham
On 23/09/16 12:38, Richard Wang wrote: > Please check this news (Feb 25th 2015) in OSCCA website: > http://www.oscca.gov.cn/News/201312/News_1254.htm that all China > licensed CA finished the PKI/CA system upgrade that all licensed CA > MUST be able to issue SM2 certificate to subscribers. I have

Re: Incidents involving the CA WoSign

2016-10-04 Thread Rob Stradling
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that we'd issued to WoSign: https://crt.sh/?id=3223853 https://crt.sh/?id=12716343 https://crt.sh/?id=12716433 See also: https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2 On 06/09/16 11:11, Rob Stradling wrote: > Hi Pe

Re: Incidents involving the CA WoSign

2016-10-04 Thread Percy
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: > https://bugzill

Re: Incidents involving the CA WoSign

2016-10-04 Thread Kurt Roeckx
On Tue, Oct 04, 2016 at 01:14:45PM -0700, Percy wrote: > On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > > that we'd issued to WoSign: > > Does this mean all end entity certs chained to them are bl

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >we'd issued to WoSign: This allows us to examine the modern Internet variant of an old philosophical question, "If a certificate is revoked in the web PKI and no one checks the CRL, does it make

Re: Incidents involving the CA WoSign

2016-10-05 Thread Rob Stradling
On 05/10/16 14:09, Peter Gutmann wrote: > Rob Stradling writes: > >> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that >> we'd issued to WoSign: > > This allows us to examine the modern Internet variant of an old philosophical > question, "If a certificate is revoked

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Gutmann
Rob Stradling writes: >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >either. What I was really asking, in a tongue-in-cheek way, was whether there was any indication of how successfully the information could be propagated to browsers. Peter.

Re: Incidents involving the CA WoSign

2016-10-05 Thread okaphone . elektronika
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information could be propagated to > browsers. Good question. Regardless of the answer, in

Re: Incidents involving the CA WoSign

2016-10-05 Thread Michael Ströder
Peter Gutmann wrote: > Rob Stradling writes: > >> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds >> either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the information could be propagated to > brows

Re: Incidents involving the CA WoSign

2016-10-05 Thread Kurt Roeckx
On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote: > Rob Stradling writes: > > >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds > >either. > > What I was really asking, in a tongue-in-cheek way, was whether there was any > indication of how successfully the

Re: Incidents involving the CA WoSign

2016-10-05 Thread Man Ho (Certizen)
It is an interesting aspect that the Mozilla community has not discussed thoroughly, or at all. Cross-signing a third party intermediate cert is equivalent to sharing of trust, that any CA should only consider it with extreme care. Is it possibly know how many intermediate cert that is cross-signe

Re: Incidents involving the CA WoSign

2016-10-05 Thread Peter Bowen
On Wed, Oct 5, 2016 at 6:55 PM, Man Ho (Certizen) wrote: > It is an interesting aspect that the Mozilla community has not discussed > thoroughly, or at all. > > Cross-signing a third party intermediate cert is equivalent to sharing > of trust, that any CA should only consider it with extreme care.

Re: Incidents involving the CA WoSign

2016-10-06 Thread Man Ho (Certizen)
On 10/6/2016 10:49 AM, Peter Bowen wrote: > I think the community has discussed cross-signing both in this > discussion and in the broader discussion of the trust graph. > > https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing lists all the > known cross-signs of WoSign. > > https://wiki.mozill

Re: Incidents involving the CA WoSign

2016-10-06 Thread Peter Gutmann
Kurt Roeckx writes: >This is why browsers have something like OneCRL, so that they actually do >know about it and why Rob added that information to the bug tracker ( >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2). That still doesn't necessarily answer the question, Google have their CR

Re: Incidents involving the CA WoSign

2016-10-06 Thread Kurt Roeckx
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote: > Kurt Roeckx writes: > > >This is why browsers have something like OneCRL, so that they actually do > >know about it and why Rob added that information to the bug tracker ( > >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2).

Re: Incidents involving the CA WoSign

2016-10-07 Thread Gervase Markham
On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffective, > https://www.grc.com/revocation/crlsets.htm). That stati

Re: Incidents involving the CA WoSign

2016-10-10 Thread Michael Ströder
Gervase Markham wrote: > On 07/10/16 04:21, Peter Gutmann wrote: >> That still doesn't necessarily answer the question, Google have their CRLSets >> but they're more ineffective than effective in dealing with revocations >> (according to GRC, they're 98% ineffective, >> https://www.grc.com/revocati

Re: Incidents involving the CA WoSign

2016-10-10 Thread Gervase Markham
On 10/10/16 08:15, Michael Ströder wrote: > Which "Chrome users"? All of them as a collective body. Standard revocation doesn't hold up in an active attack scenario. If someone has control of your customers' internet connection sufficient that they can direct a request that was meant to go to you

Re: Incidents involving the CA WoSign

2016-10-11 Thread Peter Kurrasch
: Re: Incidents involving the CA WoSign On 07/10/16 04:21, Peter Gutmann wrote: > That still doesn't necessarily answer the question, Google have their CRLSets > but they're more ineffective than effective in dealing with revocations > (according to GRC, they're 98% ineffe

formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
rom: Gervase Markham [mailto:g...@mozilla.org] Sent: Wednesday, August 24, 2016 9:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org Cc: Richard Wang Subject: Incidents involving the CA WoSign Dear m.d.s.policy, Several incidents have come to our attention involving the CA "WoSign"

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the best web soap in the last few weeks... Peter.

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Eddy Nigg
On 09/04/2016 09:20 AM, Peter Gutmann wrote: Peter Bowen writes: It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar ...says the audience on the backbenches gleefully but no, what are you talking about?? Even

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Gutmann
Eddy Nigg writes: >On 09/04/2016 09:20 AM, Peter Gutmann wrote: >> This is great stuff, it's like watching a rerun of Diginotar > >...says the audience on the backbenches gleefully Well, it doesn't exactly paint the best picture of a competently-run CA, same as Diginotar, and the progressio

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Peter Bowen writes: >In addition to the direct impact, I note that WoSign is the subject of cross- >signatures from a number of other CAs that chain back to roots in the Mozilla >program (or were in the program). This is incredible, it's like a hydra. Do the BRs say anything about this type of

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
On 06/09/16 15:10, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? To inherit trust on legacy platforms that don't have an automatic root update mechanism. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:10, Peter Gutmann wrote: Peter Bowen writes: In addition to the direct impact, I note that WoSign is the subject of cross- signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). This is incredible, it's like a hydra.

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Myers, Kenneth (10421)
y-pol...@lists.mozilla.org" Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <1473170991071.38...@cs.auckland.ac.nz> Content-Type: text/plain; charset="iso-8859-1" Peter Bowen writes: >In addition to the direct impact, I note that W

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Nick Lamb
On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? Maybe this question has some subtlety to it that I'm missing? Acceptance into root trust stores is slow. Glacial in some cases. Mozilla has a published process

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Nick Lamb writes: >On Tuesday, 6 September 2016 15:11:00 UTC+1, Peter Gutmann wrote: >> Why would a public CA even need cross-certification from other CAs? > >Maybe this question has some subtlety to it that I'm missing? OK, I really meant "that many other CAs". To take one example, the cross-

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
Yeah, it's almost impossible to distrust all WoSign authority manually from keychain access. WoSign has 28 root certs or intermediate certs signed by other CAs, listed below. (List from https://github.com/chengr28/RevokeChinaCerts/wiki/ReadMe_Online#about-certificates ) Certification Authority of

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-19 Thread Peter Gutmann
Peter Bowen writes: >As someone pointed out on Twitter this morning, it seems that the PSC >notification for Startcom UK was filed recently: >https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf So if I'm reading that correc

Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Percy
We classified this 33 misissuance certificate into two types: one type is we think this misissuance certificate is obviously not from the domain owner, we revoked this type certificates instantly after we know the misissuance Your statement is contradicted by the fact that the other two mis-

Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
1. All certs are revoked in time, please check our CRL; 2. WoSign logged all SSL cert since July 5th; 3. I know you are Chinese with good English, welcome to join WoSign, we need good talent like you. Regards, Richard > On 31 Aug 2016, at 01:33, Percy wrote: > > We classified this 33 misiss
