: Re: Incidents involving the CA WoSign
On 07/10/16 04:21, Peter Gutmann wrote:
> That still doesn't necessarily answer the question, Google have their CRLSets
> but they're more ineffective than effective in dealing with revocations
> (according to GRC, they're 98% ineffe
On 10/10/16 08:15, Michael Ströder wrote:
> Which "Chrome users"?
All of them as a collective body.
Standard revocation doesn't hold up in an active attack scenario. If
someone has control of your customers' internet connection sufficient
that they can direct a request that was meant to go to you
Gervase Markham wrote:
> On 07/10/16 04:21, Peter Gutmann wrote:
>> That still doesn't necessarily answer the question, Google have their CRLSets
>> but they're more ineffective than effective in dealing with revocations
>> (according to GRC, they're 98% ineffective,
>> https://www.grc.com/revocati
On 07/10/16 04:21, Peter Gutmann wrote:
> That still doesn't necessarily answer the question, Google have their CRLSets
> but they're more ineffective than effective in dealing with revocations
> (according to GRC, they're 98% ineffective,
> https://www.grc.com/revocation/crlsets.htm).
That stati
On Fri, Oct 07, 2016 at 03:21:48AM +, Peter Gutmann wrote:
> Kurt Roeckx writes:
>
> >This is why browsers have something like OneCRL, so that they actually do
> >know about it and why Rob added that information to the bug tracker (
> >https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2).
Kurt Roeckx writes:
>This is why browsers have something like OneCRL, so that they actually do
>know about it and why Rob added that information to the bug tracker (
>https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2).
That still doesn't necessarily answer the question, Google have their CR
On 10/6/2016 10:49 AM, Peter Bowen wrote:
> I think the community has discussed cross-signing both in this
> discussion and in the broader discussion of the trust graph.
>
> https://wiki.mozilla.org/CA:WoSign_Issues#Cross_Signing lists all the
> known cross-signs of WoSign.
>
> https://wiki.mozill
On Wed, Oct 5, 2016 at 6:55 PM, Man Ho (Certizen) wrote:
> It is an interesting aspect that the Mozilla community has not discussed
> thoroughly, or at all.
>
> Cross-signing a third party intermediate cert is equivalent to sharing
> of trust, that any CA should only consider it with extreme care.
It is an interesting aspect that the Mozilla community has not discussed
thoroughly, or at all.
Cross-signing a third party intermediate cert is equivalent to sharing
of trust, that any CA should only consider it with extreme care. Is it
possibly know how many intermediate cert that is cross-signe
On Wed, Oct 05, 2016 at 01:30:37PM +, Peter Gutmann wrote:
> Rob Stradling writes:
>
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
> >either.
>
> What I was really asking, in a tongue-in-cheek way, was whether there was any
> indication of how successfully the
Peter Gutmann wrote:
> Rob Stradling writes:
>
>> Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
>> either.
>
> What I was really asking, in a tongue-in-cheek way, was whether there was any
> indication of how successfully the information could be propagated to
> brows
> >Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
> >either.
>
> What I was really asking, in a tongue-in-cheek way, was whether there was any
> indication of how successfully the information could be propagated to
> browsers.
Good question. Regardless of the answer, in
Rob Stradling writes:
>Easy. It doesn't make a sound. Unrevoked certificates don't make sounds
>either.
What I was really asking, in a tongue-in-cheek way, was whether there was any
indication of how successfully the information could be propagated to
browsers.
Peter.
On 05/10/16 14:09, Peter Gutmann wrote:
> Rob Stradling writes:
>
>> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that
>> we'd issued to WoSign:
>
> This allows us to examine the modern Internet variant of an old philosophical
> question, "If a certificate is revoked
Rob Stradling writes:
>Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates that
>we'd issued to WoSign:
This allows us to examine the modern Internet variant of an old philosophical
question, "If a certificate is revoked in the web PKI and no one checks the
CRL, does it make
On Tue, Oct 04, 2016 at 01:14:45PM -0700, Percy wrote:
> On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote:
> > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
> > that we'd issued to WoSign:
>
> Does this mean all end entity certs chained to them are bl
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote:
> Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
> that we'd issued to WoSign:
>
> https://crt.sh/?id=3223853
> https://crt.sh/?id=12716343
> https://crt.sh/?id=12716433
>
> See also:
> https://bugzill
Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates
that we'd issued to WoSign:
https://crt.sh/?id=3223853
https://crt.sh/?id=12716343
https://crt.sh/?id=12716433
See also:
https://bugzilla.mozilla.org/show_bug.cgi?id=906611#c2
On 06/09/16 11:11, Rob Stradling wrote:
> Hi Pe
On 23/09/16 12:38, Richard Wang wrote:
> Please check this news (Feb 25th 2015) in OSCCA website:
> http://www.oscca.gov.cn/News/201312/News_1254.htm that all China
> licensed CA finished the PKI/CA system upgrade that all licensed CA
> MUST be able to issue SM2 certificate to subscribers.
I have
On 23/09/2016 14:12, Kurt Roeckx wrote:
On 2016-09-23 13:38, Richard Wang wrote:
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China
licensed CA finished the PKI/CA system upgrade that all licensed CA
MUST be able to
On 2016-09-23 13:38, Richard Wang wrote:
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA
finished the PKI/CA system upgrade that all licensed CA MUST be able to issue
SM2 certificate to subscribers.
-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Gervase Markham
Sent: Friday, September 23, 2016 6:55 PM
To: Han Yuwei ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On 23/09/16 11:49, Han Yuwei wrote:
>> http://www.oscca.go
On 23/09/16 11:49, Han Yuwei wrote:
>> http://www.oscca.gov.cn/Column/Column_32.htm
>
> If anybody want a English version of laws & regulations, Percy and I may help.
No-one is denying that SM2 may be a Chinese government standard. What we
are saying is the fact that it's a standard does not comp
or Chinese users.)
> > > >
> > > > I think this is the supplement of the two released reports.
> > > >
> > > > Please let me know if you have any questions about this statement, thanks.
> > > >
> > > >
> > > > Best Rega
> > > I think this is the supplement of the two released reports.
> > >
> > > Please let me know if you have any questions about this statement, thanks.
> > >
> > >
> > > Best Regards,
> > >
> > > Richard Wang
> > > CEO
On 23/09/16 07:55, Richard Wang wrote:
> This is the final statement about the incident:
> https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in English)
Thank you.
Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mo
> > From: dev-security-policy [mailto:dev-security-policy-bounces+richard
>
> > =wosign@lists.mozilla.org
> ] On Behalf Of
> > Richard Wang
> > Sent: Friday, September 16, 2016 6:05 PM
> > To: Gervase Markham >
> > Cc: mozilla-dev-security-
ns about the report, thanks.
>
>
> Best Regards,
>
> Richard Wang
> CEO
> WoSign CA Limited
>
>
> -Original Message-
> From: Gervase Markham
> Sent: Wednesday, September 7, 2016 7:00 PM
> To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
Wang
Sent: Friday, September 16, 2016 6:05 PM
To: Gervase Markham
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Hi Gerv,
This is the final report:
https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
Please let me know if you
1:50 PM
To: Peter Bowen
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham
Subject: RE: Incidents involving the CA WoSign
For security, the notBefore time is not the exact time of signing, random from
20 minutes to 40 minutes ahead.
For 6 long delta time, we said it is a CT
-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote:
>> Are you saying out of over 40,000 orders over the last year, only six
>> "stopped to move forward" for a period of a week or more and t
On Wed, Sep 21, 2016 at 9:10 PM, Richard Wang wrote:
>> Are you saying out of over 40,000 orders over the last year, only six
>> "stopped to move forward" for a period of a week or more and these happen to
>> all have been ordered on Sunday, December 20, 2015 (China time)?
>
> You mean we issued
ity-policy
> [mailto:dev-security-policy-bounces+richard=wosign.com@lists.mozilla.o
> rg] On Behalf Of Gervase Markham
> Sent: Wednesday, September 21, 2016 9:19 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving
rkham ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Richard,
I'm having a really hard time reconciling what you describe with what is found
in the CT logs and what I observed today when doing as you suggested and
getting a cert from https://buy.wosig
> Regards,
>
> Richard
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Gervase Markham
> Sent: Wednesday, September 21, 2016 9:19 PM
> To: mozilla-dev-security-pol...@lists.
Not this case.
Gerv ask why the order is placed at Aug. 12th 2015, why it is issued at Dec.
20th 2015, since he finished the domain validation at Dec 20th.
Best Regards,
Richard
On Sep 21, 2016, at 22:54, Kurt Roeckx <k...@roeckx.be>
wrote:
On 2016-09-21 16:26, Richard Wang wrote:
R:
On 2016-09-21 16:26, Richard Wang wrote:
R: You can place order there and don't do the domain validation, 4 months
later, you finished the domain control validation, then issue the certificate.
Please try it by yourself here: https://buy.wosign.com/free/
So the date in the certificate is from
On 24/08/16 14:08, Gervase Markham wrote:
> Several incidents have come to our attention involving the CA "WoSign".
> Mozilla is considering what action it should take in response to these
> incidents.
I have recently updated
https://wiki.mozilla.org/CA:WoSign_Issues
to draw some conclusions for
...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
Thanks for the additional information.
On 21/09/16 11:11, Richard Wang wrote:
> Some SHA-1 certificate is free SSL certificate that no any reason for
> us to help them get the SHA-1 certificate if we are intentiona
Hi Richard,
Thanks for the additional information.
On 21/09/16 11:11, Richard Wang wrote:
> Some SHA-1 certificate is free SSL certificate that no any reason
> for us to help them get the SHA-1 certificate if we are intentional,
> and some certificate is even never used or even not retrieved from
See below inline, thanks.
Best Regards,
Richard
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, September 20, 2016 7:37 PM
To: Richard Wang <rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
On 16/09
> -Original Message-----
> > From: Peter Bowen [mailto:pzbo...@gmail.com ]
> > Sent: Tuesday, September 20, 2016 10:18 AM
> > To: Richard Wang >
> > Cc: Nick Lamb >;
> > mozilla-dev-security-pol...@lists.mozilla.org
> >
On Tuesday, September 20, 2016 at 8:32:12 AM UTC-7, 谭晓生 wrote:
> Dear Gerv and all,
>
> Qihoo 360 is a company valued at USD$9.99B as it finished the privatization
> on July 15th 2016, we have invested in more than 200 companies across the
> world, Wosign is just a very small one and we even do
On 21/09/16 11:10, Kurt Roeckx wrote:
> I didn't read it like that, and that the assets they have in WoSign
> should be more than 10% of the total assets. So that WoSign would be
> more than 10% of the USD$9.99B.
Oops. You are right. My apologies! I thought the benchmark was the size
of the subsi
On 2016-09-21 12:11, Richard Wang wrote:
Please check the first 313 certificate serial is
“56D1570DA645BF6B44C0A7077CC6769” and the second 27 certificate is
“D3BBDC3A0175E38F9D0070CD050986A” that only 31 bytes. But our serial number
rule is 32 bytes.
This is a little misleading. The hex enco
See below inline, thanks.
Best Regards,
Richard
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, September 20, 2016 7:37 PM
To: Richard Wang <mailto:rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
On 16/09/16
On 2016-09-21 11:16, Gervase Markham wrote:
Hi Xiaosheng,
On 20/09/16 16:31, 谭晓生 wrote:
Qihoo 360 is a company valued at USD$9.99B as it finished the
privatization on July 15th 2016, we have invested in more than 200
companies across the world, Wosign is just a very small one and we
even do not
Hi Xiaosheng,
On 20/09/16 16:31, 谭晓生 wrote:
> Qihoo 360 is a company valued at USD$9.99B as it finished the
> privatization on July 15th 2016, we have invested in more than 200
> companies across the world, Wosign is just a very small one and we
> even do not have any people sent to this company a
f 谭晓生
Sent: Tuesday, September 20, 2016 11:31 PM
To: Gervase Markham ; Percy ;
mozilla-dev-security-pol...@lists.mozilla.org
Cc: Nick Lamb ; Peter Bowen
Subject: Re: Incidents involving the CA WoSign
Dear Gerv and all,
Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on
July
Dear Peter,
In terms of investments, the answer is that we do not have on going
negotiations on investments/acquisitions with any CAs.
In terms of partnership, as a security company, we are open to work with CAs,
we can share some threat intelligence with CAs, for example, the stolen/abused
digi
On Tue, Sep 20, 2016 at 8:41 AM, 谭晓生 wrote:
> 2) Does Qihoo 360, a Qihoo 360 subsidiary, a Qihoo 360 VIE, or a Qihoo
> 360 VIE subsidiary, or a combination of those own or control a
> majority of shares in WoSign?
> [Xiaosheng]: Yes, the combination of those own 84% of shares in Wosign
hanks,
> Xiaosheng Tan
> Sent from 360 Q5 Mobile Phone
>
> From: Kurt Roeckx
> Sent: 2016-09-20 23:45
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> On 2016-09-20 17:31, 谭晓生 wrote:
>
: Incidents involving the CA WoSign
On 2016-09-20 17:31, 谭晓生 wrote:
> Dear Gerv and all,
>
> Qihoo 360 is a company valued at USD$9.99B as it finished the privatization
> on July 15th 2016, we have invested in more than 200 companies across the
> world, Wosign is just a very small one and
On 2016-09-20 17:31, 谭晓生 wrote:
Dear Gerv and all,
Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on July 15th
2016, we have invested in more than 200 companies across the world, Wosign is just a very
small one and we even do not have any people sent to this compan
>
> > Richard
> >
> > -Original Message-
> > From: Peter Bowen [mailto:pzbo...@gmail.com ]
> > Sent: Tuesday, September 20, 2016 10:18 AM
> > To: Richard Wang >
> > Cc: Nick Lamb >;
Dear Gerv and all,
Qihoo 360 is a company valued at USD$9.99B as it finished the privatization on
July 15th 2016, we have invested in more than 200 companies across the world,
Wosign is just a very small one and we even do not have any people sent to this
company after the investment, the major
Hi Richard,
On 16/09/16 11:05, Richard Wang wrote:
> Hi Gerv,
>
> This is the final report:
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
>
> Please let me know if you have any questions about the report, thanks.
Thank you for this report. I have a few follow-up questio
On Monday, September 19, 2016 at 5:25:59 PM UTC-7, Richard Wang wrote:
> Your behavior let me think of a Chinese word "株连九族", means "to implicate the
> nine generations of a family", this is an extreme penalty in feudal times in
> China that if a man committed a crime, the whole clan that up to n
Hello Xiaosheng,
Welcome to our discussion forum :-) It may help you to know that
participants in this forum come from a wide range of backgrounds and
companies, and the only ones who represent Mozilla are the ones listed here:
http://wiki.mozilla.org/CA:Policy_Participants
as doing so.
On 20/09/
Hi Richard,
On 20/09/16 01:24, Richard Wang wrote:
> This case is WoSign problem, you found out all related subordinate
> companies and all related parent companies that up to nine
> generations! I think this is NOT the best practice in the modern
> law-respect society.
Particularly if each compa
..@gmail.com ]
> Sent: Tuesday, September 20, 2016 10:18 AM
> To: Richard Wang >
> Cc: Nick Lamb >;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> Richard,
>
> As someone pointed out o
Peter Bowen writes:
>As someone pointed out on Twitter this morning, it seems that the PSC
>notification for Startcom UK was filed recently:
>https://s3-eu-west-1.amazonaws.com/document-api-images-prod/docs/UdxHYAlFj6U9DNs6VBJdnIDv4IQAWd4YKYomMERO_2o/application-pdf
So if I'm reading that correc
hard Wang >
> Cc: Nick Lamb >;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> Richard,
>
> As someone pointed out on Twitter this morning, it seems that the PSC
> notific
ht to do any
comment. Sorry.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Tuesday, September 20, 2016 10:18 AM
To: Richard Wang
Cc: Nick Lamb ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Ri
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Nick Lamb
> Sent: Tuesday, September 20, 2016 9:06 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> On Tuesday, 20
] On
Behalf Of Nick Lamb
Sent: Tuesday, September 20, 2016 9:06 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote:
> This case is WoSign problem, you found out all related subordina
On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote:
> This case is WoSign problem, you found out all related subordinate companies
> and all related parent companies that up to nine generations! I think this is
> NOT the best practice in the modern law-respect society.
It seems th
Bonsoir Richard,
This info should probably be added to the thread "WoSign's ownership of
StartCom", and then Peter's complementary questions are legitimate ones, being
in line with Mozilla's concerns.
my job.
Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Monday, September 19, 2016 10:31 PM
To: Richard Wang
Cc: Gervase Markham ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Richard,
I'm s
ut the report, thanks.
>
>
> Best Regards,
>
> Richard Wang
> CEO
> WoSign CA Limited
>
>
> -Original Message-
> From: Gervase Markham
> Sent: Wednesday, September 7, 2016 7:00 PM
> To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
> Subj
@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Friday, September 16, 2016 6:05 PM
To: Gervase Markham
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Hi Gerv,
This is the final report:
https://www.wosign.com/report
* Richard Wang:
>> Thus, do you believe it was faithful and accurate for Management to
>> warrant that the CA was operated in compliance with the BRs, given
>> that Management was aware of incidents of non-compliance?
>
> This is my fault that I think it is not serious enough to state in
> the ass
Hi Richard,
On 16/09/16 11:05, Richard Wang wrote:
> This is the final report:
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
>
> Please let me know if you have any questions about the report, thanks.
Thank you for this. I will be looking at it in detail on Monday; of
cou
Thank you very much for helping us.
For SM2 algorithm, this is out of this thread, I can discuss with you off list.
Regards,
Richard
> On Sep 16, 2016, at 22:32, Vincent Lynch wrote:
>
>> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote:
>> Hi Gerv,
>>
>> This is the fin
Please read the report carefully that it is NOT the validation system is
hijacked.
Regards,
Richard
> On Sep 16, 2016, at 21:31, Han Yuwei wrote:
>
> On Friday, September 16, 2016 at 6:07:56 PM UTC+8, Richard Wang wrote:
>> Hi Gerv,
>>
>> This is the final report:
>> https://www.wosign.com/report/WoSign_Incident_
On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang wrote:
> Hi Gerv,
>
> This is the final report:
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
>
> Please let me know if you have any questions about the report, thanks.
>
>
> Best Regards,
>
> Richard Wang
> Richard Wang
> CEO
> WoSign CA Limited
>
>
> -Original Message-
> From: Gervase Markham
> Sent: Wednesday, September 7, 2016 7:00 PM
> To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
>
, September 7, 2016 7:00 PM
To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
On 07/09/16 11:06, Richard Wang wrote:
> This discuss has been lasting two weeks, I think it is time to end it,
> it doesn’t worth to
10:44 AM
To: Richard Wang
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Gervase Markham
Subject: Re: Incidents involving the CA WoSign
On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote:
> We will publish a more comprehensive report in the next several days that
> will attempt to
On Sat, Sep 10, 2016 at 6:43 PM, Richard Wang wrote:
> We will publish a more comprehensive report in the next several days that
> will attempt to cover most / all issues.
> Thanks for your patience.
Richard,
Thank you in advance for working on a comprehensive report. I
appreciate it takes sig
Hi all,
We will publish a more comprehensive report in the next several days that will
attempt to cover most / all issues.
Thanks for your patience.
Regards,
Richard
> On 7 Sep 2016, at 18:58, Gervase Markham wrote:
>
> Hi Richard,
>
>> On 07/09/16 11:06, Richard Wang wrote:
>> This discuss
certificate for
> free once it is about to expire at every three years for OV SSL.
> >>
> >> I wish Mozilla could accept my suggestion, and I am sure WoSign will do
> it better after getting this so big lesson.
> >> Thank you.
> >>
> >>
> >> Best
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Richard Wang
> Sent: Sunday, September 4, 2016 5:49 PM
> To: Gervase Markham ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subj
On 07/09/2016 16:01, Thijs Alkemade wrote:
On 07 Sep 2016, at 14:52, Rob Stradling wrote:
On 06/09/16 19:12, Thijs Alkemade wrote:
Hello,
We obtained 2 certificates from the StartEncrypt API which had SHA-1 signatures
and which were backdated to December 20, 2015.
After WoSign announced t
after getting this so big lesson.
>> Thank you.
>>
>>
>> Best Regards,
>>
>> Richard Wang
>> CEO
>> WoSign CA Limited
>>
>>
>> -Original Message-
>> From: dev-security-policy
>> [mailto:dev-security-policy-bou
Behalf Of Richard Wang
> Sent: Sunday, September 4, 2016 5:49 PM
> To: Gervase Markham ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Incidents involving the CA WoSign
>
> Hi all,
>
> We finished the investigation and released the incidents report today:
On Wednesday, September 7, 2016 at 7:00:54 AM UTC-4, Gervase Markham wrote:
> Hi Richard,
>
> On 07/09/16 11:06, Richard Wang wrote:
> > This discuss has been lasting two weeks, I think it is time to end
> > it, it doesn’t worth to waste everybody’s precious time.
>
> Unfortunately, I think we ma
On 08/09/16 11:39, Rob Stradling wrote:
> Consider https://crt.sh/?id=30629293, for example. Are you really
> suggesting that this was issued on 2nd September 2016 but backdated to
> 20th December 2015?
For simplicity, I've removed this section from Issue S. I think the
evidence related there sta
On 07/09/16 17:02, Gervase Markham wrote:
> On 07/09/16 13:52, Rob Stradling wrote:
>> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to
>> see an explanation), but I'm not convinced that it proves everything you
>> think it proves.
>
> Hi Rob,
>
> My digest of Thijs's work
-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Richard Wang
> Sent: Sunday, September 4, 2016 5:49 PM
> To: Gervase Markham ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: RE: Incidents involving the CA WoSign
>
> Hi all,
>
> We finished the investigation and
On Wed, Sep 07, 2016 at 02:08:24PM +0200, Kurt Roeckx wrote:
> On 2016-09-07 13:00, Gervase Markham wrote:
> > Hi Richard,
> >
> > On 07/09/16 11:06, Richard Wang wrote:
> > > This discuss has been lasting two weeks, I think it is time to end
> > > it, it doesn’t worth to waste everybody’s preciou
ednesday, September 7, 2016 12:06 AM
> To: Richard Wang ; Gervase Markham ;
> dev-security-policy@lists.mozilla.org
> Subject: Re: Incidents involving the CA WoSign
>
> Hi,
>
> section 1.4. Impact Analytics in the report contains a list of 72
> certificates, for which the dom
On Tuesday, September 6, 2016 at 10:10:44 PM UTC-4, Richard Wang wrote:
> ... we can't find the info what port is used, our CMS system just record this
> order is validated by website control validation method, not record the used
> port at that time.
>
> Why we can find out other 72 certificate
On 07/09/16 13:52, Rob Stradling wrote:
> Hi Thijs. I agree that this pattern is interesting (and it'd be nice to
> see an explanation), but I'm not convinced that it proves everything you
> think it proves.
Hi Rob,
My digest of Thijs's work (and that of others investigating the same
issues) is
On 07/09/16 15:01, Thijs Alkemade wrote:
> What is suspicious is:
>
> - Twice as many SHA-1 certificates being issued on a specific Sunday in
> December than the daily average that month. (Which also happens to be the
> date on the certificates which I personally got from the StartEncrypt API.)
On 07 Sep 2016, at 14:52, Rob Stradling wrote:
>
> On 06/09/16 19:12, Thijs Alkemade wrote:
>
>> Hello,
>>
>> We obtained 2 certificates from the StartEncrypt API which had SHA-1
>> signatures and which were backdated to December 20, 2015.
>>
>> After WoSign announced that all certificates is
On 06/09/16 19:12, Thijs Alkemade wrote:
> Hello,
>
> We obtained 2 certificates from the StartEncrypt API which had SHA-1
> signatures and which were backdated to December 20, 2015.
>
> After WoSign announced that all certificates issued in 2015 were logged to
> their Certificate Transparency
We posted all 2015 certificates, total 109,405
We almost finished 2016 certificates, till now, 129,426, not finished.
All 392 cert is not from one serial number, it is from several serial numbers.
Regards,
Richard
> On 7 Sep 2016, at 20:07, Kurt Roeckx wrote:
>
>> On 2016-09-07 13:00, Gerva
On 2016-09-07 13:00, Gervase Markham wrote:
Hi Richard,
On 07/09/16 11:06, Richard Wang wrote:
This discuss has been lasting two weeks, I think it is time to end
it, it doesn’t worth to waste everybody’s precious time.
Unfortunately, I think we may be only beginning.
I have prepared a list o
On 07/09/16 12:14, Richard Wang wrote:
> By the way, the link you used in the page to our report is not correct.
Fixed; thank you.
Gerv