Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: > We finished the CT posting, all 2015 issued SSL certificate is posted to > WoSign CT log server: https://ctlog.wosign.com, total 101,410 certificates. Richard, Based on CT logs, I have seen certificates from the CAs

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
-Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang ; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign > And, as others have pointed out in this

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Yes, we plan to post to one of the Google log server tomorrow. Regards, Richard > On 2 Sep 2016, at 22:54, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015 issued SSL certificate is

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
(forgot the list) On Fri, Sep 2, 2016 at 7:55 AM, Peter Bowen wrote: > On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015 issued SSL certificate is posted to >> WoSign CT log server: https://ctlog.wosign.com,

Re: Sanctions short of distrust

2016-09-02 Thread Jakob Bohm
On 02/09/2016 12:19, Gervase Markham wrote: On 31/08/16 20:43, Nick Lamb wrote: This suggests the need for some options short of distrust which can be deployed instead, but Mozilla does not seem to have any. If in fact it already does, this would be a great place to say what they are and

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
We will check this tomorrow. Now our time is 23:32 at night. Regards, Richard > On 2 Sep 2016, at 23:20, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: >> Yes, we posted all 2015 issued SSL from WoSign trusted root. >> >>>

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: > Yes, we posted all 2015 issued SSL from WoSign trusted root. > > On 2 Sep 2016, at 22:55, Peter Bowen wrote: >> Based on CT logs, I have seen certificates from the CAs below, all of >> which have

Re: Sanctions short of distrust

2016-09-02 Thread Nick Lamb
Thanks for your feedback Gerv, On Friday, 2 September 2016 11:19:49 UTC+1, Gervase Markham wrote: > Have you considered what was done for CNNIC? In that case, we distrusted > all certificates issued after a certain time. We used a whitelist for > determining this, but it would be possible to use

Re: Incidents involving the CA WoSign

2016-09-02 Thread Andrew Ayer
On Fri, 2 Sep 2016 11:19:18 +0100 Gervase Markham wrote: > On 31/08/16 19:13, Ryan Sleevi wrote: > > A) Remove the CA. Users may manually trust it if they re-add it, > > but it will not be trusted by default. > > > F) Distrust all certs with a notBefore date after date X,

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 07:27:13PM +0200, Kurt Roeckx wrote: > On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > > 2. A certificate has already been found which they didn't log to CT > > despite their assertion that they had logged all certificates, > > Can you please point to those

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > 2. A certificate has already been found which they didn't log to CT > despite their assertion that they had logged all certificates, Can you please point to those that weren't logged? Kurt

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Some facts for Mozilla to consider. WoSign Root is never trusted by Apple https://support.apple.com/en-ca/HT205205 https://support.apple.com/en-ca/HT205204 However, all WoSign leaf certs are trusted on Apple devices because WoSign intermediate authority is signed by StartCom.

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote: > Hi Richard, > > On 01/09/16 04:04, Richard Wang wrote: > > First, please treat WoSign as a global trusted CA, DON'T stamp as > > China CA. We need a fair treatment as other worldwide CAs that I am > > sure WoSign is not

Re: Sanctions short of distrust

2016-09-02 Thread John Nagle
September 2016 11:19:49 UTC+1, Gervase Markham wrote: Have you considered what was done for CNNIC? In that case, we distrusted all certificates issued after a certain time. We used a whitelist for determining this, but it would be possible to use the notBefore date in the certificate. A CA could

Re: Incidents involving the CA WoSign

2016-09-02 Thread Erwann Abalea
On Friday, 2 September 2016 at 19:45:37 UTC+2, Percy wrote: > Some facts for Mozilla to consider. WoSign Root is never trusted by Apple > https://support.apple.com/en-ca/HT205205 > https://support.apple.com/en-ca/HT205204 > > However, all WoSign leaf certs are trusted on Apple devices

Re: Sanctions short of distrust

2016-09-02 Thread Patrick Figel
On 02/09/16 21:14, John Nagle wrote: > 2. For certs under this root cert, always check >CA's certificate transparency server. Fail > if not found. To my knowledge, CT does not have any kind of online check mechanism. SCTs can be embedded in the certificate (at the time of

Re: Sanctions short of distrust

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 11:19:11AM +0100, Gervase Markham wrote: > On 31/08/16 20:43, Nick Lamb wrote: > > This suggests the need for some options short of distrust which can > > be deployed instead, but Mozilla does not seem to have any. If in > > fact it already does, this would be a great place

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 10:27:04AM +, Richard Wang wrote: > (2) What I mean is please think about the current users if any action; 10% > from government website, 6 customers is the top 10 eCommerce website in > China; I'm reminded of a line from an old episode of a rather crass TV show, which

Re: Sanctions short of distrust

2016-09-02 Thread John Nagle
On 09/02/2016 01:04 PM, Patrick Figel wrote: On 02/09/16 21:14, John Nagle wrote: 2. For certs under this root cert, always check CA's certificate transparency server. Fail if not found. To my knowledge, CT does not have any kind of online check mechanism. SCTs can be embedded in the

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 09:01:47AM +, Richard Wang wrote: > You mean if a Chinese, a Chinese company own a USA CA, then the USA CA become > un-trustworthiness? If the Chinese company or US CA are making legal threats to try and suppress disclosure of the ownership, and the Chinese company is

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > Do you also plan to submit these to at least one Google-operated log? > > Did you mean "non-Google-operated log"? I was under the impression that we > didn't want

Re: Sanctions short of distrust

2016-09-02 Thread Patrick Figel
On 03/09/16 01:15, Matt Palmer wrote: > On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote: >> On 09/02/2016 01:04 PM, Patrick Figel wrote: >>> On 02/09/16 21:14, John Nagle wrote: 2. For certs under this root cert, always check CA's certificate transparency server. Fail if not

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. BTW, as I said that the two related pages in our website are deleted. Regards, Richard > On 3 Sep 2016, at 02:16, Percy wrote: > >> On Friday,

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hate WoSign so deeply, we know he > represent which CA, everything is clear now. Richard, With all due respect, many of the people who participate in this dev-security-policy group

PEM->JSON tool and cert tests down

2016-09-02 Thread Kathleen Wilson
All, We had to take down https://cert-checker.allizom.org/ due to a security issue. This site hosted cert tests, EV tests, and the PEM->JSON tool used by the CA Community in Salesforce for importing intermediate cert data. We are actively looking for a solution, but do not currently have a

Re: Sanctions short of distrust

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote: > On 09/02/2016 01:04 PM, Patrick Figel wrote: > >On 02/09/16 21:14, John Nagle wrote: > >>2. For certs under this root cert, always check CA's certificate > >>transparency server. Fail if not found. > > > >To my knowledge, CT does not

Re: Sanctions short of distrust

2016-09-02 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:45:48AM +0200, Patrick Figel wrote: > On 03/09/16 01:15, Matt Palmer wrote: > > On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote: > >> On 09/02/2016 01:04 PM, Patrick Figel wrote: > >>> On 02/09/16 21:14, John Nagle wrote: > 2. For certs under this root

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > Do you also plan to submit these to at least one Google-operated log? Did you mean "non-Google-operated log"? I was under the impression that we didn't want everything being stuffed into just Google logs. - Matt -- I really didn't

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:31:39AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > > Do you also plan to submit these to at least one Google-operated log? > > > > Did you mean

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Percy Alpha(PGP ) On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hate WoSign so deeply, we know he > represent which CA, everything is clear now. > Are you f**king

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Nick Lamb
On Friday, 2 September 2016 08:50:02 UTC+1, Eddy Nigg wrote: > Let's speak about relying parties - how does this bug affect you? As a relying party I am entitled to assume that there is no more than one certificate signed by a particular issuer with a certain serial number. If I have seen this

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 9:57:24 PM UTC-7, Percy wrote: > Richard, > You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large > )that "WoSign has been oppressed by large American companies over the years > but has been growing steadily over the past 10 years and is now

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Richard, You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large )that "WoSign has been oppressed by large American companies over the years but has been growing steadily over the past 10 years and is now the 8th largest CA in the world". Is EFF one of your so called

Re: Sanctions short of distrust

2016-09-02 Thread Henri Sivonen
(I'm replying to the topic as posed in the abstract and as a user with Mozilla hat off. No suggestion of applicability to cases currently under discussion should be inferred.) On Wed, Aug 31, 2016 at 10:43 PM, Nick Lamb wrote: > 1. Implement "Require SCTs" for problematic

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthiness of CAs is *entirely* on topic. - Matt

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On 2016-09-02 05:59, Peter Gutmann wrote: Vincent Lynch writes: I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) should make a statement about this. +1. I'd already asked for something like this earlier and got silence as a response, which isn't

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Eddy Nigg
On 09/02/2016 09:38 AM, Jakob Bohm wrote: 4. Violations that are purely technical but cannot actually endanger relying parties (such as issuing non-unique certificates to the correct entities, or issuing certificates with too early expiry dates). This would be the case with the StartCom serial

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
You mean if a Chinese, a Chinese company own a USA CA, then the USA CA become un-trustworthiness? I still think this topic is out of THE Topic - Incident. Best Regards, Richard -Original Message- From: dev-security-policy

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
OK I try to say some that I wish I don't violate my company confidential policy. 1. Eddy told me that this guy is the former employee of StartCom, he violates the signed NDA that he must shutdown the site within the limit time. Every re-distribution the wrong information will heavy his penalty

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Jakob Bohm
On 01/09/2016 10:52, Nick Lamb wrote: On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote: Not so, rather according to my assessment, the cost and everything it entailed (including other risks) to fix that particular issue outweighed the benefits for having it fixed within a

Re: Reuse of serial numbers by StartCom

2016-09-02 Thread Eddy Nigg
On 09/01/2016 11:52 AM, Nick Lamb wrote: On Thursday, 1 September 2016 08:54:16 UTC+1, Eddy Nigg wrote: Not so, rather according to my assessment, the cost and everything it entailed (including other risks) to fix that particular issue outweighed the benefits for having it fixed within a

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 05:59:19AM +, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that he must shutdown the site within the limit > time. Every re-distribution the wrong information will heavy his penalty > (including

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Please remember this sentence: Every re-distribution the wrong information will heavy his penalty (including site cache or mirror site). You are harming him! Best Regards, Richard -Original Message- From: dev-security-policy

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote: > Please remember this sentence: > Every re-distribution the wrong information will heavy his penalty (including > site cache or mirror site). > > You are harming him! You stated that he was a former employee of

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
On 31/08/16 19:13, Ryan Sleevi wrote: > A) Remove the CA. Users may manually trust it if they re-add it, but it will > not be trusted by default. F) Distrust all certs with a notBefore date after date X, and require the CA to apply for re-inclusion to get the distrust lifted. (I.e. what

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 02/09/16 06:59, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that he must shutdown the site within the > limit time. Every re-distribution the wrong information will heavy > his penalty (including site cache or

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 01/09/16 04:04, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp as > China CA. We need a fair treatment as other worldwide CAs that I am > sure WoSign is not the first CA that have incident and not the > serious one; We are keen to treat WoSign

Re: Sanctions short of distrust

2016-09-02 Thread Gervase Markham
On 31/08/16 20:43, Nick Lamb wrote: > This suggests the need for some options short of distrust which can > be deployed instead, but Mozilla does not seem to have any. If in > fact it already does, this would be a great place to say what they > are and discuss why they haven't been able to be used

Re: website control validation problem

2016-09-02 Thread Kurt Roeckx
On 2016-09-02 04:22, Richard Wang wrote: For https://crt.sh/?id=29884704 , he finished the website control validation. We and Alibaba are investigating why he can do the website control validation. This is the log, but we can't expose more now since it is related to Alibaba. 2016-06-23