Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 18:00, Andrew Ayer wrote: > I don't think relying on the notBefore date is a viable option. > WoSign seems to have such a poor handle on their operations that I > think it would be inevitable that someone would find a certificate in > the wild with a notBefore date in the past that had

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > > On 02/09/16 16:21, Peter Bowen wrote: > > > It seems then there is a newly exposed bug. > > >

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Andy, are you from the UK office? Can you explain why your office in the UK fails to identify even the most obvious mistakes on the StartCom website as outlined in http://www.percya.com/2016/09/startcom-operated-solely-in-china.html ? E.g. Start to sell, make big money! Setup your own website, start

Re: Incidents involving the CA WoSign

2016-09-03 Thread Andy Ligg
You are completely wrong! StartCom not only has offices in Israel and in China, but also has an office in the UK; welcome to visit our UK office: T05, Castlemead, Lower Castle Street, Bristol, BS1 3AG, UK. And we will set up an office in Bilbao, Spain this month; Inigo Barreia is the general

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Yeah, their entire website is designed and implemented by someone in China. See my analysis here http://www.percya.com/2016/09/startcom-operated-solely-in-china.html On Thursday, August 25, 2016 at 10:11:21 AM UTC-7, rugk wrote: > Hi, > I stumbled across this service by StartCom: >

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Trust me, the disclosure was not buried, and the factual details are being sorted. However, it would be better for the tone and focus of the thread that we make sure to focus on the factual elements, which, as you note, can be publicly obtained easily, than to try to imply there's something

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Based on the disclosure WoSign/StartCom is trying to bury, WoSign CEO is now also in control of StartCom. Hence, the actively misleading information spread by him should be taken into consideration when talking about StartCom as well.

Re: StartCom's StartPKI

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:26:51PM -0700, Percy wrote: > 1. WoSign actively misleads users in marketing emails. As much as the inaccuracies and misleading statements in WoSign's marketing materials rub me the wrong way, too, if we were to start pulling the roots of CAs for lying in their marketing,

Re: Incidents involving the CA WoSign

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 02:18:44PM -0700, Peter Bowen wrote: > Can you also please check the following two certificates? It looks > like they were missed when logging all the 2015 certs. > > https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 >

Re: StartCom's StartPKI

2016-09-03 Thread Ryan Sleevi
Hi Percy, This does not seem to be a useful or productive contribution to the community discussion. Whether or not a given CA uses English as a first language, or has translation issues, should not be part of the calculus of trustworthiness. The actions, however, are far more relevant and

RE: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
Sorry, I am busy with the incident report, which is up to 20 pages. It will be released soon today. Two reports: one for incidents 0-2, another one for incident X, including the one you pointed out. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent:

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Ryan, I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the content was taken down. Richard, the

Re: Sanctions short of distrust

2016-09-03 Thread John Nagle
Date: Sat, 3 Sep 2016 01:45:48 +0200 From: Patrick Figel Subject: Re: Sanctions short of distrust On 03/09/16 01:15, Matt Palmer wrote: On Fri, Sep 02, 2016 at 03:48:13PM -0700, John Nagle wrote: On 09/02/2016 01:04 PM, Patrick Figel wrote: On 02/09/16 21:14, John Nagle

Re: StartCom's StartPKI

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 10:54:26PM +0200, Kurt Roeckx wrote: > I see no problem with StartCom or WoSign being owned by the same > person. I didn't, either, until they started throwing around legal threats to bury the fact that there was common ownership, and trying to use threats against the

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
It is posted; Peter just did not find it, so I told him the log ID. We are also checking the system again to double-check if we missed some. Please be patient for our full 20-page report, thanks, Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat,

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi wrote: > On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >> Thanks for your detailed instructions. >> Yes, we have improved. The two cases happened in 2015 and the mis-issued >> certificate period is only 5 months that we

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
This is another case that we will include in our report. We issued two test certs using the SM2 algorithm that used the same serial number as the RSA cert (same subject) to test if we could set up a gateway that installs these two types of cert, so it can handshake automatically using a different cert based on

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > On 02/09/16 16:21, Peter Bowen wrote: > > It seems then there is a newly exposed bug. > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > > shows a certificate issued by your CA

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 16:21, Peter Bowen wrote: > It seems then there is a newly exposed bug. > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > shows a certificate issued by your CA that has a notBefore in March > 2015. It does not appear in the CT log.