Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
I have said many times that I am the Acting CEO of WoSign now, until the new CEO 
arrives.

Even if I were not the CEO but only an employee, I think I can respond to emails 
about WoSign that just tell everyone the facts, without representing the company 
in making any new decision.

Please check my previous reply emails.

Best Regards,

Richard

> On 14 Nov 2016, at 04:46, Percy wrote:
> 
>> On Saturday, October 1, 2016 at 2:02:25 AM UTC-7, 
>> certificate-au...@group.apple.com wrote:
>> Blocking Trust for WoSign CA Free SSL Certificate G2
>> 
>> Certificate Authority WoSign experienced multiple control failures in their 
>> certificate issuance processes for the WoSign CA Free SSL Certificate G2 
>> intermediate CA. Although no WoSign root is in the list of Apple trusted 
>> roots, this intermediate CA used cross-signed certificate relationships with 
>> StartCom and Comodo to establish trust on Apple products.
>> 
>> In light of these findings, we are taking action to protect users in an 
>> upcoming security update.  Apple products will no longer trust the WoSign CA 
>> Free SSL Certificate G2 intermediate CA.
>> 
>> To avoid disruption to existing WoSign certificate holders and to allow 
>> their transition to trusted roots, Apple products will trust individual 
>> existing certificates issued from this intermediate CA and published to 
>> public Certificate Transparency log servers by 2016-09-19. They will 
>> continue to be trusted until they expire, are revoked, or are untrusted at 
>> Apple’s discretion.
>> 
>> As the investigation progresses, we will take further action on 
>> WoSign/StartCom trust anchors in Apple products as needed to protect users.
>> 
>> Regards,
>> 
>> Apple Root Certificate Program
> 
> Richard,
> As the management reshuffling is part of WoSign/StartCom's response, may I 
> ask under what capacity are you still representing WoSign on this forum?
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
On Saturday, October 1, 2016 at 2:02:25 AM UTC-7, 
certificate-au...@group.apple.com wrote:
> Blocking Trust for WoSign CA Free SSL Certificate G2
> 
> Certificate Authority WoSign experienced multiple control failures in their 
> certificate issuance processes for the WoSign CA Free SSL Certificate G2 
> intermediate CA. Although no WoSign root is in the list of Apple trusted 
> roots, this intermediate CA used cross-signed certificate relationships with 
> StartCom and Comodo to establish trust on Apple products.
> 
> In light of these findings, we are taking action to protect users in an 
> upcoming security update.  Apple products will no longer trust the WoSign CA 
> Free SSL Certificate G2 intermediate CA.
> 
> To avoid disruption to existing WoSign certificate holders and to allow their 
> transition to trusted roots, Apple products will trust individual existing 
> certificates issued from this intermediate CA and published to public 
> Certificate Transparency log servers by 2016-09-19. They will continue to be 
> trusted until they expire, are revoked, or are untrusted at Apple’s 
> discretion.
> 
> As the investigation progresses, we will take further action on 
> WoSign/StartCom trust anchors in Apple products as needed to protect users.
> 
> Regards,
> 
> Apple Root Certificate Program

Richard,
As the management reshuffling is part of WoSign/StartCom's response, may I ask 
under what capacity are you still representing WoSign on this forum?


Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
WoSign has stopped issuing free SSL certificates from those two intermediate CAs 
since Sept 29.


Best Regards,

Richard

> On 13 Nov 2016, at 17:07, Percy wrote:
> 
> I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA 
> even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate 
> CA. An example of a site signed by "CA 沃通免费SSL证书 G2" intermediate CA is 
> https://www.chelenet.com/
> 
> Those two intermediate certs are treated by WoSign the same way and the 
> translation of "CA 沃通免费SSL证书 G2" is "WoSign CA Free SSL Certificate G2". 
> Users can select whether the end cert is signed by "CA 沃通免费SSL证书 G2" or 
> "WoSign CA Free SSL Certificate G2". All control measures are the same and 
> the only difference is the language for marketing reasons.
> 
> Hence, because Apple has chosen to block "WoSign CA Free SSL Certificate 
> G2", it makes sense to apply the same sanction on "CA 沃通免费SSL证书 G2", as 
> they're in all senses the same.


Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA 
even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate CA. 
An example of a site signed by "CA 沃通免费SSL证书 G2" intermediate CA is 
https://www.chelenet.com/

Those two intermediate certs are treated by WoSign the same way and the 
translation of "CA 沃通免费SSL证书 G2" is "WoSign CA Free SSL Certificate G2". Users 
can select whether the end cert is signed by "CA 沃通免费SSL证书 G2" or "WoSign CA 
Free SSL Certificate G2". All control measures are the same and the only 
difference is the language for marketing reasons.

Hence, because Apple has chosen to block "WoSign CA Free SSL Certificate G2", 
it makes sense to apply the same sanction on "CA 沃通免费SSL证书 G2", as they're in 
all senses the same.
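
The following is an added example, not part of the thread and not Apple's implementation. It models the policy as quoted in the notice (blocked intermediate, exception for certificates logged to CT by 2016-09-19) and reports which leaves stay trusted only because the sibling intermediate is absent from the blocklist. Assumptions: issuers are matched by common name for readability, and every host and date in the sample is constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

CT_CUTOFF = date(2016, 9, 19)             # cutoff date from Apple's notice
EN = "WoSign CA Free SSL Certificate G2"  # intermediate named in the notice
ZH = "CA 沃通免费SSL证书 G2"                # sibling intermediate from the thread

@dataclass(frozen=True)
class Leaf:
    host: str
    issuer: str                 # issuer common name (assumed identifier)
    not_after: date
    ct_logged: Optional[date]   # first CT log date, None if never logged
    revoked: bool = False

def trusted(leaf, blocked, today):
    """Model of the announced policy for one leaf certificate."""
    if leaf.revoked or today > leaf.not_after:
        return False
    if leaf.issuer not in blocked:
        return True             # issuer not sanctioned: normal validation
    # Issuer is blocked: only certificates logged by the cutoff stay trusted.
    return leaf.ct_logged is not None and leaf.ct_logged <= CT_CUTOFF

def coverage_gap(leaves, blocked, siblings, today):
    """Hosts trusted only because a sibling intermediate is not blocked."""
    full = set(blocked) | set(siblings)
    return [l.host for l in leaves
            if trusted(l, blocked, today) and not trusted(l, full, today)]

# Constructed sample leaves (hosts and dates are invented for illustration).
TODAY = date(2016, 11, 13)
SAMPLE = [
    Leaf("old-en.example", EN, date(2017, 8, 1), date(2016, 8, 1)),
    Leaf("new-en.example", EN, date(2017, 9, 25), date(2016, 9, 25)),
    Leaf("old-zh.example", ZH, date(2017, 8, 1), date(2016, 8, 1)),
    Leaf("new-zh.example", ZH, date(2017, 9, 25), date(2016, 9, 25)),
    Leaf("unlogged-zh.example", ZH, date(2017, 9, 28), None),
]

if __name__ == "__main__":
    # Blocklist as described in the notice vs. with the sibling added.
    print(coverage_gap(SAMPLE, {EN}, {ZH}, TODAY))
    print(coverage_gap(SAMPLE, {EN, ZH}, {ZH}, TODAY))
```
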