RE: website control validation problem

2016-09-01 Thread Richard Wang
ay, September 2, 2016 9:59 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: website control validation problem On Thursday, September 1, 2016 at 6:16:53 PM UTC-7, Richard Wang wrote: > For this case, WoSign notice Alibaba after getting report. > > I think this case is another

RE: Yes, we are improved

2016-09-01 Thread Richard Wang
Richard -Original Message- From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Friday, September 2, 2016 12:01 AM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Cc: mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.

RE: Incidents involving the CA WoSign

2016-09-01 Thread Richard Wang
The posting to log server still not finished. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 1, 2016 11:11 PM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-

RE: Reuse of serial numbers

2016-09-01 Thread Richard Wang
I am sure it is revoked, please check it again, thanks. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Patrick T Sent: Thursday, September 1, 2016 5:07 PM To:

RE: Sanctions short of distrust

2016-09-01 Thread Richard Wang
WoSign is volunteering to "Require CT", see this: https://bugs.chromium.org/p/chromium/issues/detail?id=626338 And we even plan to log code signing certificate and client certificate in the future once our system upgrade is ready. We think CT is a good solution for any mis-issued problem.

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
e. Thanks a million. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Thursday, September 1, 2016 2:14 AM To: mozilla-dev-se

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
Repost to the same subject. Regards, Richard > On 30 Aug 2016, at 15:11, Richard Wang <rich...@wosign.com> wrote: > > Dear all, > > This email is the formal reply from WoSign for this 3 incidents. > > First, thank you all very much to help WoSign to improve our sys

RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
ty-pol...@lists.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote: > Dear m.d.s.policy, > > Several incidents have come to our attention involving

Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
1. All certs are revoked in time, please check our CRL; 2. WoSign logged all SSL cert since July 5th; 3. I know you are Chinese with good English, welcome to join WoSign, we need good talent like you. Regards, Richard > On 31 Aug 2016, at 01:33, Percy wrote: > > We

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
cloudapp.net, which belongs to Microsoft > Azure. I'm fairly certain this certificate was not authorized by Microsoft: > > https://crt.sh/?id=2980 > > Thanks, > > Patrick > >> On 29/08/16 11:30, Richard Wang wrote: >> Yes, we plan to revoke all

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
As I explained, we use same script using API, different parameter point to different API post URL for different CA, no any PKI hosting related. Regards, Richard > On 29 Aug 2016, at 16:25, Gervase Markham wrote: > >> On 24/08/16 17:44, Peter Bowen wrote: >> I think you are

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Sure, all issued cert is passed the domain control validations. Regards, Richard > On 29 Aug 2016, at 16:30, Gervase Markham <g...@mozilla.org> wrote: > >> On 25/08/16 04:38, Richard Wang wrote: >> R: NOT this case you think. Due to root inclusion problem, WoSign

Re: Incidents involving the CA WoSign

2016-08-29 Thread Richard Wang
Yes, we plan to revoke all after getting confirmation from subscriber. We are doing this. Regards, Richard > On 29 Aug 2016, at 16:38, Gervase Markham <g...@mozilla.org> wrote: > >> On 29/08/16 05:46, Richard Wang wrote: >> For incident 1 - mis-issued certificate wit

RE: Incidents involving the CA WoSign

2016-08-28 Thread Richard Wang
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote: > We can post all 2015 issued SSL certificate to CT log server if necessary. Is there any reason not to do that proactively? R: OK, we will post all 2015 issued SSL certificates to CT log server, but this take time since

Re: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
I checked our system that this is a standard order in our system that passes the website control validation. We issued more than 300K certificates for worldwide customers including many famous company. For Aliyun, it's our reseller partner, see this news:

RE: Incidents involving the CA WoSign

2016-08-26 Thread Richard Wang
This is the standard way in China Internet, if a west company say something to China company, all will support the west company. PLEASE don’t move this technical problem to political issue, thanks. Best Regards, Richard -Original Message- From: dev-security-policy

RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
Yes, sorry for this. As I admitted that this discussion gives us a big lesson that we know when we need to report incident to all browsers. We guarantee we will do it better. Best Regards, Richard -Original Message- From: dev-security-policy

RE: Incidents involving the CA WoSign

2016-08-25 Thread Richard Wang
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Thursday, August 25, 2016 2:48 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
We revoked this certificate, and we know this certificate is for test only. For transparency, WoSign announced full transparency for all SSL certificate from July 5th that post all issued SSL certificate to Google log server, browsers can distrust WoSign issued SSL certificate after that day if

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
e Markham <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Also, I think the biggest concern is the mis issuance issues were not reported to Mozilla but were reported to Google. A fai

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
.mozilla.org; Richard Wang <rich...@wosign.com> Subject: RE: Incidents involving the CA WoSign That's true. I think WoSign should chime in and provide clarity about what happened. There's far too many innocent explanations to start crying foul. However, the fact a researcher was able to obt

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote: > On 24/08/16 17:12, Jeremy Rowley wrote: >> On incident 2, it sounds like they are both using the same >&g

RE: Incidents involving the CA WoSign

2016-08-24 Thread Richard Wang
this cert is revoked in the same once it is issued. Thanks for posting to CT. Best Regards, Richard From: Eric Mill [mailto:e...@konklone.com] Sent: Thursday, August 25, 2016 12:08 AM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang

RE: Hongkong Post recently issued SHA1 cert that could be used in TLS

2016-08-17 Thread Richard Wang
I checked the certificate that it is a client certificate issued the personal -- PANG Ming Sum: CN = PANG Ming Sum E = todd.p...@autotoll.com.hk OU = AUTOTOLL LIMITED OU = 21506338215100635386 OU = 0001890584 O = Hongkong Post e-Cert (Organisational) C = HK The problem is this certificate

RE: [FORGED] Name issues in public certificates

2016-03-09 Thread Richard Wang
Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Wednesday, November 18, 2015 7:55 PM To: Peter Bowen <pzbo...@gmail.com> Cc: Rob Stradling <rob.stradl...@c

RE: [FORGED] Name issues in public certificates

2015-11-18 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Richard Wang Sent: Wednesday, November 18, 2015 10:41 AM To: Peter Bowen <pzbo...@gmail.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: RE: [FORGED] Nam

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
I also found some mistakes for the list: 1. I see some client certificate in the report that it say the email as common name is wrong; 2. IP address is allowed by BR; 3. IDN is allowed, but also in the report Regards, Richard -Original Message- From: dev-security-policy

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
[mailto:jeremy.row...@digicert.com] Sent: Wednesday, November 18, 2015 5:17 AM To: Rob Stradling <rob.stradl...@comodo.com> Cc: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen <pzbo...@gmail.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz> Su

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
-Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Wednesday, November 18, 2015 12:33 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozil

RE: [FORGED] Name issues in public certificates

2015-11-17 Thread Richard Wang
: Wednesday, November 18, 2015 10:28 AM To: Richard Wang <rich...@wosign.com> Cc: Rob Stradling <rob.stradl...@comodo.com>; mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann <pgut...@cs.auckland.ac.nz> Subject: Re: [FORGED] Name issues in public certificates Rich

Re: Policy Update Proposal: Remove Code Signing Trust Bit

2015-09-24 Thread Richard Wang
I think Firefox plugin XPI needs to be signed, this is the usage. Regards, Richard > On Sep 24, 2015, at 20:53, Gervase Markham wrote: > >> On 24/09/15 02:58, Peter Kurrasch wrote: >> I suppose my comment was not as clear as I intended but, yes, I think >> Mozilla's

Re: Policy Update Proposal -- Remove Email Trust Bit

2015-09-23 Thread Richard Wang
Yes, I think it should be kept. If some CA don't like this bit, then don't apply it, so simple. No necessary to remove it in NSS. Regards, Richard > On Sep 23, 2015, at 21:34, Adriano Santoni > wrote: > > There's one thing that I still do not understand. > >

Re: Policy Update Proposal -- Remove Email Trust Bit

2015-09-23 Thread Richard Wang
+100, should keep. Regards, Richard > On Sep 23, 2015, at 06:12, Kathleen Wilson wrote: > > On 9/22/15 9:29 AM, Kathleen Wilson wrote: >>> >>> First, we need to determine if the Email trust bit should remain part of >>> Mozilla's CA Certificate Policy. >> >> To be

RE: Letter from US House of Representatives

2015-07-06 Thread Richard Wang
According to this clues, as I said in Zurich CABF meeting, China will also come out a trust list that request browser and OS support. And other countries will come a list, then Browser and OS need to maintain hundreds trust list. Is it a good idea? Best Regards, Richard -Original

RE: WoSign Root Renewal Request

2015-07-02 Thread Richard Wang
Of Richard Wang Sent: Wednesday, July 1, 2015 9:11 AM To: Kurt Roeckx; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: WoSign Root Renewal Request Hi Kurt, Hi Jesus, Hi Martin, Very thanks for your help. I think we misunderstanding the CRL number definition due our engineer bad English

RE: WoSign Root Renewal Request

2015-07-01 Thread Richard Wang
Mill Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Kurt Roeckx Subject: Re: WoSign Root Renewal Request This was explored in the past (several Japanese CAs collaborated and translated the documents), but it ended up working badly when the translations weren't following

RE: WoSign Root Renewal Request

2015-06-30 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Martin Rublik Sent: Tuesday, June 30, 2015 2:29 PM To: dev-security-policy@lists.mozilla.org Subject: Re: WoSign Root Renewal Request On 30. 6. 2015 3:00, Richard Wang wrote: Very thanks for your question. This two root is a new root CA that only issued one test SSL for test
