ay, September 2, 2016 9:59 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: website control validation problem
On Thursday, September 1, 2016 at 6:16:53 PM UTC-7, Richard Wang wrote:
> For this case, WoSign notice Alibaba after getting report.
>
> I think this case is another
Richard
-Original Message-
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Friday, September 2, 2016 12:01 AM
To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>>
Cc:
mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.
The posting to log server still not finished.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, September 1, 2016 11:11 PM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-
I am sure it is revoked, please check it again, thanks.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Patrick T
Sent: Thursday, September 1, 2016 5:07 PM
To:
WoSign is volunteering to "Require CT", see this:
https://bugs.chromium.org/p/chromium/issues/detail?id=626338
And we even plan to log code signing certificate and client certificate in the
future once our system upgrade is ready.
We think CT is a good solution for any mis-issued problem.
e. Thanks a million.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Ryan Sleevi
Sent: Thursday, September 1, 2016 2:14 AM
To: mozilla-dev-se
Repost to the same subject.
Regards,
Richard
> On 30 Aug 2016, at 15:11, Richard Wang <rich...@wosign.com> wrote:
>
> Dear all,
>
> This email is the formal reply from WoSign for this 3 incidents.
>
> First, thank you all very much to help WoSign to improve our sys
ty-pol...@lists.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> Dear m.d.s.policy,
>
> Several incidents have come to our attention involving
1. All certs are revoked in time, please check our CRL;
2. WoSign logged all SSL cert since July 5th;
3. I know you are Chinese with good English, welcome to join WoSign, we need
good talent like you.
Regards,
Richard
> On 31 Aug 2016, at 01:33, Percy wrote:
>
> We
cloudapp.net, which belongs to Microsoft
> Azure. I'm fairly certain this certificate was not authorized by Microsoft:
>
> https://crt.sh/?id=2980
>
> Thanks,
>
> Patrick
>
>> On 29/08/16 11:30, Richard Wang wrote:
>> Yes, we plan to revoke all
As I explained, we use same script using API, different parameter point to
different API post URL for different CA, no any PKI hosting related.
Regards,
Richard
> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are
Sure, all issued cert is passed the domain control validations.
Regards,
Richard
> On 29 Aug 2016, at 16:30, Gervase Markham <g...@mozilla.org> wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT this case you think. Due to root inclusion problem, WoSign
Yes, we plan to revoke all after getting confirmation from subscriber. We are
doing this.
Regards,
Richard
> On 29 Aug 2016, at 16:38, Gervase Markham <g...@mozilla.org> wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate wit
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.
Is there any reason not to do that proactively?
R: OK, we will post all 2015 issued SSL certificates to CT log server, but this
take time since
I checked our system that this is a standard order in our system that passes
the website control validation.
We issued more than 300K certificates for worldwide customers including many
famous company.
For Aliyun, it's our reseller partner, see this news:
This is the standard way in China Internet, if a west company say something to
China company, all will support the west company.
PLEASE don’t move this technical problem to political issue, thanks.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
Yes, sorry for this.
As I admitted that this discussion gives us a big lesson that we know when we
need to report incident to all browsers. We guarantee we will do it better.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Matt Palmer
Sent: Thursday, August 25, 2016 2:48 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote
We revoked this certificate, and we know this certificate is for test only.
For transparency, WoSign announced full transparency for all SSL certificate
from July 5th that post all issued SSL certificate to Google log server,
browsers can distrust WoSign issued SSL certificate after that day if
e Markham <g...@mozilla.org>
Cc: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Also, I think the biggest concern is the mis issuance issues were not reported
to Mozilla but were reported to Google. A fai
.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: RE: Incidents involving the CA WoSign
That's true. I think WoSign should chime in and provide clarity about what
happened. There's far too many innocent explanations to start crying foul.
However, the fact a researcher was able to obt
.mozilla.org; Richard Wang <rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 24/08/16 17:12, Jeremy Rowley wrote:
>> On incident 2, it sounds like they are both using the same
>&g
this cert is revoked in the same once it is issued.
Thanks for posting to CT.
Best Regards,
Richard
From: Eric Mill [mailto:e...@konklone.com]
Sent: Thursday, August 25, 2016 12:08 AM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang
I checked the certificate that it is a client certificate issued the personal
-- PANG Ming Sum:
CN = PANG Ming Sum
E = todd.p...@autotoll.com.hk
OU = AUTOTOLL LIMITED
OU = 21506338215100635386
OU = 0001890584
O = Hongkong Post e-Cert (Organisational)
C = HK
The problem is this certificate
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 7:55 PM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@c
@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 10:41 AM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: RE: [FORGED] Nam
I also found some mistakes for the list:
1. I see some client certificate in the report that it say the email as common
name is wrong;
2. IP address is allowed by BR;
3. IDN is allowed, but also in the report
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:jeremy.row...@digicert.com]
Sent: Wednesday, November 18, 2015 5:17 AM
To: Rob Stradling <rob.stradl...@comodo.com>
Cc: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen
<pzbo...@gmail.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz>
Su
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Wednesday, November 18, 2015 12:33 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann
<pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozil
: Wednesday, November 18, 2015 10:28 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: Re: [FORGED] Name issues in public certificates
Rich
I think FireFox plugin XPI need to be signed, this is the usage.
Regards,
Richard
> On Sep 24, 2015, at 20:53, Gervase Markham wrote:
>
>> On 24/09/15 02:58, Peter Kurrasch wrote:
>> I suppose my comment was not as clear as I intended but, yes, I think
>> Mozilla's
Yes, I think it should be kept. If some CA don't like this bit, then don't
apply it, so simple. No necessary to remove it in NSS.
Regards,
Richard
> On Sep 23, 2015, at 21:34, Adriano Santoni
> wrote:
>
> There's one thing that I still do not understand.
>
>
+100, should keep.
Regards,
Richard
> On Sep 23, 2015, at 06:12, Kathleen Wilson wrote:
>
> On 9/22/15 9:29 AM, Kathleen Wilson wrote:
>>>
>>> First, we need to determine if the Email trust bit should remain part of
>>> Mozilla's CA Certificate Policy.
>>
>> To be
According to this clues, as I said in Zurich CABF meeting, China will also come
out a trust list that request browser and OS support.
And other countries will come a list, then Browser and OS need to maintain
hundreds trust list.
Is it a good idea?
Best Regards,
Richard
-Original
Of Richard Wang
Sent: Wednesday, July 1, 2015 9:11 AM
To: Kurt Roeckx; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: WoSign Root Renewal Request
Hi Kurt, Hi Jesus, Hi Martin,
Very thanks for your help.
I think we misunderstanding the CRL number definition due our engineer bad
English
Mill
Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Kurt Roeckx
Subject: Re: WoSign Root Renewal Request
This was explored in the past (several Japanese CAs collaborated and translated
the documents), but it ended up working badly when the translations weren't
following
@lists.mozilla.org] On
Behalf Of Martin Rublik
Sent: Tuesday, June 30, 2015 2:29 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: WoSign Root Renewal Request
On 30. 6. 2015 3:00, Richard Wang wrote:
Very thanks for your question.
This two root is a new root CA that only issued one test SSL for test
101 - 137 of 137 matches
Mail list logo