Re: Does Heartbleed count for the purposes of BR 4.9.1.1 point 11? ("proven or demonstrated method")

2019-05-27 Thread Han Yuwei via dev-security-policy
On Monday, May 27, 2019 at 10:05:25 AM UTC+8, Matt Palmer wrote: > On Sun, May 26, 2019 at 06:57:08PM -0700, Han Yuwei via dev-security-policy > wrote: > > If malloc() is correctly implemented, private keys are secure from > > Heartbleed. So > > I think it doesn't meet the criteria.

Re: Does Heartbleed count for the purposes of BR 4.9.11 point 11? ("proven or demonstrated method")

2019-05-26 Thread Han Yuwei via dev-security-policy
If malloc() is correctly implemented, private keys are secure from Heartbleed. So I think it doesn't meet the criteria. CAs can't revoke a certificate without notifying the subscriber in advance. But if any bugs are found in future which can retrieve private keys from TLS endpoints, you can just use

Re: CAA record checking issue

2019-05-11 Thread Han Yuwei via dev-security-policy
This raised a question: How can a CA prove they have done CAA checks or not at the time of issue? On Friday, May 10, 2019 at 10:05:36 AM UTC+8, Jeremy Rowley wrote: > FYI, we posted this today: > > > > https://bugzilla.mozilla.org/show_bug.cgi?id=1550645 > > > > Basically we discovered an issue with our

Re: Reported Digicert key compromise but not revoked

2019-05-11 Thread Han Yuwei via dev-security-policy
Thanks for that. So now I should send another email to rev...@digicert.com or just wait for revocation? And who should I contact if this address doesn't work? On Friday, May 10, 2019 at 8:26:09 AM UTC+8, Jeremy Rowley wrote: > No argument from me there. We generally act on them no matter what. > Typically any

Reported Digicert key compromise but not revoked

2019-05-09 Thread Han Yuwei via dev-security-policy
Hi m.d.s.p, I reported a key compromise incident to DigiCert by contacting support(at)digicert.com on Apr. 13, 2019 and got a reply the same day. But it seems like this certificate is still valid. This certificate is a code signing certificate and known for signing malware. So I am here to

Found something I can't understand in these certificates.

2017-08-01 Thread Han Yuwei via dev-security-policy
https://crt.sh/?id=7040227 https://crt.sh/?id=30328289 I am confused for these reasons. 1. The CN of the two certificates is the same. So it is not necessary to issue two certificates in just 2 minutes. 2. The second one used SHA1, though that is consistent with the BR, but the first one used SHA256. 3. The first one has

Find a 5-year certificate

2017-05-09 Thread Han Yuwei via dev-security-policy
I have found this: https://crt.sh/?id=6885329 I don't know whether Mozilla had allowed the certificate to be valid for more than 39 months, so I am here to verify it. I have searched on Github but found nothing.

Policy 2.5 Proposal: Indicate direction of travel with respect to permitted domain validation methods

2017-05-03 Thread Han Yuwei via dev-security-policy
A question: How would a domain holder express denial for certain certificate requests?

Symantec: Draft Proposal

2017-05-03 Thread Han Yuwei via dev-security-policy
So Mozilla thinks Symantec's issues are not serious enough to lose trust entirely?

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-20 Thread Han Yuwei
> Yep. As far as I know, it must use the service of one of Chinese hosting > providers. Therefore, .cn domain name must point to Chinese IP address. > > On December 19, 2016 3:54:43 PM GMT+08:00, Han Yuwei <hanyuwe...@gmail.com> > wrote: > >Since letsencry

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-18 Thread Han Yuwei
On Monday, December 19, 2016 at 12:36:10 PM UTC+8, jo...@letsencrypt.org wrote: > We had some trouble figuring out how to purchase a Chinese domain name before > we launched, so we didn't purchase it then. We've never talked to wosign > about this before, and we haven't seen the domain used for anything confusing >

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-11 Thread Han Yuwei
On Saturday, December 10, 2016 at 9:34:50 AM UTC+8, zbw...@gmail.com wrote: > On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote: > > lslqtz, > > How did you obtain this certificate from WoSign? Through the public website > > or some other means? > > I get this certificate through the dealer's website, but the dealer and > WoSign

Re: Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-12-09 Thread Han Yuwei
On Friday, December 9, 2016 at 5:42:29 AM UTC+8, Jakob Bohm wrote: > On 08/12/2016 21:48, Gervase Markham wrote: > > Require CAs to publish their CPs and CPSes under one of the following > > Creative Commons licenses: CC-BY, CC-BY-SA or CC-BY-ND. > > > > This is so that there is no legal impediment to their proper

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-09 Thread Han Yuwei
On Friday, December 9, 2016 at 4:19:31 AM UTC+8, Gervase Markham wrote: > On 05/12/16 13:41, Richard Wang wrote: > > We checked our system, this order is from one of the reseller. We > > have many resellers that used the API, we noticed all resellers to > > close the free SSL, but they need some time to update the

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Han Yuwei
On Monday, December 5, 2016 at 9:06:13 PM UTC+8, lslqtz wrote: > Certificate: > -BEGIN CERTIFICATE- > MIIFwTCCBKmgAwIBAgIQH6W3+xfuFD8074LcZJFjLjANBgkqhkiG9w0BAQsFADBP > MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJDAiBgNV > BAMMG0NBIOayg+mAmuWFjei0uVNTTOivgeS5piBHMjAeFw0xNjEyMDUwNTU4NDJa >

Re: Continue discussion about "Define actions or practices that bar a company from being a trusted CA (#19)"

2016-12-01 Thread Han Yuwei
On Thursday, December 1, 2016 at 3:14:14 PM UTC+8, Gervase Markham wrote: > On 30/11/16 23:08, Han Yuwei wrote: > > In https://github.com/mozilla/pkipolicy/issues/19 Gerv talked about > > what shouldn't CA do but the discussion thread listed didn't > > continue. > > That issue is not

Discussion about restricting government roots to that country's TLD(s)

2016-11-30 Thread Han Yuwei
Github issue: https://github.com/mozilla/pkipolicy/issues/42 My opinions: It's good to restrict government CAs to certain TLDs for reasons below 1. government CA is intended to provide domestic assurance of IDs and services for government's websites. 2. If we assume every government is "evil",

Continue discussion about "Define actions or practices that bar a company from being a trusted CA (#19)"

2016-11-30 Thread Han Yuwei
In https://github.com/mozilla/pkipolicy/issues/19 Gerv talked about what CAs shouldn't do but the discussion thread listed didn't continue. Here are my questions: 1. What's the definition of "The same organization"? The structures of large companies are very complicated now. With unaccoutable

Policy 2.4 Proposal: Require full CP/CPS in English

2016-11-30 Thread Han Yuwei
I request to postpone this issue for further discussion for reasons below. 1. Is English CP/CPS authoritative or just a plain translation? 2. Requesting every change to be published in English? 3. What should we do if there are conflicts between English version and CA's native language due to

Policy 2.4 Proposal: Require open licensing of CPs and CPSes

2016-11-30 Thread Han Yuwei
Is there enough time for CAs to change their license?

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-17 Thread Han Yuwei
On Wednesday, November 16, 2016 at 3:59:12 PM UTC+8, wangs...@gmail.com wrote: > On Wednesday, November 16, 2016 at 1:11:05 AM UTC+8, Han Yuwei wrote: > > On Tuesday, November 15, 2016 at 7:03:07 PM UTC+8, wangs...@gmail.com wrote: > > > On Tuesday, November 15, 2016 at 8:51:25 AM UTC+8, Kathleen Wilson wrote: > > > > On Friday, October 28, 2016 at 7:29:5

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Han Yuwei
On Tuesday, November 15, 2016 at 7:03:07 PM UTC+8, wangs...@gmail.com wrote: > On Tuesday, November 15, 2016 at 8:51:25 AM UTC+8, Kathleen Wilson wrote: > > On Friday, October 28, 2016 at 7:29:56 AM UTC-7, wangs...@gmail.com wrote: > > > We have uploaded the latest translation of CP/CPS. > > > CP:

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Han Yuwei
On Tuesday, November 15, 2016 at 8:51:25 AM UTC+8, Kathleen Wilson wrote: > On Friday, October 28, 2016 at 7:29:56 AM UTC-7, wangs...@gmail.com wrote: > > We have uploaded the latest translation of CP/CPS. > > CP: https://bugzilla.mozilla.org/attachment.cgi?id=8805543 > > CPS:

Re: Mozilla CT Policy

2016-11-04 Thread Han Yuwei
On Friday, November 4, 2016 at 8:20:11 PM UTC+8, Gervase Markham wrote: > CT is coming to Firefox. As part of that, Mozilla needs to have a set of > CT policies surrounding how that will work. Like our root inclusion > program, we intend to run our CT log inclusion program in an open and > transparent fashion, such

Re: Update on transition of the Verizon roots and issuance of SHA1 certificates

2016-11-03 Thread Han Yuwei
On Friday, November 4, 2016 at 3:52:23 AM UTC+8, Jeremy Rowley wrote: > Resent without a signature > > > > Hi everyone, > > > > This email is intended to gather public and browser feedback on how we are > handling the transitioning Verizon's customers to DigiCert and share with > everyone the plan for when

Re: Certificate Concern about Cloudflare's DNS

2016-11-02 Thread Han Yuwei
On Saturday, September 10, 2016 at 8:37:40 PM UTC+8, Han Yuwei wrote: > I am using Cloudflare's DNS service and I found that Cloudflare has issued a > certificate to their server including my domain. But I didn't use any SSL > service of theirs. Is that ok to Mozilla's policy? > > Issued certificate:htt

Re: Something About CFCA (China Financial Certification Authority)

2016-11-01 Thread Han Yuwei
On Monday, October 31, 2016 at 6:19:44 PM UTC+8, jonath...@gmail.com wrote: > On Monday, October 31, 2016 at 11:28:04 AM UTC+8, Han Yuwei wrote: > > On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote: > > > Please see 6.1.7 which describes these content. > > > > In version 3.2 I see that "证书最长期限

Re: help

2016-11-01 Thread Han Yuwei
On Monday, October 31, 2016 at 11:29:27 PM UTC+8, chun.yi...@cn.pwc.com wrote: > Help. My previous email account (cheungchun...@gmail.com) is blocked. I > want to subscribe to the mailgroup using my company account > (chun.yin.che...@cn.pwc.com). > > Regards > > CY > > > On October 28, 2016, at 11:28 PM, Chun Yin Cheung

Re: WoSign: updated report and discussion

2016-11-01 Thread Han Yuwei
On Tuesday, November 1, 2016 at 6:43:53 PM UTC+8, Gervase Markham wrote: > On 31/10/16 18:25, Percy wrote: > > According to http://se.360.cn/event/gmzb.html, the browser needs to send a > > http header Accept-Protocal: SM-SSL. > > That seems like an odd mechanism, because SSL connection establishment > happens before

Re: WoSign: updated report and discussion

2016-10-31 Thread Han Yuwei
On Monday, October 31, 2016 at 11:50:46 PM UTC+8, Gervase Markham wrote: > On 30/10/16 19:47, Han Yuwei wrote: > > SM2 is widely used in Chinese government websites. There is an openssl > > branch (https://github.com/guanzhi/GmSSL) which implemented > > SM2/SM3/SM4. And I don't see any othe

Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Monday, October 31, 2016 at 9:35:04 AM UTC+8, jonath...@gmail.com wrote: > Please see 6.1.7 which describes these content. In version 3.2 I see that "证书最长期限(年)" (maximum validity period) about "SSL服务器证书" (SSL Server Certificates) is 5. And I don't see any other information about SM2 usage

Re: Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 10:26:57 PM UTC+8, jonath...@gmail.com wrote: > 1. It’s not true. CFCA's RSA root that included in Mozilla is not able to > issue sm2 certificate with sm3 hash. CFCA do have sm2 root that issue sm2 > certificate but that root is not included in Mozilla or any other root store >

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 8:40:37 PM UTC+8, 谭晓生 wrote: > Nothing compelled by the gov to trust the self-issued certificates. > > It is because some very large website like 12306.cn(the only one online entry > to buy rail way tickets in China) and some government websites, they still > using self-issued

Something About CFCA (China Financial Certification Authority)

2016-10-30 Thread Han Yuwei
According to their CPS (Chinese version 3.2 Jul.2016), 1. All CAs can issue SM2 certificates and use SM3 Hash. 2. There is a "signing key" generated by the subscriber and an "encryption key" generated by CFCA which is transmitted to the subscriber. 3. For SSL certificate, the longest valid duration is 5

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-30 Thread Han Yuwei
On Sunday, October 30, 2016 at 5:30:23 AM UTC+8, Peter Bowen wrote: > > On Oct 29, 2016, at 2:23 PM, Han Yuwei <hanyuwe...@gmail.com> wrote: > > > > On Friday, October 28, 2016 at 9:23:01 PM UTC+8, wangs...@gmail.com wrote: > >> We are not intended to cover-up anything since we had disclosed every >

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-30 Thread Han Yuwei
On Friday, October 28, 2016 at 6:43:30 AM UTC+8, Han Yuwei wrote: > On Thursday, October 27, 2016 at 6:22:03 PM UTC+8, wangs...@gmail.com wrote: > > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote: > > > I think these are both good points and my recommendation is that Mozilla > > > deny GDCA's request for inclus

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-29 Thread Han Yuwei
On Friday, October 28, 2016 at 9:23:01 PM UTC+8, wangs...@gmail.com wrote: > We are not intended to cover-up anything since we had disclosed every change > to the Chinese version CP/CPS at once after the auditor reviewed. > The “ROOTCA(SM2)” CA in $1.1.3 of CPS ver4.3 is equivalent to the “SM2 ROOT > Certificate” CA

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Han Yuwei
9:07 AM > > To: mozilla-dev-s...@lists.mozilla.org > > Subject: Re: Guang Dong Certificate Authority (GDCA) root inclusion request > > > > > > On 21/10/2016 10:38, Han Yuwei wrote: > > > > > > I think this is a major mistake and an investigation s

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Han Yuwei
> > > > > > > > > From: Jakob Bohm > > > Sent: Saturday, October 22, 2016 9:07 AM > > > To: mozilla-dev-s...@lists.mozilla.org > > > Subject: Re: Gu

Re: Announcement: Chrome requiring Certificate Transparency in 2017

2016-10-25 Thread Han Yuwei
On Tuesday, October 25, 2016 at 11:39:31 PM UTC+8, Nick Lamb wrote: > On Tuesday, 25 October 2016 15:45:26 UTC+1, Han Yuwei wrote: > > Is there any timetable for enforcing CAs to support embedded CT or OCSP CT? > > Well, the effect of Google's policy is that if you're a subscriber looking to > o

Re: Announcement: Chrome requiring Certificate Transparency in 2017

2016-10-25 Thread Han Yuwei
On Tuesday, October 25, 2016 at 8:45:26 AM UTC+8, Ryan Sleevi wrote: > [Note: This is cross-posted. The best venue for follow-up questions is the > public mailing list at ct-pol...@chromium.org or the post at > https://groups.google.com/a/chromium.org/d/msg/ct-policy/78N3SMcqUGw/ykIwHXuqAQAJ > ] > [Note: Posting

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Han Yuwei
On Friday, October 21, 2016 at 6:48:21 PM UTC+8, marc@gmail.com wrote: > On Friday, October 21, 2016 at 03:59:08 UTC+2, Percy wrote: > > Kathleen, > > As most users affected by this decision are Chinese, will you be able to > > make the blog post available in Chinese on the security blog as well? You > > can ask

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-21 Thread Han Yuwei
On Friday, October 21, 2016 at 12:15:07 PM UTC+8, wangs...@gmail.com wrote: > On Friday, October 21, 2016 at 12:15:00 AM UTC+8, Han Yuwei wrote: > > On Thursday, October 20, 2016 at 5:27:42 AM UTC+8, Andrew R. Whalley wrote: > > > Hello, > > > > > > Thank you for the links. I note, however, that there's at least one

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-20 Thread Han Yuwei
On Thursday, October 20, 2016 at 5:27:42 AM UTC+8, Andrew R. Whalley wrote: > Hello, > > Thank you for the links. I note, however, that there's at least one > difference between the native language version and the English translation: > > http://www.gdca.com.cn/cps/cps version 4.3 has a section 4.2.4 covering > CAA.

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote: > All, > > I do not understand the desire to require StartCom / WoSign to not utilize > their own logs as part of the associated quorum policy. > > Certificate Transparency's idempotency is for not dependent on the practices > of the operator. By

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
On Tuesday, October 18, 2016 at 10:38:07 PM UTC+8, Inigo Barreira wrote: > Hi all, > > > I've been reading some emails that need clarification from both sides. > > Firstly I'd like to remind, if I'm not wrong, that Kathleen proposed an > action plan for distrusting StartCom, which has been taken as the final >

Re: StartCom remediation plan

2016-10-14 Thread Han Yuwei
On Friday, October 14, 2016 at 11:23:10 PM UTC+8, Gervase Markham wrote: > Hi Xiaosheng, > > On 14/10/16 16:06, 谭晓生 wrote: > > We’ll rewrite all the code with different programing language or buy > > 3rd party components (for example: PKI), Wosign team using .Net, but > > my team never use .Net, they are good at

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Han Yuwei
On Friday, October 14, 2016 at 12:50:02 AM UTC+8, Kathleen Wilson wrote: > All, > > Thanks again to all of you who have put in so much time and effort to > determine what happened with WoSign and StartCom and discuss what to do about > it. > > Based on the information that I have seen regarding WoSign, I believe

Re: List Content Policy

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 11:58:54 PM UTC+8, Gervase Markham wrote: > A note on accepted content for this list: > > Concrete information which may be important for security policy > decisions Mozilla has to make is welcome. Wild and unsubstantiated > accusations are not, nor are comments which attack a person or

Re: WoSign: updated report and discussion

2016-10-13 Thread Han Yuwei
On Thursday, October 13, 2016 at 9:09:11 PM UTC+8, uri...@gmail.com wrote: > >WoSign will resell other trusted CA's SSL certificate to our customers to > >provide best product and best service to our customers. > > Is the plan to resell StartCom certificates? > > On Thursday, October 13, 2016 at 4:18:54 AM UTC-4,

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
ina ‘s tech team, director of engineering and soon the CTO of > > Yahoo!China, I know what happened at that time. > > > > Thanks, > > Xiaosheng Tan > > > > > > > > On 2016/10/13 at 5:22 AM, “dev-security-policy on behalf of Han > > Yuwei”<dev-security

Re: StartCom & Qihoo Incidents

2016-10-13 Thread Han Yuwei
oo’s search engine could > work in China, I was the tech head of Yahoo!China ‘s tech team, director of > engineering and soon the CTO of Yahoo!China, I know what happened at that > time. > > Thanks, > Xiaosheng Tan > > > > On 2016/10/13 at 5:22 AM, “dev-securi

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Han Yuwei
On Thursday, October 13, 2016 at 3:12:08 AM UTC+8, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we > naturally reach three possible

Re: WoSign and StartCom

2016-10-07 Thread Han Yuwei
On Monday, September 26, 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also > contains some conclusions we

Re: WoSign: updated report and discussion

2016-10-07 Thread Han Yuwei
On Friday, October 7, 2016 at 7:13:42 PM UTC+8, Gervase Markham wrote: > As noted by Richard Wang, WoSign have just published an updated Incident > Report: > https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf > > I think we are now in a position to discuss whether the plan proposed here: >

Re: WoSign and StartCom: next steps

2016-09-29 Thread Han Yuwei
On Thursday, September 29, 2016 at 11:41:12 PM UTC+8, Gervase Markham wrote: > Hi everyone, > > Following the publication of the recent investigative report, > representatives of Qihoo 360 and StartCom have requested a face-to-face > meeting with Mozilla. We have accepted, and that meeting will take place > next Tuesday

Re: WoSign and StartCom

2016-09-27 Thread Han Yuwei
On Tuesday, September 27, 2016 at 11:21:26 PM UTC+8, Hector Martin "marcan" wrote: > On 2016-09-27 23:21, Han Yuwei wrote: > > On Tuesday, September 27, 2016 at 8:33:28 PM UTC+8, Gervase Markham wrote: > >> On 27/09/16 13:13, adroidm...@gmail.com wrote: > >>> We must use Windows XP because some programs ca

Re: WoSign and StartCom

2016-09-27 Thread Han Yuwei
On Tuesday, September 27, 2016 at 8:33:28 PM UTC+8, Gervase Markham wrote: > On 27/09/16 13:13, adroidm...@gmail.com wrote: > > We must use Windows XP because some programs can only run on XP. We > > have no money to get new programs and new Windows. Do you give $$$¥¥¥ > > to me??? You don't right? So please understand

Re: WoSign and StartCom

2016-09-26 Thread Han Yuwei
On Monday, September 26, 2016 at 10:21:13 PM UTC+8, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also > contains some conclusions we

Re: Maybe Mozilla can work with Chinese CAs to urge Chinese government to open up its internet a bit more?

2016-09-19 Thread Han Yuwei
On Tuesday, September 20, 2016 at 12:54:48 AM UTC+8, nfji...@gmail.com wrote: > As you might have already known, most of Google services are blocked within > China, including this very forum. > > I'm not sure how a fair and just assessment of a CA, that primarily serves > the Chinese market, can be had without any

Re: Incidents involving the CA WoSign

2016-09-16 Thread Han Yuwei
On Friday, September 16, 2016 at 6:07:56 PM UTC+8, Richard Wang wrote: > Hi Gerv, > > This is the final report: > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf > > Please let me know if you have any questions about the report, thanks. > > > Best Regards, > > Richard Wang > CEO > WoSign CA

Re: Certificate Concern about Cloudflare's DNS

2016-09-12 Thread Han Yuwei
On Tuesday, September 13, 2016 at 8:07:31 AM UTC+8, Matt Palmer wrote: > On Mon, Sep 12, 2016 at 08:57:29PM +0100, Rob Stradling wrote: > > On 12/09/16 18:57, Jakob Bohm wrote: > > > On 11/09/2016 07:49, Peter Bowen wrote: > > >> On Sat, Sep 10, 2016 at 10:40 PM, Han Yuwei <hanyuwe...@gm

Re: WoSign’s Ownership of StartCom

2016-09-11 Thread Han Yuwei
On Friday, September 9, 2016 at 5:49:07 PM UTC+8, Gervase Markham wrote: > Dear m.d.s.policy, > > We have been actively investigating reports that WoSign and StartCom may > have failed to comply with our policy on change of control notification. > Below is a summary representing the best of our knowledge and belief, >

Re: Certificate Concern about Cloudflare's DNS

2016-09-10 Thread Han Yuwei
On Saturday, September 10, 2016 at 10:44:05 PM UTC+8, Erwann Abalea wrote: > Hello, > > On Saturday, September 10, 2016 at 14:37:40 UTC+2, Han Yuwei wrote: > > I am using Cloudflare's DNS service and I found that Cloudflare has issued > > a certificate to their server including my domain. But

Certificate Concern about Cloudflare's DNS

2016-09-10 Thread Han Yuwei
I am using Cloudflare's DNS service and I found that Cloudflare has issued a certificate to their server including my domain. But I didn't use any SSL service of theirs. Is that ok to Mozilla's policy? Issued certificate: https://crt.sh/?id=31206531 My domain is BUPT.MOE

Security concern on various domain validating methods

2016-09-07 Thread Han Yuwei
I raise this question because of WoSign's incident about high port validation. Many CAs use email validation, such as sending an email to webmas...@foo.bar, or putting a specific file into the root of the website. What I think is that this cannot validate that the *domain* is yours. It just verified you have the