Re: Google Trust Services Root Inclusion Request

It is unfair that somebody attacked me in the WoSign sanction discussion, but no body say any word for this! Why? Due to Ryan is famous person and I am nobody? Best Regards, Richard Wang On Sep 27, 2018, at 18:24, James Burton mailto:j...@0.me.uk>> wrote: Richard, Your conduct is t

RE: Re: Google Trust Services Root Inclusion Request

，是因为你代表谷歌浏览器，而谷歌浏览器严重影响Mozilla对所有CA有生杀大权。如果你离开谷歌，你将什么也不是，没有人会理会你的存在，也没有人会在意你说的话。所以下次不要在发言之前就声明不代表谷歌，废话哦！ 你的短视把全球互联网安全带到了沟里，认为有SSL证书(https)就安全，许多假冒银行网站、假冒PayPal 网站都有Lets Encrypt证书，谷歌浏览器显示为安全，完全误导了全球互联网用户，导致许多用户上当受骗和财产损失。已加密并不等于安全，安全不仅意味着需要加密，而且还需要告知用户此网站的真实身份，一个假冒银行网站加密有任何意义吗？没有并且更糟糕。

RE: Re: Re: Google Trust Services Root Inclusion Request

tiate WoSign issues email in M.D.S.P in Aug 24, 2016 -- Issue 0 (a.k.a. Issue L: Any Port (Jan - Apr 2015), Mozilla wrote: "This problem was reported to Google, and thence to WoSign and resolved. Mozilla only became aware of it recently.” The FACT is Google Ryan Sleevi sent email to Richard Wang a

RE: Re: Google Trust Services Root Inclusion Request

you for still remembering WoSign. Best Regards, Richard Wang Original message From: Ryan Sleevi via dev-security-policy Received: 2018-09-26 14:48:28 To: Jeremy Rowley Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Google Trust Services Root Inclusion Request

RE: Remove old WoSign root certs from NSS

from NSS On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote: > We released replacement notice in Chinese in our website: > https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm > https://www.wosign.com/news/announcement-about-Google-Action-201

RE: Remove old WoSign root certs from NSS

We released replacement notice in Chinese in our website: https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm And we have

RE: Microsoft to remove WoSign and StartCom certificates in Windows 10

Notice to WoSign customers: This announcement is for WoSign old roots: 1) CN=CA 沃通根证书, O=WoSign CA Limited, C=CN 2) CN=Certification Authority of WoSign, O=WoSign CA Limited, C=CN 3) CN=Certification Authority of WoSign G2, O=WoSign CA Limited, C=CN 4) CN=CA WoSign ECC Root, O=WoSign CA Limited,

RE: StartCom cross-signs disclosed by Certinomis

For adding Richard Wang back to StartCom UK director is for the completion separation, this is a temporally adding as director for signing bank document to change the bank signer person from Richard Wang to New CEO Inigo. It will be removed soon once the bank signer change is done. Mr. Jon Luk

RE: WoSign new system passed Cure 53 system security audit

Hi Peter, Thanks for your guesses. Buy no those issues in our system. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Friday, July 14, 2017 8:55 AM To: Richard Wang <rich...@wosign.com> Cc: r...@sleevi.com; Jonathan Rudenberg

Re: WoSign new system passed Cure 53 system security audit

in #1 cannot pass #4. That's why working with an auditor to do a readiness assessment in conjunction with or before the security assessment can help ensure you can meet the BRs, and then ensure you can meet them securely. On Thu, Jul 13, 2017 at 11:04 AM, Richard Wang <rich...@wosign.

Re: WoSign new system passed Cure 53 system security audit

y trusted CA. On Wed, Jul 12, 2017 at 10:24 PM, Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> wrote: Hi Ryan, We got confirmation from Cure 53 that new system passed the full security audit. Please contact Cure 53 directly to verify this, thanks. We don't start the BR

Re: WoSign new system passed Cure 53 system security audit

;> wrote: On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> wrote: Hi all, Your reported BR issues is from StartCom, not WoSign, we don't use the new system to issue any certificate now since the new root is not generated. PLEASE DO N

Re: WoSign new system passed Cure 53 system security audit

olicy <dev-security-policy@lists.mozilla.org> wrote: >>> >>>> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: >>>> >>>> Please note this email topic is just for releasing the news that WoSign >> new system passed the security au

RE: WoSign new system passed Cure 53 system security audit

, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote: > " 5. Provide auditor[3] attestation that a full security audit of the CA’s > issuing infrastructure has been successfully completed. " > " [3] The auditor must be an external company, and approved by Mozilla. " What

RE: WoSign new system passed Cure 53 system security audit

it very well -- PASS the full security audit. And Richard Wang leading the RD team have done a good job for the new system development and passed the security audit. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign..

RE: WoSign new system passed Cure 53 system security audit

The important thing is by the board of directors, the Company Legal Representative is changed to Mr. Shi Xiaohong, VP of 360. The daily operation thing is by COO. Best Regards, Richard From: Eric Mill [mailto:e...@konklone.com] Sent: Monday, July 10, 2017 10:12 AM To: Richard Wang

RE: WoSign new system passed Cure 53 system security audit

of the document, what is Richard Wang current official responsibility of Mr. Wang at WoSign? According to the incident report, release on October 2016 [1], Mr. Wang was suppose to be relieved of his duties as CEO, this is mentioned in 3 separate paragraphs (P.17,P.25,P.26). Links: 1. https

RE: Symantec Conclusions and Next Steps

From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, April 27, 2017 8:38 PM To: Richard Wang <rich...@wosign.com> Cc: Steve Medin <steve_me...@symantec.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Symantec Conclusions and Next Steps Hi Richard, On

RE: Symantec Conclusions and Next Steps

I like to share the experience we suffered from distrust, it is disastrous for CA and its customers to replace the certificate that exceed your imagination that we are still working for this since October 2016 that nearly six months now. Due to the quantity of Symantec customers is more than

RE: Criticism of Google Re: Google Trust Services roots

Qihoo 360 CSO Mr. Tan updated this in the recent CAB Forum meeting in USA : CEO of WoSign is NA, Richard Wang is the COO. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of urijah

RE: Criticism of Google Re: Google Trust Services roots

To be transparent, WoSign are NOT "acquiring the HARICA root" that we NEVER contact HARICA, and we don't think our brand is "tarnishing", we are working hard to try to regain the trust and confidence in this community. Best Regards, Richard -Original Message- From:

RE: Google Trust Services roots

- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Friday, March 10, 2017 2:16 PM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Google Trust Services roots O

Re: Google Trust Services roots

Clear, thanks. Best Regards, Richard > On 9 Mar 2017, at 22:05, Gervase Markham via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > >> On 09/03/17 12:38, Richard Wang wrote: >> As my understanding, if WoSign buy an trusted EV enabled ro

Re: Google Trust Services roots

ase Markham <g...@mozilla.org> wrote: > >> On 09/03/17 02:15, Richard Wang wrote: >> So the policy can make clear that the root key transfer can't >> transfer the EV OID, the receiver must use its own EV policy OID for >> its EV SSL, the receiver can't use the trans

RE: Google Trust Services roots

...@gmail.com] Sent: Thursday, March 9, 2017 1:11 PM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Google Trust Services roots Richard, I'm afraid a few things are con

RE: Google Trust Services roots

, not by Symantec. Best Regards, Richard From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, March 9, 2017 12:21 PM To: Gervase Markham <g...@mozilla.org>; Richard Wang <rich...@wosign.com>; Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org S

RE: Google Trust Services roots

this EV OID for its own EV SSL, Google must use its own EV OID for its EV SSL. So, no EV OID transfer issue for root key transfer. Best Regards, Richard From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, March 9, 2017 11:14 AM To: Gervase Markham <g...@mozilla.org>;

RE: Google Trust Services roots

As I understand, the EV SSL have two policy OID, one is the CABF EV OID, another one is the CA's EV OID, so the root key transfer doesn't have the EV OID transfer case, CA can't transfer its own EV OID to other CA exception the CA is full acquired. So the policy can make clear that the root

Re: 360 team hacks Chrome

Sorry, I posted an old news that I just saw it. Please ignore it. Best Regards, Richard > On 6 Mar 2017, at 21:45, Richard Wang via dev-security-policy > <dev-security-policy@lists.mozilla.org> wrote: > > Pwn2Own 2016: Chinese Researcher Hacks Google Chrome within

360 team hacks Chrome

Pwn2Own 2016: Chinese Researcher Hacks Google Chrome within 11 minutes http://www.prnewswire.com/news-releases/pwn2own-2016-chinese-researcher-hacks-google-chrome-within-11-minutes-300237705.html Best Regards, Richard ___ dev-security-policy mailing

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

Palmer via dev-security-policy Sent: Friday, February 24, 2017 10:35 AM To: dev-security-policy@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist On Fri, Feb 24, 2017 at 01:12:38AM +, Richard Wang via dev-security-policy wrote: > I

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

] On Behalf Of Gervase Markham via dev-security-policy Sent: Friday, February 24, 2017 2:13 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Let's Encrypt appears to issue a certificate for a domain that doesn't exist On 22/02/17 17:08, Richard Wang wrote: > I think "apple-

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

nt: Thursday, February 23, 2017 11:53 AM To: Richard Wang <rich...@wosign.com> Cc: r...@sleevi.com; mozilla-dev-security-pol...@lists.mozilla.org; Tony Zhaocheng Tan <t...@tonytan.io>; Gervase Markham <g...@mozilla.org> Subject: Re: Let's Encrypt appears to issue a certificate for a d

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

that such requests are properly verified under these Requirements.” Please clarify this request, thanks. Best Regards, Richard From: Ryan Sleevi [mailto:r...@sleevi.com] Sent: Thursday, February 23, 2017 11:21 AM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mo

RE: Let's Encrypt appears to issue a certificate for a domain that doesn't exist

I think "apple-id-2.com" is a high risk domain that must be blocked to issue DV SSL to those domains. Here is the list of some high risk domains related to Microsoft and Google that Let's Encrypt issued DV SSL certificates to those domains: https://crt.sh/?id=77034583 for

Re: SHA-1 serverAuth cert issued by Trustis in November 2016

Check the SSL Labs test: https://www.ssllabs.com/ssltest/analyze.html?d=hmrcset.trustis.com, rate F that even enabled SSL v2. Best Regards, Richard On 16 Feb 2017, at 19:04, Nick Lamb via dev-security-policy

RE: Public disclosure of root ownership transfers (was: Re: Google Trust Services roots)

I think Mozilla should have a very clear policy for: (1) If a company that not a public trusted CA acquired a trusted root key, what the company must do? (2) If a company is a public trusted CA that acquired a trusted root key, what the company must do? (3) If a company is a public trusted CA,

RE: Google Trust Services roots

I can't see this sentence " I highlight this because we (the community) see the occasional remark like this; most commonly, it's directed at organizations in particular countries, on the basis that we shouldn't trust "them" because they're in one of "those countries". However, the Mozilla

RE: Incident Report – Certificates issued without proper domain validation

The nest.com certificate subject is: CN = www.nest.com O = Google Inc L = Mountain View S = California C = US This means this website owned by Google Inc. Right? Best Regards, Richard -Original Message- From: dev-security-policy

RE: wosign and letsencrypt.cn / letsencrypt.com.cn

In this case, no any CA named as letsencrypt similar name, and no any CA want to impersonate, most CA program require the root CA have a unique friendly name in the CA program. Best Regards, Richard -Original Message- From: dev-security-policy

RE: wosign and letsencrypt.cn / letsencrypt.com.cn

interaction about it and we're happy to hear that Richard would like to help us out by transferring the domains. Thanks Richard, I'll be in touch. On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote: > I wish everyone can talk about this case friendly and equally. > > I

RE: wosign and letsencrypt.cn / letsencrypt.com.cn

I wish everyone can talk about this case friendly and equally. It is very common that everyone can register any domain based on the first come and first service rule. We know Let's Encrypt is released after the public announcement, but two day later, its .cn domain is still not registered, I

RE: CA Public Key Material

You are right, you have done the test same as my test, this don't mean you own our intermediate CA root key. For CSR, yes, our system doesn't validate the CSR self-signature. We think it is better to validate it, so we will update our system to validate it soon. For this test certificate

RE: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

or disable it at one channel but not another channel, which ultimately has the same security if WoSign is doing the validation. On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote: > As I said, we have the right to keep it or close it at any time. > > > Bes

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

As I said, we have the right to keep it or close it at any time. Best Regards, Richard > On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote: > >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote: >> Our promise is close the free SS

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

Our promise is close the free SSL application in our own website: buy.wosign.com. And now we closed it in our PKI side. Best Regards, Richard > On 9 Dec 2016, at 04:17, Gervase Markham <g...@mozilla.org> wrote: > >> On 05/12/16 13:41, Richard Wang wrote: >> We checke

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

As I said before, you finished the domain validation. This is DV SSL that no need to do the manual validation. Best Regards, Richard > On 10 Dec 2016, at 09:33, "zbw...@gmail.com" wrote: > > 在 2016年12月6日星期二 UTC+8上午6:50:04，Percy写道： >> lslqtz, >> How did you obtain this

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

s will be issued, via wosign, resellers, no any other > method? > >> On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote: >> We checked our system, this order is from one of the reseller. We have many >> resellers that used the API, we noticed all reselle

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

We checked our system, this order is from one of the reseller. We have many resellers that used the API, we noticed all resellers to close the free SSL, but they need some time to update the system. The most important thing is this certificate is issued by proper way that this subscriber

RE: WoSign has new roots?

This is a common way for all CAs that issued many intermediate CAs for its resellers. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Ryan Sleevi Sent: Wednesday, November 23,

RE: WoSign has new roots?

Hi all, This is the OEM certificate from Certum, Certum own and control everything with its own validation, you can check the test site: https://ovpretest.wosign.com that its CPS/CRL/OCSP/OID all belong to Certum. I don't think WoSign can't be a reseller of other CA. Thanks. Best Regards,

Re: Apple's response to the WoSign incidents

I said many times that I am the Acting CEO of Wo sign now till the new CEO arrives. Even I am not the CEO instead of an employee, I think I can response the email about WoSign that just tell everyone the fact, not representing the company making any new decision. Please check my previous

Re: Apple's response to the WoSign incidents

WoSign stopped to issue free SSL certificate from those two intermediate CAs since Sept 29. Best Regards, Richard > On 13 Nov 2016, at 17:07, Percy wrote: > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > even though Apple limited

RE: Remediation Plan for WoSign and StartCom

: Monday, October 24, 2016 12:05 PM To: Richard Wang <rich...@wosign.com> Cc: Kathleen Wilson <kwil...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remediation Plan for WoSign and StartCom Hi Richard, A few questions - 1) Your post says "Ther

RE: Remediation Plan for WoSign and StartCom

Hi Kathleen, WoSign released the news today since I just came back from USA CABF meeting. http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in Chinese) https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm (in English) Best Regards,

RE: WoSign and StartCom: next steps

Hi Gerv, This is the updated incident report: https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf . Thanks. Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of

RE: Comodo issued a certificate for an extension

I think I know the reason; this may be helpful for your investigation. This is a code bug from CA issuing system that the engineer mis-understand the free additional domain added rule. System treat the "www" as a subdomain, most case it is, but in this case, it is top domain. Subscriber

Fwd: [cabfpub] Public disclosure of 68 GlobalSign SSL certificates issued without EKU or KU

This is the recent incident from GlobalSign. Please notice WoSign incident is occurred in 2015 for free DV SSL, not OV or EV. Best Regards, Richard Begin forwarded message: From: Doug Beattie > Date: September 21, 2016 at

RE: Comodo issued a certificate for an extension

First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full transparency, I am sure not WoSign mis-issued certificate

RE: Comodo issued a certificate for an extension

First, I must make declaration that I don't know "Showfom", and I don't know if he/she is a WoSign customer. As I said in my final statement that I wish all Mozilla trusted CA can post their issued certificate to CT log server for full trenchancy, I am sure not WoSign mis-issued certificate,

RE: Incidents involving the CA WoSign

Hi Gerv, Please check this news (Feb 25th 2015) in OSCCA website: http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA finished the PKI/CA system upgrade that all licensed CA MUST be able to issue SM2 certificate to subscribers. As I said in last year CABF face to face

RE: Incidents involving the CA WoSign

of the two released reports. Please let me if you have any questions about this statement, thanks. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard

RE: WoSign and StartCom audit reports

Thanks for your hard work. I wish you can finish check for all other CA's report ASAP. For WoSign, the report covered all 4 roots, not 3 roots. For StartCom, Eddy can say something about it, StartCom is 1000% independent for everything at 2015. Best Regards, Richard -Original

OpenSSL OCSP serious vulnerability

OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304) http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0 Best Regards, Richard ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

RE: Incidents involving the CA WoSign

Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40 minutes. Best Regards, Richard -Original Message- From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Richard Wang Sent: Thursday, September 22, 2016

RE: Incidents involving the CA WoSign

server that need to resign after the internet connection is ok. For normal case, it is OK, good. Thanks. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 22, 2016 12:32 PM To: Richard Wang <rich...@wosign.com> Cc: G

RE: Incidents involving the CA WoSign

> Are you saying out of over 40,000 orders over the last year, only six > "stopped to move forward" for a period of a week or more and these happen to > all have been ordered on Sunday, December 20, 2015 (China time)? You mean we issued 40,000 certificates at Dec 20, 2015? Here is the last two

RE: Incidents involving the CA WoSign

day) is Dec. 20th for a free DV SSL certificate that take so long time. I wish I said this clearly, thanks. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Thursday, September 22, 2016 11:38 AM To: Richard Wang <rich...@wosign.com&

Sanctions short of distrust

But you can use OCSP Stapling in your web server. We don’t worry about most China online banking system and many ecommerce website using the foreign CA certificate, what do you worry about? As I said, we used Akamai CDN service that all hits will go to Akamai Edge servers first. Best Regar

Re: Incidents involving the CA WoSign

-09-21 16:26, Richard Wang wrote: R: You can place order there and don't do the domain validation, 4 months later, you finished the domain control validation, then issue the certificate. Please try it by yourself here: https://buy.wosign.com/free/ So the date in the certificate is from when the orde

RE: Incidents involving the CA WoSign

...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Hi Richard, Thanks for the additional information. On 21/09/16 11:11, Richard Wang wrote: > Some SHA-1 certificate is free SSL certificate that no any reason for > us to help them get the SHA-1 certificate if we are inten

RE: Incidents involving the CA WoSign

See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>> Subject: Re: Incidents involving the CA

RE: Incidents involving the CA WoSign

See below inline, thanks. Best Regards, Richard -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Tuesday, September 20, 2016 7:37 PM To: Richard Wang <mailto:rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign Hi Richard, On 16/09/16

RE: Incidents involving the CA WoSign

to do any comment. Sorry. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Tuesday, September 20, 2016 10:18 AM To: Richard Wang <rich...@wosign.com> Cc: Nick Lamb <tialara...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org

RE: Incidents involving the CA WoSign

Lamb Sent: Tuesday, September 20, 2016 9:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote: > This case is WoSign problem, you found out all related subordinate companies > a

RE: Incidents involving the CA WoSign

r Bowen [mailto:pzbo...@gmail.com] Sent: Monday, September 19, 2016 10:31 PM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, I'm still somewhat confuse

RE: Incidents involving the CA WoSign

@lists.mozilla.org] On Behalf Of Richard Wang Sent: Friday, September 16, 2016 6:05 PM To: Gervase Markham <g...@mozilla.org> Cc: mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Hi Gerv, This is the final report: https://www.wosign.com/

Re: Incidents involving the CA WoSign

Thank you very much for helping us. For SM2 algorithm, this is out of this thread, I can discuss with you off list. Regards, Richard > On Sep 16, 2016, at 22:32, Vincent Lynch <vtly...@gmail.com> wrote: > >> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang

Re: Incidents involving the CA WoSign

Please read the report carefully that it is NOT the validation system is hijacked. Regards, Richard > On Sep 16, 2016, at 21:31, Han Yuwei <hanyuwe...@gmail.com> wrote: > > 在 2016年9月16日星期五 UTC+8下午6:07:56，Richard Wang写道： >> Hi Gerv, >> >> This is the final r

RE: Incidents involving the CA WoSign

Hi Gerv, This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf Please let me if you have any questions about the report, thanks. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: Gervase Markham Sent: Wednesday

RE: Sanctions short of distrust

Please don't mix StartCom with WoSign case, StartCom is 100% independent at 2015. Even now, it still independent in the system, in the validation team and management team, we share the CRL/OCSP distribution resource only. Best Regards, Richard -Original Message- From:

Re: Incidents involving the CA WoSign

Hi all, We will publish a more comprehensive report in the next several days that will attempt to cover most / all issues. Thanks for your patience. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote: > > Hi Richard, > >> On 07/0

Re: WoSign’s Ownership of StartCom

“StartCom CA Ltd” in the UK are listed as being > owned by "StartCom CA Ltd".[2] This seems circular, but our > understanding is it actually refers to StartCom HK, which has the same > name. StartCom UK is documented as having two directors. One is Gaohua > (Richard) Wang, who will

Re: Incidents involving the CA WoSign

nbingb...@gmail.com> wrote: > > 在 2016年9月7日星期三 UTC+8下午6:08:33，Richard Wang写道： >> Hi Gerv, Kathleen and Richard, >> >> This discuss has been lasting two weeks, I think it is time to end it, it >> doesn’t worth to waste everybody’s precious time. >> I make my confessio

Re: Incidents involving the CA WoSign

>> On 2016-09-07 13:00, Gervase Markham wrote: >> Hi Richard, >> >>> On 07/09/16 11:06, Richard Wang wrote: >>> This discuss has been lasting two weeks, I think it is time to end >>> it, it doesn’t worth to waste everybody’s precious time. >> &g

Re: Incidents involving the CA WoSign

Got it, thanks. We will reply to you soon. By the way, the link you used in the page to our report is not correct. Regards, Richard > On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote: > > Hi Richard, > >> On 07/09/16 11:06, Richard Wang wrote: >>

RE: Incidents involving the CA WoSign

once it is about to expire at every three years for OV SSL. I wish Mozilla could accept my suggestion, and I am sure WoSign will do it better after getting this so big lesson. Thank you. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: dev-security-policy

RE: Incidents involving the CA WoSign

Thanks for your comment. For Github case: 1. what happened: issued the certificate that included un-validated domain, and found out this mistake in the next day review, and revoked this certificate. 2. why this happened: this is bug as you described, and due to many orders need to review

RE: Incidents involving the CA WoSign

uiry email. Some question will be replied in the second report. Best Regards, Richard -Original Message- From: Kurt Roeckx [mailto:k...@roeckx.be] Sent: Monday, September 5, 2016 1:34 AM To: Richard Wang <rich...@wosign.com> Cc: Gervase Markham <g...@mozilla.org>; mo

RE: Incidents involving the CA WoSign

report for another incident X soon. Best Regards, Richard Wang CEO WoSign CA Limited -Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Wednesday, August 24, 2016 9:08 PM To: mozilla-dev-security-pol...@lists.mozilla.org Cc: Richard Wang <rich...@wosign.

Re: Incidents involving the CA WoSign

It is posted, just Peter not find it that I told him the Log id. We are also checking system again to double check if we missed some. Please be patient for our full 20 pages report, thanks, Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat,

Re: Incidents involving the CA WoSign

on the browser algorithm support. Regards, Richard > On 4 Sep 2016, at 12:49, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi <r...@sleevi.com> wrote: >>> On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >>

RE: Incidents involving the CA WoSign

: Sunday, September 4, 2016 5:19 AM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you also please check the following two certificates? It looks like they

Re: Incidents involving the CA WoSign

From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. BTW, as I said that the two related pages in our website are deleted. Regards, Richard > On 3 Sep 2016, at 02:16, Percy wrote: > >> On Friday,

Re: Incidents involving the CA WoSign

We will check this tomorrow. Now our time is 23:32 at night. Regards, Richard > On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote: >> Yes, we posted all 2015 issue

Re: Incidents involving the CA WoSign

Yes, we plan to post to one of the Google log server tommorrow. Regards, Richard > On 2 Sep 2016, at 22:54, Peter Bowen <pzbo...@gmail.com> wrote: > >> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang <rich...@wosign.com> wrote: >> We finished the CT posting, a

RE: Incidents involving the CA WoSign

-Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign > And, as others have pointed out in th

RE: Incidents involving the CA WoSign

@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Friday, September 2, 2016 4:51 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthin

RE: Incidents involving the CA WoSign

@lists.mozilla.org] On Behalf Of Percy Sent: Friday, September 2, 2016 2:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thursday, September 1, 2016 at 11:01:08 PM UTC-7, Richard Wang wrote: > OK I try to say some that I wish I do

RE: Incidents involving the CA WoSign

<vtly...@gmail.com> writes: >I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) >should make a statement about this. +1. I'd already asked for something like this earlier and got silence +as a response, which isn't inspiring

  1   2   >