Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Myers, Kenneth (10421)
m <g...@mozilla.org> Cc: Richard Wang <rich...@wosign.com>, "mozilla-dev-security-pol...@lists.mozilla.org" <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: [FORGED] Re: Incidents involving the CA WoSign Message-ID: <1473170991071.38...@

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 16:10, Peter Gutmann wrote: Peter Bowen writes: In addition to the direct impact, I note that WoSign is the subject of cross- signatures from a number of other CAs that chain back to roots in the Mozilla program (or were in the program). This is incredible,

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
On 06/09/16 15:10, Peter Gutmann wrote: > Why would a public CA even need cross-certification from other CAs? To inherit trust on legacy platforms that don't have an automatic root update mechanism. -- Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online

Re: Incidents involving the CA WoSign

2016-09-06 Thread Jakob Bohm
On 06/09/2016 15:58, Peter Gutmann wrote: Matt Palmer writes: Out of curiosity, is anyone keeping a tally of the number of times WoSign has said, "yep, they're all logged now", only to have more unlogged certificates turn up? This is starting to feel like a bit of a

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Peter Bowen writes: >In addition to the direct impact, I note that WoSign is the subject of cross- >signatures from a number of other CAs that chain back to roots in the Mozilla >program (or were in the program). This is incredible, it's like a hydra. Do the BRs say anything

Re: Incidents involving the CA WoSign

2016-09-06 Thread Peter Gutmann
Matt Palmer writes: >Out of curiosity, is anyone keeping a tally of the number of times WoSign has >said, "yep, they're all logged now", only to have more unlogged certificates >turn up? This is starting to feel like a bit of a repeat of DigiNotar, We apologise for the

Re: Incidents involving the CA WoSign

2016-09-06 Thread Rob Stradling
Hi Peter. Since you mentioned Comodo's cross-certification of the "Certification Authority of WoSign" root, we thought we should respond... On 05/09/16 23:58, Peter Bowen wrote: > Cross issued to /C=CN/O=WoSign CA Limited/CN=Certification Authority > of WoSign by /C=US/ST=UT/L=Salt Lake

RE: Incidents involving the CA WoSign

2016-09-06 Thread Richard Wang
y, September 6, 2016 4:56 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On 2016-09-05 22:37, Percy wrote: > In page 11, you mentioned that "System blocked many illegal request every > day, the following screen shot is the reject order

Re: Incidents involving the CA WoSign

2016-09-06 Thread Kurt Roeckx
On 2016-09-05 22:37, Percy wrote: In page 11, you mentioned that "System blocked many illegal request every day, the following screen shot is the reject order log", in which you attached a log with Google, Microsoft, QQ domains. Those domains are rejected because of the top domain whitelist.

Re: Incidents involving the CA WoSign

2016-09-06 Thread Gervase Markham
On 06/09/16 07:20, Henri Sivonen wrote: > In the table on page 13, line 6 looks different from the others. > Should that line be in the table on page 14 instead? Also line 2? Gerv ___ dev-security-policy mailing list

Re: Incidents involving the CA WoSign

2016-09-06 Thread Henri Sivonen
On Sun, Sep 4, 2016 at 12:49 PM, Richard Wang wrote: > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me if you still have any questions, >

RE: Incidents involving the CA WoSign

2016-09-05 Thread Richard Wang
zilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_repor

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Monday, September 5, 2016 at 3:58:34 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > > Several incidents have come to our attention involving the CA "WoSign". > > Mozilla is considering what action it should take in response to these >

Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Bowen
On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > Several incidents have come to our attention involving the CA "WoSign". > Mozilla is considering what action it should take in response to these > incidents. This email sets out our understanding of the situation. > >

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Friday, August 26, 2016 at 12:57:56 PM UTC-7, 233sec Team wrote: > Wosign's Issue mechanism is high risking for large enterprise. > This is one prove: > > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
Message- > From: Gervase Markham [mailto:g...@mozilla.org] > Sent: Wednesday, August 24, 2016 9:08 PM > To: mozilla-dev-security-pol...@lists.mozilla.org > Cc: Richard Wang <rich...@wosign.com> > Subject: Incidents involving the CA WoSign > > Dear m.d.s.policy, >

Re: Incidents involving the CA WoSign

2016-09-05 Thread Rob Stradling
On 04/09/16 17:40, Andrew Ayer wrote: > On Sat, 3 Sep 2016 21:50:51 -0700 > Peter Bowen wrote: > >> The log entries for the SM2 certificates are >> https://ctlog.wosign.com/ct/v1/get-entries?start=109239=109240; >> crt.sh doesn't have them. x509lint was segfaulting when

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Peter Gutmann
Eddy Nigg writes: >On 09/04/2016 09:20 AM, Peter Gutmann wrote: >> This is great stuff, it's like watching a rerun of Diginotar > >.says the audience on the backbenches gleefully Well, it doesn't exactly paint the best picture of a competently-run CA, same as

Re: Incidents involving the CA WoSign

2016-09-05 Thread Gervase Markham
Hi Eddy, On 04/09/16 09:51, Eddy Nigg wrote: > On 09/03/2016 11:02 PM, Percy wrote: >> I agree completely that we shouldn't imply fundamental guilt by >> association. However, WoSign threatened legal actions against Itzhak >> Daniel's disclosure compiled purely from public sources. I just want to

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-05 Thread Eddy Nigg
On 09/04/2016 09:20 AM, Peter Gutmann wrote: Peter Bowen writes: It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar .says the audience on the backbenches gleefully but no, what are you

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf In section 2.2 you explain that there is a mail at 9:01 and 9:38, where I

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 02:53:01PM +0200, Kurt Roeckx wrote: > On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > > Hi all, > > > > We finished the investigation and released the incidents report today: > > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > > >

Re: Incidents involving the CA WoSign

2016-09-04 Thread Andrew Ayer
On Sat, 3 Sep 2016 21:50:51 -0700 Peter Bowen wrote: > The log entries for the SM2 certificates are > https://ctlog.wosign.com/ct/v1/get-entries?start=109239=109240; > crt.sh doesn't have them. The matching serial numbers are > https://crt.sh/?id=30613201 and

Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Bowen
On Sat, Sep 3, 2016 at 10:11 PM, Richard Wang wrote: > It is posted, just Peter not find it that I told him the Log id. Richard, Thank you for providing the log ids. I am glad to see these are now logged, but I will point out the log timestamps for these two certificates

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 10:05:11AM +0100, Gijs Kruitbosch wrote: > So if I understand correctly, you've published all certificates issued in > 2015 to CT, and any cert with a notBefore of/after July 5th 2016. Is that > correct? > > > As noted in >

Re: Incidents involving the CA WoSign

2016-09-04 Thread Kurt Roeckx
On Sun, Sep 04, 2016 at 09:49:25AM +, Richard Wang wrote: > Hi all, > > We finished the investigation and released the incidents report today: > https://www.wosign.com/report/wosign_incidents_report_09042016.pdf > > This report has 20 pages, please let me if you still have any questions,

RE: Incidents involving the CA WoSign

2016-09-04 Thread Richard Wang
com> Subject: Incidents involving the CA WoSign Dear m.d.s.policy, Several incidents have come to our attention involving the CA "WoSign". Mozilla is considering what action it should take in response to these incidents. This email sets out our understanding of the situation. Before w

Re: Incidents involving the CA WoSign

2016-09-04 Thread Gijs Kruitbosch
2016. Best Regards, Richard -Original Message- From: Peter Bowen [mailto:pzbo...@gmail.com] Sent: Sunday, September 4, 2016 5:19 AM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incident

Re: Incidents involving the CA WoSign

2016-09-04 Thread Eddy Nigg
On 09/03/2016 11:02 PM, Percy wrote: I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the

RE: [FORGED] Re: Incidents involving the CA WoSign

2016-09-04 Thread Peter Gutmann
Peter Bowen writes: >It was brought to my attention that there is another incident. This is great stuff, it's like watching a rerun of Diginotar. Definitely the best web soap in the last few weeks... Peter. ___

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
It is posted, just Peter not find it that I told him the Log id. We are also checking system again to double check if we missed some. Please be patient for our full 20 pages report, thanks, Regards, Richard > On 4 Sep 2016, at 12:12, Matt Palmer wrote: > >> On Sat,

Re: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
This is another case that we will include it in our report. We issued two test cert using SM2 algorithm that used the same serial number as the RSA cert (same subject) to test if we can setup a gateway that install this two type cert, it can shake hand automatically using different cert based on

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi wrote: > On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: >> Thanks for your so detail instruction. >> Yes, we are improved. The two case is happened in 2015 and the mis-issued >> certificate period is only 5 months that we

Re: Incidents involving the CA WoSign

2016-09-03 Thread Matt Palmer
On Sat, Sep 03, 2016 at 02:18:44PM -0700, Peter Bowen wrote: > Can you also please check the following two certificates? It looks > like they were missed when logging all the 2015 certs. > > https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2 >

RE: Incidents involving the CA WoSign

2016-09-03 Thread Richard Wang
: Sunday, September 4, 2016 5:19 AM To: Richard Wang <rich...@wosign.com> Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign Richard, Can you also please check the following two certificates? It looks like they

Re: Incidents involving the CA WoSign

2016-09-03 Thread Peter Bowen
Richard, Can you also please check the following two certificates? It looks like they were missed when logging all the 2015 certs. https://www.censys.io/certificates/c04748c89de2bf73d56b601cf61db32953dfeca5ef62e0281d326c4ce9035fe2

Re: Incidents involving the CA WoSign

2016-09-03 Thread Ryan Sleevi
Trust me, the disclosure was not buried, and the factual details are being sorted. However, it would be better for the tone and focus of the thread that we make sure to focus on the factual elements, which, as you note, can be publicly obtained easily, than to try to imply there's something

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Ryan, I agree completely that we shouldn't imply fundamental guilt by association. However, WoSign threatened legal actions against Itzhak Daniel's disclosure compiled purely from public sources. I just want to make sure the disclosure was not buried after the content was taken down. Richard, the

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
Andy, are you from the UK office? Can you explain why your office in UK fails to identify even the most obvious mistakes on the StartCom website as outlined in http://www.percya.com/2016/09/startcom-operated-solely-in-china.html ? E.g Start to sell, make big money! Setup your own website, start

Re: Incidents involving the CA WoSign

2016-09-03 Thread Andy Ligg
You are completely wrong! StartCom not only have office in Israel and in China, but also have office in UK, welcome to visit our UK office: T05, Castlemead, Lower Castle Street, Bristol, BS1 3AG, UK. And We will setup office in Bilbao, Spain in this month, Inigo Barreia is the general

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 11:45:21AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > > On 02/09/16 16:21, Peter Bowen wrote: > > > It seems then there is a newly exposed bug. > > >

Re: Incidents involving the CA WoSign

2016-09-03 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:29:45AM +0100, Gervase Markham wrote: > On 02/09/16 16:21, Peter Bowen wrote: > > It seems then there is a newly exposed bug. > > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > > shows a certificate issued by your CA

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 16:21, Peter Bowen wrote: > It seems then there is a newly exposed bug. > https://www.censys.io/certificates/e2665bb07940b5bee73145f47c99dcf5781edbe9d78f9cada8f1d702d5e340ad > shows a certificate issued by your CA that has a notBefore in March > 2015. It does not appear in the CT log.

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand

Re: Incidents involving the CA WoSign

2016-09-03 Thread Gervase Markham
On 02/09/16 18:00, Andrew Ayer wrote: > I don't think relying on the notBefore date is a viable option. > WoSign seems to have such a poor handle on their operations that I > think it would be inevitable that someone would find a certificate in > the wild with a notBefore date in the past that had

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 9:57:24 PM UTC-7, Percy wrote: > Richard, > You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large > )that "WoSign has been oppressed by large American companies over the years > but has been growing steadily over the past 10 years and is now

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Richard, You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large )that "WoSign has been oppressed by large American companies over the years but has been growing steadily over the past 10 years and is now the 8th largest CA in the world". Is EFF one of your so called

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Percy Alpha(PGP ) On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hate WoSign so deeply, we know he > represent which CA, everything is clear now. > Are you f**king

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang wrote: > From the screenshot, we know why Percy hate WoSign so deeply, we know he > represent which CA, everything is clear now. Richard, With all due respect, many of the people who participate in this dev-security-policy group

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. BTW, as I said that the two related pages in our website are deleted. Regards, Richard > On 3 Sep 2016, at 02:16, Percy wrote: > >> On Friday,

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Sat, Sep 03, 2016 at 01:31:39AM +0200, Kurt Roeckx wrote: > On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > > Do you also plan to submit these to at least one Google-operated log? > > > > Did you mean

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 10:27:04AM +, Richard Wang wrote: > (2) What I mean is please think about the current users if any action; 10% > from government website, 6 customers is the top 10 eCommerce website in > China; I'm reminded of a line from an old episode of a rather crass TV show, which

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Sat, Sep 03, 2016 at 09:24:33AM +1000, Matt Palmer wrote: > On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > > Do you also plan to submit these to at least one Google-operated log? > > Did you mean "non-Google-operated log"? I was under the impression that we > didn't want

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 07:55:36AM -0700, Peter Bowen wrote: > Do you also plan to submit these to at least one Google-operated log? Did you mean "non-Google-operated log"? I was under the impression that we didn't want everything being stuffed into just Google logs. - Matt -- I really didn't

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 09:01:47AM +, Richard Wang wrote: > You mean if a Chinese, a Chinese company own a USA CA, then the USA CA become > un-trustworthiness? If the Chinese company or US CA are making legal threats to try and suppress disclosure of the ownership, and the Chinese company is

Re: Incidents involving the CA WoSign

2016-09-02 Thread Erwann Abalea
Le vendredi 2 septembre 2016 19:45:37 UTC+2, Percy a écrit : > Some facts for Mozilla to consider. WoSign Root is never trusted by Apple > https://support.apple.com/en-ca/HT205205 > https://support.apple.com/en-ca/HT205204 > > However, all WoSign leaf certs are trusted on Apple devices

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote: > Hi Richard, > > On 01/09/16 04:04, Richard Wang wrote: > > First, please treat WoSign as a global trusted CA, DON'T stamp as > > China CA. We need a fair treatment as other worldwide CAs that I am > > sure WoSign is not

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Some facts for Mozilla to consider. WoSign Root is never trusted by Apple https://support.apple.com/en-ca/HT205205 https://support.apple.com/en-ca/HT205204 However, all WoSign leaf certs are trusted on Apple devices because WoSign intermediate authority is signed by StartCom.

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 07:27:13PM +0200, Kurt Roeckx wrote: > On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > > 2. A certificate has already been found which they didn't log to CT > > despite their assertion that they had logged all certificates, > > Can you please point to those

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On Fri, Sep 02, 2016 at 10:00:28AM -0700, Andrew Ayer wrote: > 2. A certificate has already been found which they didn't log to CT > despite their assertion that they had logged all certificates, Can you please point to those that weren't logged? Kurt

Re: Incidents involving the CA WoSign

2016-09-02 Thread Andrew Ayer
On Fri, 2 Sep 2016 11:19:18 +0100 Gervase Markham wrote: > On 31/08/16 19:13, Ryan Sleevi wrote: > > A) Remove the CA. Users may manually trust it if they re-add it, > > but it will not be trusted by default. > > > F) Distrust all certs with a notBefore date after date X,

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
We will check this tomorrow. Now our time is 23:32 at night. Regards, Richard > On 2 Sep 2016, at 23:20, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: >> Yes, we posted all 2015 issued SSL from WoSign trusted root. >> >>>

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang wrote: > Yes, we posted all 2015 issued SSL from WoSign trusted root. > > On 2 Sep 2016, at 22:55, Peter Bowen wrote: >> Based on CT logs, I have seen certificates from the CAs below, all of >> which have

Re: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
Yes, we plan to post to one of the Google log server tomorrow. Regards, Richard > On 2 Sep 2016, at 22:54, Peter Bowen wrote: > >> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015 issued SSL certificate is

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
(forgot the list) On Fri, Sep 2, 2016 at 7:55 AM, Peter Bowen wrote: > On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: >> We finished the CT posting, all 2015 issued SSL certificate is posted to >> WoSign CT log server: https://ctlog.wosign.com,

Re: Incidents involving the CA WoSign

2016-09-02 Thread Peter Bowen
On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang wrote: > We finished the CT posting, all 2015 issued SSL certificate is posted to > WoSign CT log server: https://ctlog.wosign.com, total 101,410 certificates. Richard, Based on CT logs, I have seen certificates from the CAs

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
-Original Message- From: Gervase Markham [mailto:g...@mozilla.org] Sent: Friday, September 2, 2016 6:07 PM To: Richard Wang <rich...@wosign.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign > And, as others have pointed out in th

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
On 31/08/16 19:13, Ryan Sleevi wrote: > A) Remove the CA. Users may manually trust it if they re-add it, but it will > not be trusted by default. F) Distrust all certs with a notBefore date after date X, and require the CA to apply for re-inclusion to get the distrust lifted. (I.e. what

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 02/09/16 06:59, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that he must shutdown the site within the > limit time. Every re-distribution the wrong information will heavy > his penalty (including site cache or

Re: Incidents involving the CA WoSign

2016-09-02 Thread Gervase Markham
Hi Richard, On 01/09/16 04:04, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp as > China CA. We need a fair treatment as other worldwide CAs that I am > sure WoSign is not the first CA that have incident and not the > serious one; We are keen to treat WoSign

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Matt Palmer Sent: Friday, September 2, 2016 4:51 PM To: dev-security-policy@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthin

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote: > I think we are out of topic. On the contrary, the trustworthiness of CAs is *entirely* on topic. - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Re: Incidents involving the CA WoSign

2016-09-02 Thread Kurt Roeckx
On 2016-09-02 05:59, Peter Gutmann wrote: Vincent Lynch writes: I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign) should make a statement about this. +1. I'd already asked for something like this earlier and got silence as a response, which isn't

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote: > Please remember this sentence: > Every re-distribution the wrong information will heavy his penalty (including > site cache or mirror site). > > You are harming him! You stated that he was a former employee of

Re: Incidents involving the CA WoSign

2016-09-02 Thread Matt Palmer
On Fri, Sep 02, 2016 at 05:59:19AM +, Richard Wang wrote: > 1. Eddy told me that this guy is the former employee of StartCom, he > violates the signed NDA that he must shutdown the site within the limit > time. Every re-distribution the wrong information will heavy his penalty > (including

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
@lists.mozilla.org] On Behalf Of Percy Sent: Friday, September 2, 2016 2:23 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Thursday, September 1, 2016 at 11:01:08 PM UTC-7, Richard Wang wrote: > OK I try to say some that I wish I do

RE: Incidents involving the CA WoSign

2016-09-02 Thread Richard Wang
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Peter Gutmann Sent: Friday, September 2, 2016 11:59 AM To: Vincent Lynch <vtly...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: RE: Incidents involving the CA WoSign Vincent Lynch

RE: Incidents involving the CA WoSign

2016-09-01 Thread Richard Wang
security-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wed, Aug 31, 2016 at 8:04 PM, Richard Wang <rich...@wosign.com> wrote: > (1) WoSign totally issued 100K SSL certificates in 2015 that we are > posting to CT log server (not 115K, Sorry, I used the wrong sea

Re: Incidents involving the CA WoSign

2016-09-01 Thread Percy
They have confirmed that it's a fake cert. Alibaba knew this prior to my contact and said they already contacted WoSign. Percy Alpha(PGP ) On Wed, Aug 31, 2016 at 3:15 AM, Gervase Markham wrote: > On 29/08/16

Re: Incidents involving the CA WoSign

2016-09-01 Thread Andrew Ayer
On Thu, 1 Sep 2016 09:00:38 -0700 "Ryan Sleevi" wrote: > Incident -2: 16 January 2015 - 5 March 2015 - 1,132 BR-violating SHA-1 > certificates ( https://cert.webtrust.org/SealFile?seal=2019=pdf ) This was a violation of a "SHOULD NOT" (not a "MUST NOT") issue SHA-1 certificates

Re: Incidents involving the CA WoSign

2016-09-01 Thread Ryan Sleevi
On Wed, August 31, 2016 10:09 pm, Richard Wang wrote: > Thanks for your so detail instruction. > Yes, we are improved. The two case is happened in 2015 and the mis-issued > certificate period is only 5 months that we fixed 3 big bugs during the 5 > months. > For CT, we will improve the

Re: Incidents involving the CA WoSign

2016-09-01 Thread Vincent Lynch
This may be getting a bit ahead of the discussion, but... The exact relationship between WoSign and StartCom seems relevant to how these violations should be handled. Whether browsers decide to distrust WoSign, require CTs for all/future certs, take some other "probationary" decision, or do

Re: Incidents involving the CA WoSign

2016-09-01 Thread keycurves
> It is clear to us, and appears to be clear to > other CAs based on their actions, that misissuances where domain control > checks have failed fall into the category of "serious security concern". > ... > * It seems clear from publicly available information that StartCom's > issuance systems are

Re: Incidents involving the CA WoSign

2016-09-01 Thread Ryan Sleevi
On Thursday, September 1, 2016 at 5:30:28 AM UTC-7, Erwann Abalea wrote: > The whitelist for EV logged before 01/01/15 contained around 180k > certificates, each one identified by a 64bits digest, the list was compressed > in order to gain 25%, the result was an object slightly larger than 1MB.

Re: Incidents involving the CA WoSign

2016-09-01 Thread Erwann Abalea
Bonjour, Le jeudi 1 septembre 2016 09:27:11 UTC+2, Ryan Sleevi a écrit : > On Wednesday, August 31, 2016 at 11:03:11 PM UTC-7, Percy wrote: [...] > > Or we can use an offline whitelist. How about include SHA-2 of existing > > WoSign certificates in the binary? So the browser would first check

Re: Incidents involving the CA WoSign

2016-09-01 Thread Kurt Roeckx
On 2016-08-31 20:13, Ryan Sleevi wrote: Setting aside for a second whether or not distrusting is the right action, let's think about what possible responses. A) Remove the CA. Users may manually trust it if they re-add it, but it will not be trusted by default. B) Actively distrust the CA.

Re: Incidents involving the CA WoSign

2016-09-01 Thread Ryan Sleevi
On Wednesday, August 31, 2016 at 11:03:11 PM UTC-7, Percy wrote: > Indeed, WoSign has become too big to fail. I would suggest that the decision > whether to remove WoSign should be independent of whether it's practical to > implement such removal. Otherwise, larger CA basically gained "natural

Re: Incidents involving the CA WoSign

2016-08-31 Thread Ryan Sleevi
On Wednesday, August 31, 2016 at 8:05:57 PM UTC-7, Richard Wang wrote: > First, please treat WoSign as a global trusted CA, DON'T stamp as China CA. > We need a fair treatment as other worldwide CAs that I am sure WoSign is not > the first CA that have incident and not the serious one; I would

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
curity-pol...@lists.mozilla.org Subject: Re: Incidents involving the CA WoSign On Wednesday, August 31, 2016 at 10:07:19 AM UTC-7, watso...@gmail.com wrote: > Dear Richard, > > It's clear WoSign has continuing compliance issues with CA/Browser forum > rules, and has repeatedly failed to cor

Re: Incidents involving the CA WoSign

2016-08-31 Thread Ryan Sleevi
On Wednesday, August 31, 2016 at 10:07:19 AM UTC-7, watso...@gmail.com wrote: > Dear Richard, > > It's clear WoSign has continuing compliance issues with CA/Browser forum > rules, and has repeatedly failed to correct them. Furthermore there has been > lots of questions about what it would take

Re: Incidents involving the CA WoSign

2016-08-31 Thread watsonbladd
ozilla.org> > Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang > <rich...@wosign.com> > Subject: Re: Incidents involving the CA WoSign > > On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote: > > Dear m.d.s.policy, > > >

Re: Incidents involving the CA WoSign

2016-08-31 Thread jozef . izso
As an admin I want to check the WoSign Issuer Policy provided by their "WoSign CA Free SSL Certificate G2" certificate. Issuer Policy is linked to http://www.wosign.com/policy/ This page shows the source code instead of actual policy. <% Dim strAcceptLanguage

Re: Incidents involving the CA WoSign

2016-08-31 Thread Gervase Markham
On 24/08/16 14:08, Gervase Markham wrote: > * The issuance of certificates using SHA-1 has been banned by the > Baseline Requirements since January 1st, 2016. Browsers, including > Firefox, planned to enforce this[2] by not trusting certs with a > notBefore date after that date, but in the case of

RE: Incidents involving the CA WoSign

2016-08-31 Thread Richard Wang
ly, if not, please forgive my bad English, and > please contact me if you still have any question, thanks a million. > > > Best Regards, > > Richard Wang > CEO > WoSign CA Limited > > -Original Message- > From: Gervase Markham [mailto:g...@mozilla.or

Re: Incidents involving the CA WoSign

2016-08-31 Thread sam
To the policymakers at Mozilla, my name is Samuel Pinder. I consider myself an computer network analyst and have a degree in Web Systems Development. I also host a small number of websites on a technical level. I have used Startcom's services for a number of years. I only recently came across

Re: Incidents involving the CA WoSign

2016-08-31 Thread Gervase Markham
On 29/08/16 22:53, Percy wrote: > Gerv, I've notified the security team in Alibaba about this possible fake > cert and ask them to confirm that they have not applied a cert. > It's unlikely that Alibaba will use a free cert from WoSign. As a commercial > site, they usually use Verisign or

RE: Incidents involving the CA WoSign

2016-08-31 Thread Peter Gutmann
itk98...@gmail.com writes: >Wosign indirectly bought StartSSL, https://www.letsphish.org Has there been any independent investigation into this? We know that CAs are bought and sold like baseball trading cards, but it's usually done publicly and freely acknowledged, whereas

Re: Incidents involving the CA WoSign

2016-08-31 Thread Percy
On Tuesday, August 30, 2016 at 7:47:43 PM UTC-7, itk9...@gmail.com wrote: > Wosign indirectly bought StartSSL, https://www.letsphish.org Ha! It makes so much sense now why StartEncrypt is such a catastrophe(https://www.google.com/search?q=StartEncrypt). I've revoked all StarCom certs in my OS.

RE: Incidents involving the CA WoSign

2016-08-30 Thread Richard Wang
ty-pol...@lists.mozilla.org; Richard Wang <rich...@wosign.com> Subject: Re: Incidents involving the CA WoSign On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote: > Dear m.d.s.policy, > > Several incidents have come to our attention involving

Re: Incidents involving the CA WoSign

2016-08-30 Thread itk98 . il
Wosign indirectly bought StartSSL, https://www.letsphish.org On Monday, August 29, 2016 at 11:27:59 AM UTC+3, Gervase Markham wrote: > If WoSign are hosting StartCom's infra, it still leaves open the > question of why StartCom are deploying code that WoSign are no longer > using, and haven't
