Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
> not doing verification? Could you say more about that?
> And how do you know there is a manual audit about this?

I issued a certificate even if it is free, but still passed the audit, follow-up notice to my mailbox, I know the reason for the manual audit is because the email notification to me.

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Wednesday, December 14, 2016 at 8:29:24 PM UTC-8, zbw...@gmail.com wrote:
> On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote:
> > lslqtz,
> > Could you host a subdomain say wosign.loliwiki.org with this cert? So we
> > can test the blocking is functioning correctly.
>
> I was pulled into the black list.

What do you mean? Are you the original poster?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote:
> lslqtz,
> Could you host a subdomain say wosign.loliwiki.org with this cert? So we can
> test the blocking is functioning correctly.

I was pulled into the black list.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
lslqtz,
Could you host a subdomain say wosign.loliwiki.org with this cert? So we can test the blocking is functioning correctly.
RE: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
Thanks for your advice. As I said, we closed it completely in PKI side.

Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Percy
Sent: Tuesday, December 13, 2016 3:40 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

If you made a promise to close it "due to some security consideration", then you don't have the right to just enable and disable it at will, or disable it at one channel but not another channel, which ultimately has the same security if WoSign is doing the validation.

On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Best Regards,
>
> Richard
>
> > On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote:
> >
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is close the free SSL application in our own website:
> >> buy.wosign.com.
> >>
> >> And now we closed it in our PKI side.
> >>
> >>
> >> Best Regards,
> >>
> >> Richard
> >>
> >>>> On 9 Dec 2016, at 04:17, Gervase Markham <g...@mozilla.org> wrote:
> >>>>
> >>>> On 05/12/16 13:41, Richard Wang wrote:
> >>>> We checked our system, this order is from one of the reseller. We
> >>>> have many resellers that used the API, we noticed all resellers
> >>>> to close the free SSL, but they need some time to update the system.
> >>>
> >>> More than two months?
> >>>
> >>> Has this reseller given a timeline by which they expect to have
> >>> ceased to use the API?
> >>>
> >>>> The
> >>>> most important thing is this certificate is issued by proper way
> >>>> that this subscriber finished the domain validation, so this is
> >>>> not a mis-issuance, not "deceiving".
> >>>
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said
> >>> that we no longer trust them. Of course, I don't know what
> >>> commitments WoSign has made to other root stores. And indeed,
> >>> no-one has suggested that this certificate is mis-issued from a domain
> >>> validation perspective.
> >>>
> >>> There is an issue relating to the difference between WoSign's
> >>> public statement on their website that they have ceased free SSL
> >>> issuance, and the reality that they have not. We expect CAs who
> >>> make public statements about their actions to abide by those statements.
> >>>
> >>> Gerv
> >
> > Sorry. You just said there is no deadline? Which is it?
> >
> > -
> >
> > Sorry, we don't have deadline.
> > And no plan to close it in PKI side, we keep the right to active it at any
> > time, and we can issue this free SSL certificate for subscribers at any
> > time if customers need it.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
If you made a promise to close it "due to some security consideration", then you don't have the right to just enable and disable it at will, or disable it at one channel but not another channel, which ultimately has the same security if WoSign is doing the validation.

On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Best Regards,
>
> Richard
>
> > On 11 Dec 2016, at 12:47, Percy wrote:
> >
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is close the free SSL application in our own website:
> >> buy.wosign.com.
> >>
> >> And now we closed it in our PKI side.
> >>
> >>
> >> Best Regards,
> >>
> >> Richard
> >>
> >>>> On 9 Dec 2016, at 04:17, Gervase Markham wrote:
> >>>>
> >>>> On 05/12/16 13:41, Richard Wang wrote:
> >>>> We checked our system, this order is from one of the reseller. We
> >>>> have many resellers that used the API, we noticed all resellers to
> >>>> close the free SSL, but they need some time to update the system.
> >>>
> >>> More than two months?
> >>>
> >>> Has this reseller given a timeline by which they expect to have ceased
> >>> to use the API?
> >>>
> >>>> The
> >>>> most important thing is this certificate is issued by proper way that
> >>>> this subscriber finished the domain validation, so this is not a
> >>>> mis-issuance, not "deceiving".
> >>>
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said that
> >>> we no longer trust them. Of course, I don't know what commitments WoSign
> >>> has made to other root stores. And indeed, no-one has suggested that
> >>> this certificate is mis-issued from a domain validation perspective.
> >>>
> >>> There is an issue relating to the difference between WoSign's public
> >>> statement on their website that they have ceased free SSL issuance, and
> >>> the reality that they have not. We expect CAs who make public statements
> >>> about their actions to abide by those statements.
> >>>
> >>> Gerv
> >
> > Sorry. You just said there is no deadline? Which is it?
> >
> > -
> >
> > Sorry, we don't have deadline.
> > And no plan to close it in PKI side, we keep the right to active it at any
> > time, and we can issue this free SSL certificate for subscribers at any
> > time if customers need it.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Saturday, December 10, 2016 at 9:34:50 AM UTC+8, zbw...@gmail.com wrote:
> On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote:
> > lslqtz,
> > How did you obtain this certificate from WoSign? Through the public website
> > or some other means?
>
> I get this certificate through the dealer's website, but the dealer and
> WoSign API are not doing the verification, the final manual audit also passed.

not doing verification? Could you say more about that?
And how do you know there is a manual audit about this?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
As I said, we have the right to keep it or close it at any time.

Best Regards,

Richard

> On 11 Dec 2016, at 12:47, Percy wrote:
>
>> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
>> Our promise is close the free SSL application in our own website:
>> buy.wosign.com.
>>
>> And now we closed it in our PKI side.
>>
>>
>> Best Regards,
>>
>> Richard
>>
>>>> On 9 Dec 2016, at 04:17, Gervase Markham wrote:
>>>>
>>>> On 05/12/16 13:41, Richard Wang wrote:
>>>> We checked our system, this order is from one of the reseller. We
>>>> have many resellers that used the API, we noticed all resellers to
>>>> close the free SSL, but they need some time to update the system.
>>>
>>> More than two months?
>>>
>>> Has this reseller given a timeline by which they expect to have ceased
>>> to use the API?
>>>
>>>> The
>>>> most important thing is this certificate is issued by proper way that
>>>> this subscriber finished the domain validation, so this is not a
>>>> mis-issuance, not "deceiving".
>>>
>>> This is narrowly true, from a Mozilla perspective. Mozilla has not
>>> required that WoSign stop issuing certificates. We have just said that
>>> we no longer trust them. Of course, I don't know what commitments WoSign
>>> has made to other root stores. And indeed, no-one has suggested that
>>> this certificate is mis-issued from a domain validation perspective.
>>>
>>> There is an issue relating to the difference between WoSign's public
>>> statement on their website that they have ceased free SSL issuance, and
>>> the reality that they have not. We expect CAs who make public statements
>>> about their actions to abide by those statements.
>>>
>>> Gerv
>
> Sorry. You just said there is no deadline? Which is it?
>
> -
>
> Sorry, we don't have deadline.
> And no plan to close it in PKI side, we keep the right to active it at any
> time, and we can issue this free SSL certificate for subscribers at any time
> if customers need it.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> Our promise is close the free SSL application in our own website:
> buy.wosign.com.
>
> And now we closed it in our PKI side.
>
>
> Best Regards,
>
> Richard
>
> > On 9 Dec 2016, at 04:17, Gervase Markham wrote:
> >
> >> On 05/12/16 13:41, Richard Wang wrote:
> >> We checked our system, this order is from one of the reseller. We
> >> have many resellers that used the API, we noticed all resellers to
> >> close the free SSL, but they need some time to update the system.
> >
> > More than two months?
> >
> > Has this reseller given a timeline by which they expect to have ceased
> > to use the API?
> >
> >> The
> >> most important thing is this certificate is issued by proper way that
> >> this subscriber finished the domain validation, so this is not a
> >> mis-issuance, not "deceiving".
> >
> > This is narrowly true, from a Mozilla perspective. Mozilla has not
> > required that WoSign stop issuing certificates. We have just said that
> > we no longer trust them. Of course, I don't know what commitments WoSign
> > has made to other root stores. And indeed, no-one has suggested that
> > this certificate is mis-issued from a domain validation perspective.
> >
> > There is an issue relating to the difference between WoSign's public
> > statement on their website that they have ceased free SSL issuance, and
> > the reality that they have not. We expect CAs who make public statements
> > about their actions to abide by those statements.
> >
> > Gerv

Sorry. You just said there is no deadline? Which is it?

-

Sorry, we don't have deadline.
And no plan to close it in PKI side, we keep the right to active it at any time, and we can issue this free SSL certificate for subscribers at any time if customers need it.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
Our promise is close the free SSL application in our own website: buy.wosign.com.

And now we closed it in our PKI side.

Best Regards,

Richard

> On 9 Dec 2016, at 04:17, Gervase Markham wrote:
>
>> On 05/12/16 13:41, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We
>> have many resellers that used the API, we noticed all resellers to
>> close the free SSL, but they need some time to update the system.
>
> More than two months?
>
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
>
>> The
>> most important thing is this certificate is issued by proper way that
>> this subscriber finished the domain validation, so this is not a
>> mis-issuance, not "deceiving".
>
> This is narrowly true, from a Mozilla perspective. Mozilla has not
> required that WoSign stop issuing certificates. We have just said that
> we no longer trust them. Of course, I don't know what commitments WoSign
> has made to other root stores. And indeed, no-one has suggested that
> this certificate is mis-issued from a domain validation perspective.
>
> There is an issue relating to the difference between WoSign's public
> statement on their website that they have ceased free SSL issuance, and
> the reality that they have not. We expect CAs who make public statements
> about their actions to abide by those statements.
>
> Gerv
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
As I said before, you finished the domain validation.
This is DV SSL that no need to do the manual validation.

Best Regards,

Richard

> On 10 Dec 2016, at 09:33, "zbw...@gmail.com" wrote:
>
> On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote:
>> lslqtz,
>> How did you obtain this certificate from WoSign? Through the public website
>> or some other means?
>
> I get this certificate through the dealer's website, but the dealer and
> WoSign API are not doing the verification, the final manual audit also passed.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote:
> lslqtz,
> How did you obtain this certificate from WoSign? Through the public website
> or some other means?

I get this certificate through the dealer's website, but the dealer and WoSign API are not doing the verification, the final manual audit also passed.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Friday, December 9, 2016 at 4:19:31 AM UTC+8, Gervase Markham wrote:
> On 05/12/16 13:41, Richard Wang wrote:
> > We checked our system, this order is from one of the reseller. We
> > have many resellers that used the API, we noticed all resellers to
> > close the free SSL, but they need some time to update the system.
>
> More than two months?
>
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
>
> > The
> > most important thing is this certificate is issued by proper way that
> > this subscriber finished the domain validation, so this is not a
> > mis-issuance, not "deceiving".
>
> This is narrowly true, from a Mozilla perspective. Mozilla has not
> required that WoSign stop issuing certificates. We have just said that
> we no longer trust them. Of course, I don't know what commitments WoSign
> has made to other root stores. And indeed, no-one has suggested that
> this certificate is mis-issued from a domain validation perspective.
>
> There is an issue relating to the difference between WoSign's public
> statement on their website that they have ceased free SSL issuance, and
> the reality that they have not. We expect CAs who make public statements
> about their actions to abide by those statements.
>
> Gerv

Before the incident of Wosign, lots of cloud service in China is using Wosign's API to issue SSL certificates for their consumers. And in this particular domain I think someone intended to issue a certificate from Wosign's Free Certificate G2 via somewhere and they succeeded. Because I saw other valid certificate on this domain.

P.S. seems like Wosign updated their system for there is embedded SCT in this cert.
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On 05/12/16 13:41, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We
> have many resellers that used the API, we noticed all resellers to
> close the free SSL, but they need some time to update the system.

More than two months?

Has this reseller given a timeline by which they expect to have ceased to use the API?

> The
> most important thing is this certificate is issued by proper way that
> this subscriber finished the domain validation, so this is not a
> mis-issuance, not "deceiving".

This is narrowly true, from a Mozilla perspective. Mozilla has not required that WoSign stop issuing certificates. We have just said that we no longer trust them. Of course, I don't know what commitments WoSign has made to other root stores. And indeed, no-one has suggested that this certificate is mis-issued from a domain validation perspective.

There is an issue relating to the difference between WoSign's public statement on their website that they have ceased free SSL issuance, and the reality that they have not. We expect CAs who make public statements about their actions to abide by those statements.

Gerv
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
Sorry, we don't have deadline.
And no plan to close it in PKI side, we keep the right to active it at any time, and we can issue this free SSL certificate for subscribers at any time if customers need it.

Best Regards,

Richard

> On 6 Dec 2016, at 07:49, Percy wrote:
>
> When I was trying to inform Apple to put a time constrain on the intermediate
> CA, you implied such constrain not necessary because no new certs will be
> issued. Clearly, you know already that the users can still get certs from
> reseller and potentially abuse it due to all the control failures
> investigated by Mozilla. Otherwise, you could have closed the issuing certs
> in the PKI, and no resellers would be able to issue new certs.
>
> Since new certs are still issued by WoSign, could you please give a timeline
> on when such no new certs will be issued, via wosign, resellers, no any other
> method?
>
>> On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We have many
>> resellers that used the API, we noticed all resellers to close the free SSL,
>> but they need some time to update the system.
>> The most important thing is this certificate is issued by proper way that
>> this subscriber finished the domain validation, so this is not a
>> mis-issuance, not "deceiving".
>>
>> Best Regards,
>>
>> Richard
>>
>>> On 6 Dec 2016, at 06:57, Percy wrote:
>>>
>>> WoSign is actively deceiving this community again.
>>>
>>> In Nov. 13th, in the thread Apple's response to the WoSign incidents, I
>>> stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate
>>> should be time constrained by Apple. But Richard stated that "WoSign
>>> stopped to issue free SSL certificate from those two intermediate CAs since
>>> Sept 29."
>>> (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
>>>
>>> I'm asking WoSign please explain why on the public website and on this
>>> forum, you stated no new certs will be issued under this very intermediate
>>> CA, but now you said this is not a issue?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
When I was trying to inform Apple to put a time constrain on the intermediate CA, you implied such constrain not necessary because no new certs will be issued. Clearly, you know already that the users can still get certs from reseller and potentially abuse it due to all the control failures investigated by Mozilla. Otherwise, you could have closed the issuing certs in the PKI, and no resellers would be able to issue new certs.

Since new certs are still issued by WoSign, could you please give a timeline on when such no new certs will be issued, via wosign, resellers, no any other method?

On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We have many
> resellers that used the API, we noticed all resellers to close the free SSL,
> but they need some time to update the system.
> The most important thing is this certificate is issued by proper way that
> this subscriber finished the domain validation, so this is not a
> mis-issuance, not "deceiving".
>
> Best Regards,
>
> Richard
>
> > On 6 Dec 2016, at 06:57, Percy wrote:
> >
> > WoSign is actively deceiving this community again.
> >
> > In Nov. 13th, in the thread Apple's response to the WoSign incidents, I
> > stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate
> > should be time constrained by Apple. But Richard stated that "WoSign
> > stopped to issue free SSL certificate from those two intermediate CAs since
> > Sept 29."
> > (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
> >
> > I'm asking WoSign please explain why on the public website and on this
> > forum, you stated no new certs will be issued under this very intermediate
> > CA, but now you said this is not a issue?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
We checked our system, this order is from one of the reseller. We have many resellers that used the API, we noticed all resellers to close the free SSL, but they need some time to update the system.
The most important thing is this certificate is issued by proper way that this subscriber finished the domain validation, so this is not a mis-issuance, not "deceiving".

Best Regards,

Richard

> On 6 Dec 2016, at 06:57, Percy wrote:
>
> WoSign is actively deceiving this community again.
>
> In Nov. 13th, in the thread Apple's response to the WoSign incidents, I
> stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate should
> be time constrained by Apple. But Richard stated that "WoSign stopped to
> issue free SSL certificate from those two intermediate CAs since Sept 29."
> (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
>
> I'm asking WoSign please explain why on the public website and on this forum,
> you stated no new certs will be issued under this very intermediate CA, but
> now you said this is not a issue?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On Monday, December 5, 2016 at 9:06:13 PM UTC+8, lslqtz wrote:
> Certificate:

Could you tell us how do you get it?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
WoSign is actively deceiving this community again.

In Nov. 13th, in the thread Apple's response to the WoSign incidents, I stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate should be time constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL certificate from those two intermediate CAs since Sept 29."
(https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)

I'm asking WoSign please explain why on the public website and on this forum, you stated no new certs will be issued under this very intermediate CA, but now you said this is not a issue?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
lslqtz,
How did you obtain this certificate from WoSign? Through the public website or some other means?
Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
On the WoSign website https://buy.wosign.com/free/?lan=en , it clearly states that "Sorry, due to some security consideration, WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016."
In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.
Certificate: