Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[zbwasd]

> not doing verification? Could you say more about that?
> And how do you know there is a manual audit about this?

I issued a certificate even if it is free, but still passed the audit,follow-up 
notice to my mailbox,I know the reason for the manual audit is because the 
email notification to me.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

On Wednesday, December 14, 2016 at 8:29:24 PM UTC-8, zbw...@gmail.com wrote:
> 在 2016年12月15日星期四 UTC+8上午9:53:29，Percy写道：
> > lslqtz,
> > Could you host a subdomain say wosign.loliwiki.org with this cert? So we 
> > can test the blocking is functioning correctly.
> 
> I was pulled into the black list.

What do you mean? Are you the original poster?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[zbwasd]

在 2016年12月15日星期四 UTC+8上午9:53:29，Percy写道：
> lslqtz,
> Could you host a subdomain say wosign.loliwiki.org with this cert? So we can 
> test the blocking is functioning correctly.

I was pulled into the black list.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

lslqtz,
Could you host a subdomain say wosign.loliwiki.org with this cert? So we can 
test the blocking is functioning correctly. 
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

RE: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

Thanks for your advice.
As I said, we closed it completely in PKI side.


Best Regards,

Richard

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On 
Behalf Of Percy
Sent: Tuesday, December 13, 2016 3:40 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: In September 29, 2016, WoSign stop issuing free certificate, but I 
still successfully get it.

If you made a promise to close it "due to some security consideration", then 
you don't have the right to just enable and disable it at will, or disable it 
at one channel but not another channel, which ultimately has the same security 
if WoSign is doing the validation.

On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Best Regards,
>
> Richard
>
> > On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote:
> >
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is close the free SSL application in our own website: 
> >> buy.wosign.com.
> >>
> >> And now we closed it in our PKI side.
> >>
> >>
> >> Best Regards,
> >>
> >> Richard
> >>
> >>>> On 9 Dec 2016, at 04:17, Gervase Markham <g...@mozilla.org> wrote:
> >>>>
> >>>> On 05/12/16 13:41, Richard Wang wrote:
> >>>> We checked our system, this order is from one of the reseller. We
> >>>> have many resellers that used the API, we noticed all resellers
> >>>> to close the free SSL, but they need some time to update the system.
> >>>
> >>> More than two months?
> >>>
> >>> Has this reseller given a timeline by which they expect to have
> >>> ceased to use the API?
> >>>
> >>>> The
> >>>> most important thing is this certificate is issued by proper way
> >>>> that this subscriber finished the domain validation, so this is
> >>>> not a mis-issuance, not "deceiving".
> >>>
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said
> >>> that we no longer trust them. Of course, I don't know what
> >>> commitments WoSign has made to other root stores. And indeed,
> >>> no-one has suggested that this certificate is mis-issued from a domain 
> >>> validation perspective.
> >>>
> >>> There is an issue relating to the difference between WoSign's
> >>> public statement on their website that they have ceased free SSL
> >>> issuance, and the reality that they have not. We expect CAs who
> >>> make public statements about their actions to abide by those statements.
> >>>
> >>> Gerv
> > Sorry. You just said there is no deadline? Which is it?
> >
> > -
> >
> > Sorry, we don't have deadline.
> > And no plan to close it in PKI side, we keep the right to active it at any 
> > time, and we can issue this free SSL certificate for subscribers at any 
> > time if customers need it.
> >
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

If you made a promise to close it "due to some security consideration", then 
you don't have the right to just enable and disable it at will, or disable it 
at one channel but not another channel, which ultimately has the same security 
if WoSign is doing the validation. 

On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
> 
> 
> Best Regards,
> 
> Richard
> 
> > On 11 Dec 2016, at 12:47, Percy  wrote:
> > 
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is close the free SSL application in our own website: 
> >> buy.wosign.com.
> >> 
> >> And now we closed it in our PKI side.
> >> 
> >> 
> >> Best Regards,
> >> 
> >> Richard
> >> 
>  On 9 Dec 2016, at 04:17, Gervase Markham  wrote:
>  
>  On 05/12/16 13:41, Richard Wang wrote:
>  We checked our system, this order is from one of the reseller. We
>  have many resellers that used the API, we noticed all resellers to
>  close the free SSL, but they need some time to update the system. 
> >>> 
> >>> More than two months?
> >>> 
> >>> Has this reseller given a timeline by which they expect to have ceased
> >>> to use the API?
> >>> 
>  The
>  most important thing is this certificate is issued by proper way that
>  this subscriber finished the domain validation, so this is not a
>  mis-issuance, not "deceiving".
> >>> 
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said that
> >>> we no longer trust them. Of course, I don't know what commitments WoSign
> >>> has made to other root stores. And indeed, no-one has suggested that
> >>> this certificate is mis-issued from a domain validation perspective.
> >>> 
> >>> There is an issue relating to the difference between WoSign's public
> >>> statement on their website that they have ceased free SSL issuance, and
> >>> the reality that they have not. We expect CAs who make public statements
> >>> about their actions to abide by those statements.
> >>> 
> >>> Gerv
> > Sorry. You just said there is no deadline? Which is it? 
> > 
> > -
> > 
> > Sorry, we don't have deadline. 
> > And no plan to close it in PKI side, we keep the right to active it at any 
> > time, and we can issue this free SSL certificate for subscribers at any 
> > time if customers need it. 
> > 
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Han Yuwei]

在 2016年12月10日星期六 UTC+8上午9:34:50，zbw...@gmail.com写道：
> 在 2016年12月6日星期二 UTC+8上午6:50:04，Percy写道：
> > lslqtz,
> > How did you obtain this certificate from WoSign? Through the public website 
> > or some other means?
> 
> I get this certificate through the dealer's website, but the dealer and 
> WoSign API are not doing the verification, the final manual audit also passed.

not doing verification? Could you say more about that?
And how do you know there is a manual audit about this?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

As I said, we have the right to keep it or close it at any time.


Best Regards,

Richard

> On 11 Dec 2016, at 12:47, Percy  wrote:
> 
>> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
>> Our promise is close the free SSL application in our own website: 
>> buy.wosign.com.
>> 
>> And now we closed it in our PKI side.
>> 
>> 
>> Best Regards,
>> 
>> Richard
>> 
 On 9 Dec 2016, at 04:17, Gervase Markham  wrote:
 
 On 05/12/16 13:41, Richard Wang wrote:
 We checked our system, this order is from one of the reseller. We
 have many resellers that used the API, we noticed all resellers to
 close the free SSL, but they need some time to update the system. 
>>> 
>>> More than two months?
>>> 
>>> Has this reseller given a timeline by which they expect to have ceased
>>> to use the API?
>>> 
 The
 most important thing is this certificate is issued by proper way that
 this subscriber finished the domain validation, so this is not a
 mis-issuance, not "deceiving".
>>> 
>>> This is narrowly true, from a Mozilla perspective. Mozilla has not
>>> required that WoSign stop issuing certificates. We have just said that
>>> we no longer trust them. Of course, I don't know what commitments WoSign
>>> has made to other root stores. And indeed, no-one has suggested that
>>> this certificate is mis-issued from a domain validation perspective.
>>> 
>>> There is an issue relating to the difference between WoSign's public
>>> statement on their website that they have ceased free SSL issuance, and
>>> the reality that they have not. We expect CAs who make public statements
>>> about their actions to abide by those statements.
>>> 
>>> Gerv
> Sorry. You just said there is no deadline? Which is it? 
> 
> -
> 
> Sorry, we don't have deadline. 
> And no plan to close it in PKI side, we keep the right to active it at any 
> time, and we can issue this free SSL certificate for subscribers at any time 
> if customers need it. 
> 
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> Our promise is close the free SSL application in our own website: 
> buy.wosign.com.
> 
> And now we closed it in our PKI side.
> 
> 
> Best Regards,
> 
> Richard
> 
> > On 9 Dec 2016, at 04:17, Gervase Markham  wrote:
> > 
> >> On 05/12/16 13:41, Richard Wang wrote:
> >> We checked our system, this order is from one of the reseller. We
> >> have many resellers that used the API, we noticed all resellers to
> >> close the free SSL, but they need some time to update the system. 
> > 
> > More than two months?
> > 
> > Has this reseller given a timeline by which they expect to have ceased
> > to use the API?
> > 
> >> The
> >> most important thing is this certificate is issued by proper way that
> >> this subscriber finished the domain validation, so this is not a
> >> mis-issuance, not "deceiving".
> > 
> > This is narrowly true, from a Mozilla perspective. Mozilla has not
> > required that WoSign stop issuing certificates. We have just said that
> > we no longer trust them. Of course, I don't know what commitments WoSign
> > has made to other root stores. And indeed, no-one has suggested that
> > this certificate is mis-issued from a domain validation perspective.
> > 
> > There is an issue relating to the difference between WoSign's public
> > statement on their website that they have ceased free SSL issuance, and
> > the reality that they have not. We expect CAs who make public statements
> > about their actions to abide by those statements.
> > 
> > Gerv
Sorry. You just said there is no deadline? Which is it? 

-

Sorry, we don't have deadline. 
And no plan to close it in PKI side, we keep the right to active it at any 
time, and we can issue this free SSL certificate for subscribers at any time if 
customers need it. 

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

Our promise is close the free SSL application in our own website: 
buy.wosign.com.

And now we closed it in our PKI side.


Best Regards,

Richard

> On 9 Dec 2016, at 04:17, Gervase Markham  wrote:
> 
>> On 05/12/16 13:41, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We
>> have many resellers that used the API, we noticed all resellers to
>> close the free SSL, but they need some time to update the system. 
> 
> More than two months?
> 
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
> 
>> The
>> most important thing is this certificate is issued by proper way that
>> this subscriber finished the domain validation, so this is not a
>> mis-issuance, not "deceiving".
> 
> This is narrowly true, from a Mozilla perspective. Mozilla has not
> required that WoSign stop issuing certificates. We have just said that
> we no longer trust them. Of course, I don't know what commitments WoSign
> has made to other root stores. And indeed, no-one has suggested that
> this certificate is mis-issued from a domain validation perspective.
> 
> There is an issue relating to the difference between WoSign's public
> statement on their website that they have ceased free SSL issuance, and
> the reality that they have not. We expect CAs who make public statements
> about their actions to abide by those statements.
> 
> Gerv


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

As I said before, you finished the domain validation.
This is DV SSL that no need to do the manual validation.

Best Regards,

Richard

> On 10 Dec 2016, at 09:33, "zbw...@gmail.com"  wrote:
> 
> 在 2016年12月6日星期二 UTC+8上午6:50:04，Percy写道：
>> lslqtz,
>> How did you obtain this certificate from WoSign? Through the public website 
>> or some other means?
> 
> I get this certificate through the dealer's website, but the dealer and 
> WoSign API are not doing the verification, the final manual audit also passed.
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[zbwasd]

在 2016年12月6日星期二 UTC+8上午6:50:04，Percy写道：
> lslqtz,
> How did you obtain this certificate from WoSign? Through the public website 
> or some other means?

I get this certificate through the dealer's website, but the dealer and WoSign 
API are not doing the verification, the final manual audit also passed.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Han Yuwei]

在 2016年12月9日星期五 UTC+8上午4:19:31，Gervase Markham写道：
> On 05/12/16 13:41, Richard Wang wrote:
> > We checked our system, this order is from one of the reseller. We
> > have many resellers that used the API, we noticed all resellers to
> > close the free SSL, but they need some time to update the system. 
> 
> More than two months?
> 
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
> 
> > The
> > most important thing is this certificate is issued by proper way that
> > this subscriber finished the domain validation, so this is not a
> > mis-issuance, not "deceiving".
> 
> This is narrowly true, from a Mozilla perspective. Mozilla has not
> required that WoSign stop issuing certificates. We have just said that
> we no longer trust them. Of course, I don't know what commitments WoSign
> has made to other root stores. And indeed, no-one has suggested that
> this certificate is mis-issued from a domain validation perspective.
> 
> There is an issue relating to the difference between WoSign's public
> statement on their website that they have ceased free SSL issuance, and
> the reality that they have not. We expect CAs who make public statements
> about their actions to abide by those statements.
> 
> Gerv

Before the incident of Wosign, lots of cloud service in China is using Wosign's 
API to issue SSL cerificates for their consumers. And in this practicular 
domain I think someone intended to issue a certificate from Wosign's Free 
Certificate G2 via somewhere and they succeeded. Because I saw other valid 
certificate on this domain.

P.S. seems like Wosign updated their system for there is embedded SCT in this 
cert.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Gervase Markham]

On 05/12/16 13:41, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We
> have many resellers that used the API, we noticed all resellers to
> close the free SSL, but they need some time to update the system. 

More than two months?

Has this reseller given a timeline by which they expect to have ceased
to use the API?

> The
> most important thing is this certificate is issued by proper way that
> this subscriber finished the domain validation, so this is not a
> mis-issuance, not "deceiving".

This is narrowly true, from a Mozilla perspective. Mozilla has not
required that WoSign stop issuing certificates. We have just said that
we no longer trust them. Of course, I don't know what commitments WoSign
has made to other root stores. And indeed, no-one has suggested that
this certificate is mis-issued from a domain validation perspective.

There is an issue relating to the difference between WoSign's public
statement on their website that they have ceased free SSL issuance, and
the reality that they have not. We expect CAs who make public statements
about their actions to abide by those statements.

Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

Sorry, we don't have deadline. 
And no plan to close it in PKI side, we keep the right to active it at any 
time, and we can issue this free SSL certificate for subscribers at any time if 
customers need it.

Best Regards,

Richard

> On 6 Dec 2016, at 07:49, Percy  wrote:
> 
> When I was trying to inform Apple to put a time constrain on the intermediate 
> CA, you implied such constrain not necessary because no new certs will be 
> issued. Clearly, you know already that the users can still get certs from 
> reseller and potentially abuse it due to all the control failures 
> investigated by Mozilla. Otherwise, you could have closed the issuing certs 
> in the PKI, and no resellers would be able to issue new certs. 
> 
> Since new certs are still issued by WoSign, could you please give a timeline 
> on when such no new certs will be issued, via wosign, resellers, no any other 
> method? 
> 
>> On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We have many 
>> resellers that used the API, we noticed all resellers to close the free SSL, 
>> but they need some time to update the system.
>> The most important thing is this certificate is issued by proper way that 
>> this subscriber finished the domain validation, so this is not a 
>> mis-issuance, not "deceiving".
>> 
>> Best Regards,
>> 
>> Richard
>> 
>>> On 6 Dec 2016, at 06:57, Percy  wrote:
>>> 
>>> WoSign is actively deceiving this community again. 
>>> 
>>> In Nov. 13th, in the thread Apple's response to the WoSign incidents, I 
>>> stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate 
>>> should be time constrained by Apple. But Richard stated that "WoSign 
>>> stopped to issue free SSL certificate from those two intermediate CAs since 
>>> Sept 29. " 
>>> (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
>>> 
>>> I'm asking WoSign please explain why on the public website and on this 
>>> forum, you stated no new certs will be issued under this very intermediate 
>>> CA, but now you said this is not a issue?
>>> ___
>>> dev-security-policy mailing list
>>> dev-security-policy@lists.mozilla.org
>>> https://lists.mozilla.org/listinfo/dev-security-policy
> 
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

When I was trying to inform Apple to put a time constrain on the intermediate 
CA, you implied such constrain not necessary because no new certs will be 
issued. Clearly, you know already that the users can still get certs from 
reseller and potentially abuse it due to all the control failures investigated 
by Mozilla. Otherwise, you could have closed the issuing certs in the PKI, and 
no resellers would be able to issue new certs. 

Since new certs are still issued by WoSign, could you please give a timeline on 
when such no new certs will be issued, via wosign, resellers, no any other 
method? 

On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We have many 
> resellers that used the API, we noticed all resellers to close the free SSL, 
> but they need some time to update the system.
> The most important thing is this certificate is issued by proper way that 
> this subscriber finished the domain validation, so this is not a 
> mis-issuance, not "deceiving".
> 
> Best Regards,
> 
> Richard
> 
> > On 6 Dec 2016, at 06:57, Percy  wrote:
> > 
> > WoSign is actively deceiving this community again. 
> > 
> > In Nov. 13th, in the thread Apple's response to the WoSign incidents, I 
> > stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate 
> > should be time constrained by Apple. But Richard stated that "WoSign 
> > stopped to issue free SSL certificate from those two intermediate CAs since 
> > Sept 29. " 
> > (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
> > 
> > I'm asking WoSign please explain why on the public website and on this 
> > forum, you stated no new certs will be issued under this very intermediate 
> > CA, but now you said this is not a issue?
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Richard Wang]

We checked our system, this order is from one of the reseller. We have many 
resellers that used the API, we noticed all resellers to close the free SSL, 
but they need some time to update the system.
The most important thing is this certificate is issued by proper way that this 
subscriber finished the domain validation, so this is not a mis-issuance, not 
"deceiving".

Best Regards,

Richard

> On 6 Dec 2016, at 06:57, Percy  wrote:
> 
> WoSign is actively deceiving this community again. 
> 
> In Nov. 13th, in the thread Apple's response to the WoSign incidents, I 
> stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate should 
> be time constrained by Apple. But Richard stated that "WoSign stopped to 
> issue free SSL certificate from those two intermediate CAs since Sept 29. " 
> (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
> 
> I'm asking WoSign please explain why on the public website and on this forum, 
> you stated no new certs will be issued under this very intermediate CA, but 
> now you said this is not a issue?
> ___
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy


smime.p7s
Description: S/MIME cryptographic signature
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Han Yuwei]

在 2016年12月5日星期一 UTC+8下午9:06:13，lslqtz写道：
> Certificate:
> -BEGIN CERTIFICATE-
> MIIFwTCCBKmgAwIBAgIQH6W3+xfuFD8074LcZJFjLjANBgkqhkiG9w0BAQsFADBP
> MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJDAiBgNV
> BAMMG0NBIOayg+mAmuWFjei0uVNTTOivgeS5piBHMjAeFw0xNjEyMDUwNTU4NDJa
> Fw0xNzEyMDUwNTU4NDJaMCQxCzAJBgNVBAYTAkNOMRUwEwYDVQQDDAxsb2xpd2lr
> aS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtdPYBYZsX15zm
> Pb3GAcWYgLRZjTk/o/MfE1erTLUY8laPQLo1wYwoTWbTN1z6C0WRDcs23eoXZaJ9
> PA1HUAnWCmoNOMDI1AfKcOPcPn4jbi/3U/CvYGPdbqXn7uuD0By6bi3JSsHNvmEZ
> NxKDeLuKLEJVeKzTUh99cRJc5Bsl/+zGnBFmv9nsgJnW17s3rhCyzPyUm5UvNlNn
> 8Oj+zk5ls29ZyaeSIc+wwHFKp2gqz2J+a4OIf5qhNPZSTxBhls2eaqSDln7Y0WBD
> y19R8OX6y4VgGupZMAfzbX1a1tApaUpDNHwLQs3zdSEhBoS0HfF6X1lkKjnR5C9k
> uGKxExiTAgMBAAGjggLCMIICvjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
> KwYBBQUHAwIGCCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBLGE9J1gMQ9
> ySkbZRU9/6mr3Gv2MB8GA1UdIwQYMBaAFDDadIbzKJBWntcxMcK9Wc2TEjkdMH8G
> CCsGAQUFBwEBBHMwcTA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLndvc2lnbi5j
> bi9jYTJnMi9zZXJ2ZXIxL2ZyZWUwOAYIKwYBBQUHMAKGLGh0dHA6Ly9haWEyLndv
> c2lnbi5jbi9jYTJnMi5zZXJ2ZXIxLmZyZWUuY2VyMD4GA1UdHwQ3MDUwM6AxoC+G
> LWh0dHA6Ly9jcmxzMi53b3NpZ24uY24vY2EyZzItc2VydmVyMS1mcmVlLmNybDAp
> BgNVHREEIjAgggxsb2xpd2lraS5vcmeCEHd3dy5sb2xpd2lraS5vcmcwTwYDVR0g
> BEgwRjAIBgZngQwBAgEwOgYLKwYBBAGCm1EBAQIwKzApBggrBgEFBQcCARYdaHR0
> cDovL3d3dy53b3NpZ24uY29tL3BvbGljeS8wggEDBgorBgEEAdZ5AgQCBIH0BIHx
> AO8AdgBBstwuieY85K8bp7spv2jG3ub58cwEfjDf+uOzuiWSYwAAAVjNpMAvAAAE
> AwBHMEUCIQCd5EZg2DiAaKXZoPtB/X6vuC+HBMSgpAnwA4/3q/kEVQIgCazYAFhk
> pL44t4Om6JqCFEi90qQqNzeO0rzIzJ11pisAdQCkuQmQtBhYFIe7E6LMZ3AKPDWY
> BPkb37jjd80OyA3cEVjNpMNmAAAEAwBGMEQCIDefIVxN6HxTm9zX72Mb9TbM
> jxdwKWzLg7qf8juX54/eAiAmqrlF0qlXuqYmQ+UnjHlT+8pODGw9m78jtCJiE+ct
> xTANBgkqhkiG9w0BAQsFAAOCAQEAAetL1ygxl83AAgRsCw3wwzRiXgSDAn8U6cVa
> LjmrQOnksi8PfepBvMiP8lJMsNVeOcXMTiSdIjyqeOR2eK1dzmdcuGTZvU/qVPv+
> WY8VHzb9+4dB0QLPMCXH6ZI0V3x368fSsA6RzTuQETt28BkF7wo2UL524R5la9Rv
> vKlg7h09tuFlvdVy+YgY3jM4zTMejnW6w1kG2GlhJMIOewJK6X1kKMmdORmRx9rK
> yYEA6puiv9pbYmxCo9YBw4Zgvq6wpfSEtB/bxwU+flGpBwqIX9plk8iDDZGiDKRy
> f3s0fVrB7/8+0DxIv/vs/ug43TjCNIpCW03I+ijiwsR12XCk8w==
> -END CERTIFICATE-

Could you tell us how do you get it?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

WoSign is actively deceiving this community again. 

In Nov. 13th, in the thread Apple's response to the WoSign incidents, I stated 
that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate should be time 
constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL 
certificate from those two intermediate CAs since Sept 29. " 
(https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)

I'm asking WoSign please explain why on the public website and on this forum, 
you stated no new certs will be issued under this very intermediate CA, but now 
you said this is not a issue?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

lslqtz,
How did you obtain this certificate from WoSign? Through the public website or 
some other means?
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

[Percy]

On the WoSign website https://buy.wosign.com/free/?lan=en , it clearly states 
that "Sorry, due to some security consideration, 
WoSign decide to close the free SSL certificate application temporarily. Sept. 
29th 2016."
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

In September 29, 2016,WoSign stop issuing free certificate,but I still successfully get it.

[lslqtz]

Certificate:
-BEGIN CERTIFICATE-
MIIFwTCCBKmgAwIBAgIQH6W3+xfuFD8074LcZJFjLjANBgkqhkiG9w0BAQsFADBP
MQswCQYDVQQGEwJDTjEaMBgGA1UEChMRV29TaWduIENBIExpbWl0ZWQxJDAiBgNV
BAMMG0NBIOayg+mAmuWFjei0uVNTTOivgeS5piBHMjAeFw0xNjEyMDUwNTU4NDJa
Fw0xNzEyMDUwNTU4NDJaMCQxCzAJBgNVBAYTAkNOMRUwEwYDVQQDDAxsb2xpd2lr
aS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtdPYBYZsX15zm
Pb3GAcWYgLRZjTk/o/MfE1erTLUY8laPQLo1wYwoTWbTN1z6C0WRDcs23eoXZaJ9
PA1HUAnWCmoNOMDI1AfKcOPcPn4jbi/3U/CvYGPdbqXn7uuD0By6bi3JSsHNvmEZ
NxKDeLuKLEJVeKzTUh99cRJc5Bsl/+zGnBFmv9nsgJnW17s3rhCyzPyUm5UvNlNn
8Oj+zk5ls29ZyaeSIc+wwHFKp2gqz2J+a4OIf5qhNPZSTxBhls2eaqSDln7Y0WBD
y19R8OX6y4VgGupZMAfzbX1a1tApaUpDNHwLQs3zdSEhBoS0HfF6X1lkKjnR5C9k
uGKxExiTAgMBAAGjggLCMIICvjAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0lBBYwFAYI
KwYBBQUHAwIGCCsGAQUFBwMBMAkGA1UdEwQCMAAwHQYDVR0OBBYEFBLGE9J1gMQ9
ySkbZRU9/6mr3Gv2MB8GA1UdIwQYMBaAFDDadIbzKJBWntcxMcK9Wc2TEjkdMH8G
CCsGAQUFBwEBBHMwcTA1BggrBgEFBQcwAYYpaHR0cDovL29jc3AyLndvc2lnbi5j
bi9jYTJnMi9zZXJ2ZXIxL2ZyZWUwOAYIKwYBBQUHMAKGLGh0dHA6Ly9haWEyLndv
c2lnbi5jbi9jYTJnMi5zZXJ2ZXIxLmZyZWUuY2VyMD4GA1UdHwQ3MDUwM6AxoC+G
LWh0dHA6Ly9jcmxzMi53b3NpZ24uY24vY2EyZzItc2VydmVyMS1mcmVlLmNybDAp
BgNVHREEIjAgggxsb2xpd2lraS5vcmeCEHd3dy5sb2xpd2lraS5vcmcwTwYDVR0g
BEgwRjAIBgZngQwBAgEwOgYLKwYBBAGCm1EBAQIwKzApBggrBgEFBQcCARYdaHR0
cDovL3d3dy53b3NpZ24uY29tL3BvbGljeS8wggEDBgorBgEEAdZ5AgQCBIH0BIHx
AO8AdgBBstwuieY85K8bp7spv2jG3ub58cwEfjDf+uOzuiWSYwAAAVjNpMAvAAAE
AwBHMEUCIQCd5EZg2DiAaKXZoPtB/X6vuC+HBMSgpAnwA4/3q/kEVQIgCazYAFhk
pL44t4Om6JqCFEi90qQqNzeO0rzIzJ11pisAdQCkuQmQtBhYFIe7E6LMZ3AKPDWY
BPkb37jjd80OyA3cEVjNpMNmAAAEAwBGMEQCIDefIVxN6HxTm9zX72Mb9TbM
jxdwKWzLg7qf8juX54/eAiAmqrlF0qlXuqYmQ+UnjHlT+8pODGw9m78jtCJiE+ct
xTANBgkqhkiG9w0BAQsFAAOCAQEAAetL1ygxl83AAgRsCw3wwzRiXgSDAn8U6cVa
LjmrQOnksi8PfepBvMiP8lJMsNVeOcXMTiSdIjyqeOR2eK1dzmdcuGTZvU/qVPv+
WY8VHzb9+4dB0QLPMCXH6ZI0V3x368fSsA6RzTuQETt28BkF7wo2UL524R5la9Rv
vKlg7h09tuFlvdVy+YgY3jM4zTMejnW6w1kG2GlhJMIOewJK6X1kKMmdORmRx9rK
yYEA6puiv9pbYmxCo9YBw4Zgvq6wpfSEtB/bxwU+flGpBwqIX9plk8iDDZGiDKRy
f3s0fVrB7/8+0DxIv/vs/ug43TjCNIpCW03I+ijiwsR12XCk8w==
-END CERTIFICATE-
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy