Re: Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Itzhak Daniel via dev-security-policy
This blog post is very vague, one can understand from it that Microsoft will not trust any new certificates from these two CAs: "Microsoft will begin the natural deprecation of WoSign and StartCom certificates by setting a “NotBefore” date ... Windows 10 will not trust any new certifi

RE: Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Richard Wang via dev-security-policy
@lists.mozilla.org] On Behalf Of Percy via dev-security-policy Sent: Wednesday, August 9, 2017 2:03 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Microsoft to remove WoSign and StartCom certificates in Windows 10 https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft

Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed

Final removal of trust in WoSign and StartCom Certificates

2017-07-07 Thread asymmetric--- via dev-security-policy
Hello M.D.S.P., We've posted the following update regarding Chrome's treatment of WoSign and StartCom certificates to Chromium's Security-dev and net-dev groups. I've included both links below in case you'd like to follow the discussion there. https://groups.google.com/a/chromium.org/forum

Please restrict/remove WoSign and StartCom CA from Android

2016-12-17 Thread Percy
WoSign and StartCom have been included as root CAs in official Android builds. (https://code.google.com/p/android/issues/detail?id=71363 https://code.google.com/p/android/issues/detail?id=21632) Apple has restricted/removed WoSign and StartCom from iOS 10.2. "Google has determined that tw

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-11-07 Thread Percy
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > The security blog about Distrusting New WoSign and StartCom Certificates has > been published: > > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ > > Ch

Re: Remediation Plan for WoSign and StartCom

2016-11-07 Thread Rami Kogan
Just came across the following Phishing site which is using a StartCom cert: hXXps://serviices-intl.com/webapps/6fa9b/websrc On 11/2/16, 6:32 PM, "dev-security-policy on behalf of Itzhak Daniel"

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Itzhak Daniel
On Wednesday, November 2, 2016 at 5:22:30 PM UTC+2, Gervase Markham wrote: > Hi Daniel, > > On 02/11/16 14:11, Itzhak Daniel wrote: > As far as the DigiCert certs go, it is far too early to have an opinion > on what Mozilla is or isn't doing. I have to agree, the time span is too short (at least

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Gervase Markham
ltiple instances of flat-out lying to Mozilla. I would expect non-lying CAs to get a different treatment from lying ones. > I wonder if WoSign/StartCom had ignored Mozilla Security > Community at some degree, the same way Comodo and DigiCert are doing, > would it saved them. I'm not sur

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Gervase Markham
igned on 22 > October or later will not be verified by their future browser > versions. Both StartCom and WoSign were aware in advance that this was the deadline we were proposing. How they communicated that to their customers (or not) is up to them. If you are unhappy with them for selling you a cert w

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread Itzhak Daniel
Interesting that Comodo and DigiCert are getting a different treatment, I wonder if WoSign/StartCom had ignored the Mozilla Security Community to some degree, the same way Comodo and DigiCert are doing, would it have saved them. (I don't know if there are chatters in the back, maybe I missed something

Re: Remediation Plan for WoSign and StartCom

2016-11-02 Thread dracenmarx
I think that the steps against StartCom are too extreme and I would like to tell my personal opinion. First of all, I want to say that I don't have any benefits when I tell this opinion, since I personally already switched to a different CA. (1) I did find any public answer from Apple, Google

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 4:40:49 PM UTC-7, Percy wrote: > Ryan, > It's great Chrome will distrust WoSign and StartCom. Google's blog post > stated that "Due to a number of technical limitations and concerns, Google > Chrome is unable to trust all pre-existing certificates w

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 31, 2016 at 5:07:06 PM UTC-7, nessun...@gmail.com wrote: > I see that Google's response (and Apple's) is harsher than Mozilla's, by > categorically distrusting WoSign and StartCom without granting the option, as > Mozilla does, to resubmit a new CA application after a s

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread nessuno . acasa
I see that Google's response (and Apple's) is harsher than Mozilla's, by categorically distrusting WoSign and StartCom without granting the option, as Mozilla does, to resubmit a new CA application after a set period of time through which they work to correct their flawed procedures

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
Ryan, It's great Chrome will distrust WoSign and StartCom. Google's blog post stated that "Due to a number of technical limitations and concerns, Google Chrome is unable to trust all pre-existing certificates while ensuring our users are sufficiently protected from further misissuance.".

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Ryan Sleevi
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > The security blog about Distrusting New WoSign and StartCom Certificates has > been published: > > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ > > Ch

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Percy
Kathleen, This coverage is very encouraging! Among the sites you included, huanqiu, which is a newspaper operated by the central government, is notable. So far, no censorship has been observed, contrary to the blanket censorship of the previous CNNIC case.

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Kathleen Wilson
response: https://linux.cn/article-7898-1.html https://www.sslchina.com/news20161025-mozilla-distrusted-new-wosign-and-startcom-certificates/ http://www.pcpop.com/doc/3/3522/3522780.shtml http://www.solidot.org/story?sid=50116 http://www.cnbeta.com/articles/551603.htm http://digi.163.com/16/1025/13

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Nigel Kukard
On Tuesday, 25 October 2016 4:30:39 PM UTC Percy wrote: > StartCom on the other hand, issued no announcement > (https://startssl.com/News) even under multiple explicit inquiries from > multiple users > (https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1 > 542d3ecc10). There is

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
That you have to ask WoSign. The exact wording is "将增加一个产品选项,用户可以选购从新的沃通(WoSign)中级根证书下签发的支持所有浏览器(包括火狐浏览器)的SSL证书,在过渡期八折优惠。此中级根证书将由全球信任的其他CA根证书签发,支持所有浏览器和所有新老终端设备。此项产品升级计划一个月内完成并为广大用户提供证书服务;" My translation: [WoSign] will add a new product selection. Users can choose SSL certs signed by the new

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Patrick Figel
On 26/10/16 01:27, Percy wrote: > WoSign will roll out a globally trusted intermediate cert to sign new > certs with the existing WoSign system that had so many control > failures. > > Does Mozilla and this community accept such a work-around for WoSign? > If we do, then what's the point of

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
StartCom on the other hand, issued no announcement (https://startssl.com/News) even under multiple explicit inquiries from multiple users (https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1542d3ecc10). ___ dev-security-policy

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
WoSign has posted an announcement regarding Mozilla's decision. In the announcement, WoSign stated that WoSign actively cooperated with the investigation and has always fixed all the issues immediately after discovery, and called Mozilla's decision "exceptionally severe". Certs issued by

Re: Remediation Plan for WoSign and StartCom

2016-10-24 Thread Gervase Markham
On 24/10/16 06:55, Samuel Pinder wrote: > There's some good questions there, actually. OEM SSL, does that mean > another CA would be doing the validation and issuing using their own > infrastructure and team, which you would be reselling via a > constrained intermediate? I suspect he means

Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Samuel Pinder
ard > > From: Eric Mill [mailto:e...@konklone.com] > Sent: Monday, October 24, 2016 12:05 PM > To: Richard Wang <rich...@wosign.com> > Cc: Kathleen Wilson <kwil...@mozilla.com>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Remediation Plan for WoSign a

RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
: Monday, October 24, 2016 12:05 PM To: Richard Wang <rich...@wosign.com> Cc: Kathleen Wilson <kwil...@mozilla.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: Remediation Plan for WoSign and StartCom Hi Richard, A few questions - 1) Your post says "Ther

Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Eric Mill
> To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: Remediation Plan for WoSign and StartCom > > On Thursday, October 20, 2016 at 6:59:08 PM UTC-7, Percy wrote: > > Kathleen, > > As most users affected by this decision are Chinese, will you be able to > make th

RE: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Richard Wang
to translate. > > As I stated earlier, there are almost no news of the distrust of > WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted > anything related to this. I believe it's paramount to prepare Chinese website > owners for the phasing out of th

Re: Remediation Plan for WoSign and StartCom

2016-10-23 Thread Erwann Abalea
Hello, On Friday 21 October 2016 12:48:21 UTC+2, marc@gmail.com wrote: [...] > Just the opinion of a user who is securing services, websites and his mails > with certificates but is not capable of paying hundreds of Euros / Dollars > for achieving this goal every year. DV

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Peter Bowen
On Thu, Oct 20, 2016 at 1:57 PM, Kathleen Wilson wrote: > 1) Distrust certificates with a notBefore date after October 21, 2016 which > chain up to the following affected roots. If additional back-dating is > discovered (by any means) to circumvent this control, then

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jernej Simončič
On Sat, 22 Oct 2016 16:26:51 +0200, Jakob Bohm wrote: > Thus the need for those who obtained OV code > signing certificates from StartCom to start looking for alternatives, > and my suggestion, as a public service, that someone here might chime > in with the names of small/individual developer

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
g distrust of WoSign and StartCom. Thus the need for those who obtained OV code signing certificates from StartCom to start looking for alternatives, and my suggestion, as a public service, that someone here might chime in with the names of small/individual developer friendly issuers of code signing ce

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Ryan Sleevi
On Saturday, October 22, 2016 at 5:11:29 AM UTC-7, Jakob Bohm wrote: > Talking of codesigning, which root store does Chrome use to validate > signatures on the PPAPI plug ins it is currently forcing developers to > switch to? I've mentioned to you repeatedly that no one uses the code signing

Re: Remediation Plan for WoSign and StartCom

2016-10-22 Thread Jakob Bohm
On 22/10/2016 00:57, Jernej Simončič wrote: On Fri, 21 Oct 2016 10:03:46 -0700 (PDT), Han Yuwei wrote: I am also a StartCom SSL & S/MIME certificate user. The only problem for me is that I must re-config nginx. S/MIME has a lot of alternatives for free. Code Signing may only work on

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Samuel Pinder
Following on from my previous posting, I have found that Startcom are still issuing certificates past the 21st of October that should be subject to blocking in an upcoming version of Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 . I have therefore obtained such a certificate via my

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Percy
Samuel, I absolutely agree with what you're saying. That's why I suggested to Mozilla that it mandates WoSign/StartCom to disclose such information on their websites or otherwise inform their customers. Currently, new customers have no way to know until it's too late, i.e. when Firefox releases

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Samuel Pinder
Neither Startcom nor WoSign is publicly announcing these measures on their websites, I have even contacted Startcom about this via live chat. Their only responses seem to be that they are waiting for 'upper management' to make an announcement, despite me directly sending links to the filed bug reports clearly

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread okaphone . elektronika
Isn't that something you should take up with StartCom? Bottom line, you paid them for your certificate, didn't you. Not Mozilla. Perhaps StartCom should have been a bit more careful so they could keep serving their customers. CU Hans

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Han Yuwei
On Friday, October 21, 2016 at 6:48:21 PM UTC+8, marc@gmail.com wrote: > On Friday, 21 October 2016 03:59:08 UTC+2, Percy wrote: > > Kathleen, > > As most users affected by this decision are Chinese, will you be able to > > make the blog post available in Chinese on the security blog as well? You > > can ask

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Nick Lamb
On Friday, 21 October 2016 11:48:21 UTC+1, marc@gmail.com wrote: > Just the opinion of a user who is securing services, websites and his mails > with certificates but is not capable of paying hundreds of Euros / Dollars > for achieving this goal every year. This is the "too big to fail"

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread marc . reitz
On Friday, 21 October 2016 03:59:08 UTC+2, Percy wrote: > Kathleen, > As most users affected by this decision are Chinese, will you be able to make > the blog post available in Chinese on the security blog as well? You can ask > the Chinese firefox community or me to translate. Hi, only the

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Kathleen Wilson
to translate. > > As I stated earlier, there are almost no news of the distrust of > WoSign/StartCom on the Chinese Internet and WoSign/StartCom has not posted > anything related to this. I believe it's paramount to prepare Chinese website > owners for the phasing out of the affected

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Percy
/StartCom on the Chinese Internet and WoSign/StartCom has not posted anything related to this. I believe it's paramount to prepare Chinese website owners for the phasing out of the affected roots.

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Kathleen Wilson
All, I have filed the following two bugs. WoSign Action Items: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 StartCom Action Items: https://bugzilla.mozilla.org/show_bug.cgi?id=1311832 I will work on a security blog that will probably get posted early next week. It will point to these

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Gervase Markham
On 19/10/16 15:13, okaphone.elektron...@gmail.com wrote: > Perhaps "haste" is not what you want here. How about "urgency"? I was using it in the sense of the English phrase "more haste, less speed": http://dictionary.cambridge.org/dictionary/english/more-haste-less-speed But yes, urgency is

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kathleen Wilson
On Wednesday, October 19, 2016 at 3:13:50 PM UTC-7, okaphone.e...@gmail.com wrote: > Perhaps "haste" is not what you want here. How about "urgency"? > Yep. Changed in the wiki page. Thanks, Kathleen

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread okaphone . elektronika
Perhaps "haste" is not what you want here. How about "urgency"? CU Hans

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kathleen Wilson
On Wednesday, October 19, 2016 at 11:50:55 AM UTC-7, Gervase Markham wrote: > > Today at the CAB Forum I outlined some of Mozilla's thinking on how we > rate the severity of incidents. It might be helpful to reproduce that > here. This is what I said: > Thanks, Gerv! I added that text to the

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Gervase Markham
On 19/10/16 11:35, longol...@gmail.com wrote: > Hey Kathleen, hey list, > > I really don't get why Mozilla is pushing so hard on the Chinese and > at the same time let others get away. For example the Comodo case > from today. Isn't that a much worse incident than what has happened > here.

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Ryan Hurst
On Wednesday, October 19, 2016 at 12:58:49 AM UTC-7, Kurt Roeckx wrote: > I at least have some concerns about the current gossip draft and talked > a little to dkg about this. I should probably bring this up on the trans > list. > Please do, we would like to see this brought to closure soon

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Tom Ritter
On 19 October 2016 at 02:58, Kurt Roeckx <k...@roeckx.be> wrote: > On 2016-10-19 01:37, Rob Stradling wrote: >> >> On 18/10/16 23:49, Gervase Markham wrote: >>> >>> On 18/10/16 15:42, Ryan Hurst wrote: >>>> >>>> I do not underst

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Kurt Roeckx
On 2016-10-19 01:37, Rob Stradling wrote: On 18/10/16 23:49, Gervase Markham wrote: On 18/10/16 15:42, Ryan Hurst wrote: I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. My original logic was that it could

Re: Remediation Plan for WoSign and StartCom

2016-10-19 Thread Ryan Hurst
It is true, that without gossip, CT is dependent on browsers monitoring the log ecosystem, this is one reason why in the Chrome policy the one Google log is required. I would argue, with the monitoring Google does and the one Google log policy that this risk is mitigated sufficiently, even

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Adrian R.
Kurt Roeckx wrote: > Since the previous audit wasn't one that covered a whole year, I > expect the new audit to start where the previous one stopped and > have it a year from that point. This might be more of a question for cabforum, but why do audits have to be non-overlapping? I would think

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Andrew Ayer
On Tue, 18 Oct 2016 15:49:26 -0700 Gervase Markham <g...@mozilla.org> wrote: > On 18/10/16 15:42, Ryan Hurst wrote: > > I do not understand the desire to require StartCom / WoSign to not > > utilize their own logs as part of the associated quorum policy. > > My origi

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Rob Stradling
On 18/10/16 23:49, Gervase Markham wrote: > On 18/10/16 15:42, Ryan Hurst wrote: >> I do not understand the desire to require StartCom / WoSign to not >> utilize their own logs as part of the associated quorum policy. > > My original logic was that it could be se

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 16:04, Han Yuwei wrote: > For the CT support, is there any plan to implement it into effect in > Firefox? And if implemented, what would happen if the server's > certificate doesn't have enough SCTs? The mechanism is being implemented. When it's closer to being implemented, there will be a

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
On Wednesday, October 19, 2016 at 6:42:18 AM UTC+8, Ryan Hurst wrote: > All, > > I do not understand the desire to require StartCom / WoSign to not utilize > their own logs as part of the associated quorum policy. > > Certificate Transparency's idempotency is not dependent on the practices

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 15:42, Ryan Hurst wrote: > I do not understand the desire to require StartCom / WoSign to not > utilize their own logs as part of the associated quorum policy. My original logic was that it could be seen that the log owner is trustworthy. However, you are right that C

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 14:33, Ryan Sleevi wrote: > I think there's some confusion there. CNNIC's audits "expire" on Feb > "29" 2017 (I say "29" because of ambiguity on "1 year"). That is, > within 3 months of Feb "29", 2017, CNNIC would be expected to provide > a new audit, which covers February 29, 2016

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Ryan Hurst
All, I do not understand the desire to require StartCom / WoSign to not utilize their own logs as part of the associated quorum policy. Certificate Transparency's idempotency is not dependent on the practices of the operator. By requiring the use of a third-party log (in this case

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On Tue, Oct 18, 2016 at 01:35:59PM -0700, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a persistent

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Peter Bowen
On Tue, Oct 18, 2016 at 2:33 PM, Ryan Sleevi wrote: > > I think there's some confusion there. CNNIC's audits "expire" on Feb "29" > 2017 (I say "29" because of ambiguity on "1 year"). That is, within 3 months > of Feb "29", 2017, CNNIC would be expected to provide a new audit,

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Ryan Sleevi
On Tuesday, October 18, 2016 at 1:36:37 PM UTC-7, Gervase Markham wrote: > On 18/10/16 12:46, Kurt Roeckx wrote: > > Are you saying you're expecting an audit report from November 2015 > > to November 2016, and so have the period from November to March > > covered twice? > > There seems to be a

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 12:46, Kurt Roeckx wrote: > Are you saying you're expecting an audit report from November 2015 > to November 2016, and so have the period from November to March > covered twice? There seems to be a persistent misunderstanding here. https://cert.webtrust.org/SealFile?seal=2092=pdf

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On Tue, Oct 18, 2016 at 10:02:00AM -0700, Gervase Markham wrote: > On 18/10/16 09:03, Kurt Roeckx wrote: > > You said the period was until February 29, 2016. I assume the next > > period starts on March 1, 2016 and is for 1 year. I don't expect it to > > from from March to November, it would be an

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
ly one (leaving aside WoSign/StartCom) which should appear on the list. Am I right? Gerv

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread okaphone . elektronika
Measure with a micrometer, mark with chalk and cut with an axe... it's the best you can do.

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
Hi Peter, On 18/10/16 06:02, Peter Bowen wrote: > I think making it clear which entries in certdata.txt have additional > constraints would be very helpful. Is it maybe possible to do so by > adding new attributes to the NSS_TRUST object instead of simply > putting it on a webpage? That way it

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 09:03, Kurt Roeckx wrote: > You said the period was until February 29, 2016. I assume the next > period starts on March 1, 2016 and is for 1 year. I don't expect it to > from from March to November, it would be an 8 month period. Surely if audits last one year, one would be auditing

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On 2016-10-18 17:26, Gervase Markham wrote: On 18/10/16 07:17, Kurt Roeckx wrote: On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Han Yuwei
is more detailed information > on the next steps to be done. > > Here´s the link again: > https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf > > So, regarding the situation of StartCom I think that some people have > lost what happened and are considering Wosi

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
Hi Inigo, On 18/10/16 07:34, Inigo Barreira wrote: > So, regarding the situation of StartCom I think that some people have > lost what happened and are considering Wosign and Startcom the same. Kathleen may also respond, but my understanding is that (based on her consideration of the arg

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 18/10/16 07:17, Kurt Roeckx wrote: > On 2016-10-18 14:51, Gervase Markham wrote: >> >> The audit report CNNIC has submitted covers the period from November 2, >> 2015 to February 29, 2016. Therefore, we would expect them to be >> starting the process of getting another yearly audit in about 2

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Inigo Barreira
.pdf So, regarding the situation of StartCom I think that some people have lost what happened and are considering Wosign and Startcom the same. Let´s focus on the 3 issues for which StartCom has been proposed for a sanction (hopefully we can change that), and these are: 1.- Bad coding of a new

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Kurt Roeckx
On 2016-10-18 14:51, Gervase Markham wrote: The audit report CNNIC has submitted covers the period from November 2, 2015 to February 29, 2016. Therefore, we would expect them to be starting the process of getting another yearly audit in about 2 weeks anyway, although it won't be done until next

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
On 17/10/16 16:26, Kathleen Wilson wrote: > ones who use NSS validation. I’m not sure what we can do about other > consumers of the NSS root store, other than publish what we are doing > and hope those folks read the news and update their version of their > root store as they see appropriate for

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Gervase Markham
eed to be CT-less, although both CAs have committed to full CT from now on, and both have loaded "every" cert since a certain date into CT. If loads of CT-less older WoSign or StartCom certs with long lifetimes started turning up on their customers sites, it would be fairly obviou

Re: Remediation Plan for WoSign and StartCom

2016-10-18 Thread Nick Lamb
won't be trusted) and that QiHoo 360/ WoSign/ StartCom accept this as legitimate.

Re: Remediation Plan for WoSign and StartCom

2016-10-17 Thread Percy
ng > change/impact. Because 360 safe browser is the most dominant browser in China. Qihoo, the parent company of WoSign/StartCom, produced this browser. I assume Qihoo's browser will not take any action against its own CAs. So if Mozilla or other parties are not mandating WoSign/St

Re: Remediation Plan for WoSign and StartCom

2016-10-15 Thread Eric Mill
Oh, I read too quickly and saw it as a list of certificates whose expiration dates were within each month. In retrospect, that was not the most likely way the numbers would be distributed -- apologies for causing confusion. On Sat, Oct 15, 2016 at 6:20 PM, Kurt Roeckx wrote: >

Re: Remediation Plan for WoSign and StartCom

2016-10-15 Thread Kurt Roeckx
On Sat, Oct 15, 2016 at 06:07:50PM -0400, Eric Mill wrote: > For the convenience of the thread -- assuming that a 1-year-oriented policy > covered the certs up to and including those listed as 2017-10-01, then > summing up Kurt's numbers: > > * Certs expiring by Oct 2017: 2,088,329 > * Certs

Re: Remediation Plan for WoSign and StartCom

2016-10-15 Thread Eric Mill
because there > > are too many of them. > > > > *however* from what I remember almost all the time the free options of > > startcom/wosign were limited to one year. (I think there was a short > > period of time when it was possible to get 3-year-certs from wosign for >

Re: Remediation Plan for WoSign and StartCom

2016-10-15 Thread Kurt Roeckx
t remove the affected roots > > until 2019. > > Hi, > > From my understanding the problem here is that the alternative of simply > whitelisting the existing certificates isn't feasible, because there > are too many of them. > > *however* from what I remember almost all th

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Ryan Sleevi
t I remember almost all the time the free options of > startcom/wosign were limited to one year. (I think there was a short > period of time when it was possible to get 3-year-certs from wosign for > free, but they removed that shortly afterwards.) It was quite some time, and outside o

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Hanno Böck
he problem here is that the alternative of simply whitelisting the existing certificates isn't feasible, because there are too many of them. *however* from what I remember almost all the time the free options of startcom/wosign were limited to one year. (I think there was a short period of time when it was possibl

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Ryan Sleevi
mass-deployed versions, lack more extensive capabilities). As a consequence of this - which, to be fair, is not a problem of Mozilla's creation - there exists the ecosystem risk that in order to minimize any incompatibilities, these applications will need to continue to trust WoSign and StartCom for

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Percy
m%2Freport%2FWoSign_Incident_Report_Update_07102016.pdf=D=1=AFQjCNGRzAxwYrEEiA_SN5gfcsftSst0nA) > and that the CEO Richard Wang to be relieved of its duties. > > I'm calling WoSign out on this two-faced behavior towards Chinese end users > and foreign security researchers. WoSig

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 14/10/16 15:46, Gervase Markham wrote: > On 14/10/16 11:37, Rob Stradling wrote: >> Sure, but aren't we talking about specifying criteria for which log(s) >> StartCom/WoSign _can't_ use in future? >> >> If Mozilla would prefer to forbid StartCom/WoSign from using t

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 14/10/16 11:37, Rob Stradling wrote: > Sure, but aren't we talking about specifying criteria for which log(s) > StartCom/WoSign _can't_ use in future? > > If Mozilla would prefer to forbid StartCom/WoSign from using their own > or each other's logs, then ISTM that it would be

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread okaphone . elektronika
99% uptime sounds good but it allows being down for three and half days in a year. It's not actually a very high availability. ;-) CU Hans

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 14/10/16 10:50, Gervase Markham wrote: > On 14/10/16 10:41, Rob Stradling wrote: >> Gerv, does Mozilla need to make a final decision on this point immediately? >> >> I very much hope that there will be more CT logs by the time StartCom >> and/or WoSign are readmitte

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 13/10/16 23:42, Nick Lamb wrote: > Please can Mozilla ensure that both EY Hong Kong and the overarching > parent organisation in the United Kingdom (in Southwark) are informed > of this ban and get a copy of Mozilla's findings if they haven't > already ? This is a good idea; I will try and

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Gervase Markham
On 14/10/16 10:41, Rob Stradling wrote: > Gerv, does Mozilla need to make a final decision on this point immediately? > > I very much hope that there will be more CT logs by the time StartCom > and/or WoSign are readmitted into Mozilla's trust list. Why not delay > making this

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Rob Stradling
On 13/10/16 20:52, Gervase Markham wrote: > StartCom/WoSign have indicated ro me that they may have trouble > complying with the non-Google log requirement because it's hard to find > a non-Google log which can scale sufficiently. I suggest we allow them > some leeway on this b

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Kurt Roeckx
On 2016-10-14 10:19, Nick Lamb wrote: On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: Will there be any requirements around the qualification status of the logs, or could anyone who wanted to be "nice" just stand up a log, and have these CAs obtain precerts from them? I don't

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Kurt Roeckx
On 2016-10-14 03:20, Matt Palmer wrote: On Thu, Oct 13, 2016 at 09:49:50AM -0700, Kathleen Wilson wrote: 5. 100% embedded CT for all issued certificates, with embedded SCTs from at least one Google and one non-Google log not controlled by the CA. Will there be any requirements around the

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Nick Lamb
On Friday, 14 October 2016 02:21:36 UTC+1, Matt Palmer wrote: > Will there be any requirements around the qualification status of the logs, > or could anyone who wanted to be "nice" just stand up a log, and have these > CAs obtain precerts from them? I don't think Mozilla has declared any
