Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Some facts for Mozilla to consider. WoSign Root is never trusted by Apple https://support.apple.com/en-ca/HT205205 https://support.apple.com/en-ca/HT205204 However, all WoSign leaf certs are trusted on Apple devices because WoSign intermediate authority is signed by StartCom.

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote: > Hi Richard, > > On 01/09/16 04:04, Richard Wang wrote: > > First, please treat WoSign as a global trusted CA, DON'T stamp as > > China CA. We need a fair treatment as other worldwide CAs that I am > > sure WoSign is not

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE124AE>) On Fri, Sep 2, 2016 at 5:04 PM, Richard Wang <rich...@wosign.com> wrote: > From the screenshot, we know why Percy hate WoSign so deeply, we know he > represent which CA, everything is clear now.

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Friday, September 2, 2016 at 9:57:24 PM UTC-7, Percy wrote: > Richard, > You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large > )that "WoSign has been oppressed by large American companies over the years > but has been growing steadily over the past 10

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
Richard, You claimed on weibo (https://pbs.twimg.com/media/CrZ1Oc6WIAABtrg.jpg:large )that "WoSign has been oppressed by large American companies over the years but has been growing steadily over the past 10 years and is now the 8th largest CA in the world". Is EFF one of your so called

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
! StartResell is in the background, you focus your sales, we do everything for you including PKI system, CRL and OCSP distribution, identity validation etc., we will use your company name to call your customer for identity validation, no other contact to your customer Percy Alpha(PGP <https://pgp.mit.

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Yeah, their entire website is designed and implemented by someone in China. See my analysis here http://www.percya.com/2016/09/startcom-operated-solely-in-china.html On Thursday, August 25, 2016 at 10:11:21 AM UTC-7, rugk wrote: > Hi, > I stumbled across this service by StartCom: >

Re: StartCom's StartPKI

2016-09-03 Thread Percy
Based on the disclosure WoSign/StartCom is trying to bury, WoSign CEO is now also in control of StartCom. Hence, the actively misleading information spread by him should be taken into consideration when talking about StartCom as well. ___

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
, the CEO of WoSign, stated "From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now." The screenshot refers to https://groups.google.com/d/msg/mozilla.dev.security.policy/k9PBmyLCi8I/5Lelu0oyDQAJ and the screenshot proves WoSign i

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Monday, September 5, 2016 at 3:58:34 PM UTC-7, Peter Bowen wrote: > On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham wrote: > > Several incidents have come to our attention involving the CA "WoSign". > > Mozilla is considering what action it should take in response to these >

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
In page 11, you mentioned that "System blocked many illegal request every day, the following screen shot is the reject order log", in which you attached a log with Google, Microsoft, QQ domains. Those domains are rejected because of the top domain whitelist. Does that mean those attempts passed

Re: Incidents involving the CA WoSign

2016-09-05 Thread Percy
On Friday, August 26, 2016 at 12:57:56 PM UTC-7, 233sec Team wrote: > Wosign's Issue mechanism is high risking for large enterprise. > This is one prove: > > https://gist.github.com/xiaohuilam/8589f2dfaac435bae4bf8dfe0984f69e > > Alicdn.com is the cdn asset domain name of Taobao/tmall who belong

Re: [FORGED] Re: Incidents involving the CA WoSign

2016-09-06 Thread Percy
UTN – DATACorp SGC <https://www.comodo.com/> 46A762F3C3CF3732DE22A8BA1EBBA3BC048F9B8C WoTrust Client Authority UTN-USERFirst-Client Authentication and Email <https://www.comodo.com/> 38CFE78D9F1F0B0637AFCAAA3D5549D87C0AA1D0 Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE124AE>) On Tue, Sep 6

Re: (Optional) list of participants

2016-09-06 Thread Percy
Percy Alpha; Researcher on Internet security and censorship in China http://percya.com ; CA related stuff: Broke the news on China's large scale MITM of Github in 2013, iCloud, Outlook, Yahoo in 2014; victim of Great Cannon (hijacking HTTP request) DDOS of the website and Github in 2015; called

Re: Incidents involving the CA WoSign

2016-09-01 Thread Percy
They have confirmed that it's a fake cert. Alibaba knew this prior to my contact and said they already contacted WoSign. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE124AE>) On Wed, Aug 31, 2016 at 3:15 AM, Gervase Markham <g...@mozilla.org> wrote: > On

Re: Incidents involving the CA WoSign

2016-09-02 Thread Percy
On Thursday, September 1, 2016 at 11:36:13 PM UTC-7, Richard Wang wrote: > Please remember this sentence: > Every re-distribution the wrong information will heavy his penalty (including > site cache or mirror site). > > You are harming him! You stated that he was a former employee of

Re: Incidents involving the CA WoSign

2016-09-03 Thread Percy
I did an analysis of the new StartCom website and determined that it was designed and implemented solely in China. http://www.percya.com/2016/09/startcom-operated-solely-in-china.html I'm further concerned with the security of "StartResell - Setup your own website, start to sell your brand

Re: Incidents involving the CA WoSign

2016-08-29 Thread Percy
"Some certificates are revoked after getting report from subscriber, but some still valid, if any subscriber think it must be revoked and replaced new one, please contact us in the system, thanks" WoSign seems to lack the basic understanding of how a certificate is used in authentication,

Re: Incidents involving the CA WoSign

2016-08-29 Thread Percy
On Monday, August 29, 2016 at 10:26:20 AM UTC-7, Gervase Markham wrote: > On 29/08/16 09:48, 蓝小灰 wrote: > > Of course I have private key of this certificate > > I have asked 蓝小灰 for cryptographic proof of this. > > Gerv Gerv, I've notified the security team in Alibaba about this possible fake

Re: formal reply RE: Incidents involving the CA WoSign

2016-08-30 Thread Percy
We classified this 33 misissuance certificate into two types: one type is we think this misissuance certificate is obviously not from the domain owner, we revoked this type certificates instantly after we know the misissuance Your statement is contradicted by the fact that the other two

Re: Incidents involving the CA WoSign

2016-08-30 Thread Percy
https://crt.sh is down. Maybe someone can check with comodo to see whether they got DDOSed? Here are the Google CT for the possibly mis-issued certs mentioned in this thread. It would be a lot harder to take down the Google CT. Possible fake cert for Github

Re: Incidents involving the CA WoSign

2016-09-07 Thread Percy
On Wednesday, September 7, 2016 at 3:08:33 AM UTC-7, Richard Wang wrote: > Hi Gerv, Kathleen and Richard, > > This discuss has been lasting two weeks, I think it is time to end it, it > doesn’t worth to waste everybody’s precious time. > I make my confession that our system and management do

Re: Incidents involving the CA WoSign

2016-08-31 Thread Percy
On Tuesday, August 30, 2016 at 7:47:43 PM UTC-7, itk9...@gmail.com wrote: > Wosign indirectly bought StartSSL, https://www.letsphish.org Ha! It makes so much sense now why StartEncrypt is such a catastrophe (https://www.google.com/search?q=StartEncrypt). I've revoked all StartCom certs in my OS.

Re: [FORGED] Re: WoSign’s Ownership of StartCom

2016-09-10 Thread Percy
I found the following info about Andy Ligg. 1) Interestingly, he used addresses/email/phone in HK, UK and Israel for various domains. 2) He registered various StartEncrypt and StartResell domains in April 2016. He is the owner of a list of domains epki.cloud 2016-03-25 GODADDY sccrl.com

Re: WoSign’s Ownership of StartCom

2016-09-10 Thread Percy
On Friday, September 9, 2016 at 2:49:07 AM UTC-7, Gervase Markham wrote: > Dear m.d.s.policy, > > We have been actively investigating reports that WoSign and StartCom may > have failed to comply with our policy on change of control notification. > Below is a summary representing the best of our

Re: Sanctions short of distrust

2016-09-13 Thread Percy
On Monday, September 12, 2016 at 2:46:40 PM UTC-7, Ryan Sleevi wrote: > On Wednesday, August 31, 2016 at 12:43:50 PM UTC-7, Nick Lamb wrote: > > I have spent some time thinking about this, but I am only one person, and > > one with relatively little in-depth knowledge of the Mozilla project, so I

Re: Ambiguous wording or the Mozilla CA security reporting requirement

2016-09-12 Thread Percy
I agree with Jakob. This is similar to case law vs. statutory law. Even though we can get the same understanding from various cases, I believe in this situation it will be clearer to codify such requirements explicitly. On Monday, September 12, 2016 at 10:38:48 AM UTC-7, Jakob Bohm wrote: > On

Re: Comodo issued a certificate for an extension

2016-09-24 Thread Percy
Ha! @Showfom perhaps you should try getting a wildcard cert from them and consequently obtain a cert for all *.sb domains.

Re: WoSign and StartCom

2016-09-28 Thread Percy
On Wednesday, September 28, 2016 at 12:16:51 AM UTC-7, Peter Gutmann wrote: > Percy <percyal...@gmail.com> writes: > >On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: > >> Participants may be interested in this blog post from Tyro: > >&g

Re: Incidents involving the CA WoSign

2016-10-04 Thread Percy
On Tuesday, October 4, 2016 at 4:41:18 AM UTC-7, Rob Stradling wrote: > Today we have revoked (via CRL and OCSP) all 3 of the cross-certificates > that we'd issued to WoSign: > > https://crt.sh/?id=3223853 > https://crt.sh/?id=12716343 > https://crt.sh/?id=12716433 > > See also: >

Re: WoSign: updated report and discussion

2016-10-08 Thread Percy
His writing style is very similar to StartCom's website which is produced in China. As we're examining the infrastructure of the two companies, could Mozilla ask Qihoo 360 to disclose the current personnel and technical infrastructure shared between WoSign and StartCom. WoSign has denied that

Re: WoSign and StartCom

2016-10-05 Thread Percy
"anyone issuing certificates for .cn, .hk or .mo domain *MUST* submit those certificate to the CT server set (with similar constraints as you require for WoSign/StartCom) " This means you're rather ill-informed about the Chinese Internet. Most Chinese sites still use .com domains. But this is

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-09-16 Thread Percy
On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote: > This request from Guangdong Certificate Authority (GDCA) is to include the > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and > enabled EV treatment. > > GDCA is a nationally recognized CA that

Re: Incidents involving the CA WoSign

2016-09-20 Thread Percy
On Monday, September 19, 2016, Richard Wang wrote: > Thanks for your pointing out one of the very important evidence for the > transaction is NOT completed till yesterday that we released the news after > it is finished at the first phase. We just finished the UK company >

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
is claiming Chinese law mandates such testing/deployment, please refer to such laws here and perhaps the community can take the local law into account. If however no such law exists, as far as I know, such a commitment to BR violation is not acceptable. On Friday, September 23, 2016, Percy <perc

Re: Incidents involving the CA WoSign

2016-09-23 Thread Percy
Richard, On behalf of most Chinese Internet users who do not speak English, I'm asking why WoSign is only making the final statement available in Chinese, but not the incident report. WoSign doesn't even have any statement, announcement or press release in Chinese regarding any of the incidents

Re: Sanctions short of distrust

2016-09-22 Thread Percy
Ha. I was the OP of that email. Richard's reply was " From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. " On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote: > On Wed, Sep 21, 2016 at 6:18 PM,

Re: WoSign and StartCom

2016-09-26 Thread Percy
"However, many eyes are on the Web PKI and if such additional back-dating is discovered (by any means), Mozilla will immediately and permanently revoke trust in all WoSign and StartCom roots." Could you elaborate a bit on concrete ways of discovering such backdating? As WoSign itself

Re: WoSign and StartCom

2016-09-27 Thread Percy
On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote: > On 26/09/16 15:20, Gervase Markham wrote: > > However, this forum is the appropriate place for discussing it. Please > > feel free to cut and paste any parts you wish to quote and comment on. > > Participants may be

Re: WoSign and StartCom

2016-09-27 Thread Percy
WoSign's official website stated that "For Free SSL Certificate, it support 20 domain names for 3 years period" (https://buy.wosign.com/free/freeEmailcert.html). In order to identify possible backdated certs in the future, I suggest that WoSign/StartCom be mandated to upload all unexpired
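The question asked above about concrete ways of discovering back-dating, and the suggestion that the CAs upload all unexpired certificates to CT, both come down to one check: a certificate cannot be logged before it exists, so its earliest CT timestamp bounds the real signing time from above, and a SHA-1 certificate whose notBefore sits before the 2016-01-01 ban but whose first CT appearance is well after it deserves a look. The following is an added example, not code from the thread, from Mozilla or from any CA; the record layout, the field names and the 14-day tolerance are this example's own assumptions, and the sample records are constructed.

```python
"""Heuristic triage for back-dated SHA-1 certificates.

Added example; it is not code from the thread, from Mozilla or from any CA.
It rests on two facts discussed in the thread: SHA-1 issuance was forbidden
by the Baseline Requirements from 2016-01-01, and browser blocks keyed on the
certificate's notBefore date, so a CA wishing to keep issuing SHA-1 could
back-date notBefore into 2015. A certificate cannot be logged to CT before it
exists, so the earliest CT timestamp for it (an embedded SCT, or the first
time a log saw it) is an upper bound on when it was really signed. A large gap
between notBefore and first logging, landing after the ban, is worth a look.
The records and field names below are constructed for this example.
"""
from datetime import datetime, timedelta

SHA1_BAN = datetime(2016, 1, 1)
GRACE = timedelta(days=14)      # assumed tolerance for honest signing-to-logging delay


def looks_backdated(cert):
    """cert: dict with 'serial', 'sig_alg', 'not_before', 'first_logged'.

    Returns (suspicious, reason). 'first_logged' should be the earliest CT
    timestamp known for the certificate; an embedded SCT is the tightest bound.
    """
    if not cert["sig_alg"].lower().startswith("sha1"):
        return False, "not SHA-1"
    if cert["not_before"] >= SHA1_BAN:
        return False, "notBefore is after the ban; browsers block it outright"
    gap = cert["first_logged"] - cert["not_before"]
    if cert["first_logged"] >= SHA1_BAN and gap > GRACE:
        return True, (f"SHA-1 cert dated {cert['not_before']:%Y-%m-%d} first logged "
                      f"{gap.days} days later, after the SHA-1 ban")
    return False, "logged close to notBefore"


def scan(certs):
    """Return the serials of certificates that deserve manual review."""
    return [c["serial"] for c in certs if looks_backdated(c)[0]]


# Constructed sample records (not real certificates).
SAMPLE_CERTS = [
    {"serial": "01", "sig_alg": "sha256WithRSAEncryption",
     "not_before": datetime(2016, 2, 1), "first_logged": datetime(2016, 2, 2)},
    {"serial": "02", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2015, 12, 20), "first_logged": datetime(2015, 12, 21)},
    {"serial": "03", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2015, 12, 20), "first_logged": datetime(2016, 3, 1)},
    {"serial": "04", "sig_alg": "sha1WithRSAEncryption",
     "not_before": datetime(2016, 1, 10), "first_logged": datetime(2016, 1, 11)},
]

if __name__ == "__main__":
    for c in SAMPLE_CERTS:
        print(c["serial"], *looks_backdated(c))
    print("review:", scan(SAMPLE_CERTS))
```

This ranks candidates; it does not prove back-dating. A certificate honestly issued in 2015 and only submitted to a log by a third-party crawler in 2016 trips the same test, which is exactly why the proposal above matters: if the CA itself must log every certificate at issuance, the first CT timestamp becomes a real bound on the signing time rather than a bound on when somebody else happened to notice the certificate.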

Re: Apple's response to the WoSign incidents

2016-10-02 Thread Percy
On Saturday, October 1, 2016 at 9:03:38 PM UTC-7, Kurt Roeckx wrote: > On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote: > > "Apple products will trust individual existing certificates issued from > > this intermediate CA and published to public Certificate Transpare

Re: WoSign and StartCom

2016-10-02 Thread Percy
On Monday, September 26, 2016 at 7:21:13 AM UTC-7, Gervase Markham wrote: > Today, Mozilla is publishing an additional document containing further > research into the back-dating of SHA-1 certificates, in violation of the > CAB Forum Baseline Requirements, to avoid browser blocks. It also >

Re: WoSign and StartCom: next steps

2016-09-29 Thread Percy
On Thursday, September 29, 2016 at 10:12:37 AM UTC-7, Han Yuwei wrote: > On Thursday, September 29, 2016 at 11:41:12 PM UTC+8, Gervase Markham wrote: > > Hi everyone, > > > > Following the publication of the recent investigative report, > > representatives of Qihoo 360 and StartCom have requested a face-to-face > >

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Percy
"Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19" It seems that Apple has taken the explicit white-listed approach despite the size drawback mentioned in the other thread. I

Re: StartCom & Qihoo Incidents

2016-10-27 Thread Percy
So this is it? Qihoo can continue to get away with this MITM browser?

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
That you have to ask WoSign. The exact wording is "将增加一个产品选项,用户可以选购从新的沃通(WoSign)中级根证书下签发的支持所有浏览器(包括火狐浏览器)的SSL证书,在过渡期八折优惠。此中级根证书将由全球信任的其他CA根证书签发,支持所有浏览器和所有新老终端设备。此项产品升级计划一个月内完成并为广大用户提供证书服务;" [A product option will be added: users can choose to buy SSL certificates issued under the new WoSign intermediate root certificate, supported by all browsers (including Firefox), at a 20% discount during the transition period. This intermediate root certificate will be issued by another globally trusted CA root certificate and supports all browsers and all new and old end devices. This product upgrade is planned to be completed within one month and to provide certificate services to users;] My translation: [WoSign] will add a new product selection. Users can choose SSL certs signed by the new

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-26 Thread Percy
Kathleen, This coverage is very encouraging! Among the sites you included, huanqiu, which is a newspaper operated by the central government, is notable. So far, no censorship has been observed, contrary to the blanket censorship of the previous CNNIC case.

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
StartCom, on the other hand, issued no announcement (https://startssl.com/News) even under multiple explicit inquiries from multiple users (https://forum.startcomca.com/viewforum.php?f=16=549011a08d3a081898f1e1542d3ecc10).

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-25 Thread Percy
WoSign has posted an announcement regarding Mozilla's decision. In the announcement, WoSign stated that WoSign actively cooperated with the investigation and has always fixed all the issues immediately after discovery, and called Mozilla's decision "exceptionally severe". Certs issued by

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Percy
On Thursday, October 27, 2016 at 3:22:03 AM UTC-7, wangs...@gmail.com wrote: > On Thursday, October 27, 2016 at 8:09:06 AM UTC+8, Peter Kurrasch wrote: > > I think these are both good points and my recommendation is that Mozilla > > deny GDCA's request for inclusion. > > > > > > We should not have to explain

Re: StartCom & Qihoo Incidents

2016-10-28 Thread Percy
On Thursday, October 27, 2016 at 5:26:23 PM UTC-7, Erwann Abalea wrote: > On Thursday, October 27, 2016 at 09:55:09 UTC+2, Percy wrote: > > So this is it? Qihoo can continue to get away with this MITM browser? > > I'm afraid that can't be solved by Mozilla. Qihoo is free to

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-27 Thread Percy
"When facing any requirements of laws and regulations or any demands for undergoing legal process of court and other agencies, GDCA must provide confidential information in this CP" Can GDCA specify what other agencies are included? In China, many requests are relayed simply through a phone

Re: WoSign: updated report and discussion

2016-10-29 Thread Percy
Gerv, I believe I found that the new updated report still contains intentional deception. Issue P: Use of SM2 Algorithm (Nov 2015) WoSign stated that it's only used for testing purposes. However, on the official website (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
So 400 million Chinese users[1] are left vulnerable to MITM by even a casual attacker and we cannot do anything about it!? [1]: http://se.360.cn/

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the entire company into question. And such trust, in my view, should be evaluated when WoSign/StartCom submit their re-inclusion requests in the future. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vin

Re: StartCom & Qihoo Incidents

2016-10-29 Thread Percy
On Saturday, October 29, 2016 at 5:54:10 PM UTC-7, Matt Palmer wrote: > On Sat, Oct 29, 2016 at 02:59:07PM -0700, Percy wrote: > > Perhaps not. However, Qihoo 360's behavior calls the trustworthiness of the > > entire company into question. And such trust, in my view, should be >

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
by default. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE124AE>) On Sat, Oct 29, 2016 at 11:36 PM, 谭晓生 <tanxiaosh...@360.cn> wrote: > Is there anybody thought about why it happens in China? Why the local > browser did not block the self-issued certif

WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Percy
You can see from image1 that all StartCom roots are marked distrust systemwide. No WoSign roots are included on Mac. However when I'm accessing https://www.schrauger.com/ in Chrome, the HTTPS connection is marked as valid (image2) and the certification authority of WoSign is regarded as a
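The observation above (every StartCom root marked distrusted, no WoSign root present, and a WoSign-issued site still validating) is what path building does when the issuing intermediate has more than one signer: distrusting one root only removes the paths that run through it. What follows is an added example of that mechanism and is not code from the thread, from Apple or from any CA. The certificate store, the anchor set and the names in it (WoSign, StartCom, UTN, the leaf) are constructed stand-ins chosen to mirror the thread, not real certificates, and `find_paths`/`is_trusted` are this example's own functions.

```python
"""Path building over a small, constructed trust graph.

Added example; it is not code from the mailing-list thread or from any CA or
browser vendor. It models the situation described above: a leaf whose issuing
intermediate is signed by more than one root keeps validating after one of
those roots is distrusted, because path building finds the other route.
The names mirror the thread (WoSign, StartCom, UTN) but every certificate
here is a constructed stand-in, not a real certificate.
"""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Constructed certificate store. One subject may appear with several issuers;
# each such entry is a cross-signature of the same intermediate key.
CERT_STORE = [
    Cert("WoSign Root", "WoSign Root"),                # self-signed; absent from the anchors below
    Cert("StartCom Root", "StartCom Root"),
    Cert("UTN Root", "UTN Root"),
    Cert("WoSign Intermediate", "WoSign Root"),        # issued under the CA's own root
    Cert("WoSign Intermediate", "StartCom Root"),      # cross-sign
    Cert("WoSign Intermediate", "UTN Root"),           # second cross-sign
    Cert("leaf example.test", "WoSign Intermediate"),
]

# Trust anchors the verifier ships. WoSign Root is deliberately not among them.
ANCHORS = frozenset({"StartCom Root", "UTN Root"})


def find_paths(leaf_subject, store, anchors, distrusted=frozenset(), max_depth=6):
    """Return every chain leaf -> ... -> anchor as a list of subject names.

    A chain counts only if it ends at a self-signed certificate in `anchors`
    and no certificate on it (matched by subject) is in `distrusted`.
    """
    paths = []

    def walk(subject, chain):
        if len(chain) > max_depth:
            return
        for cert in store:
            if cert.subject != subject or cert.subject in distrusted:
                continue
            if cert.issuer == cert.subject:            # self-signed: end of the road
                if cert.subject in anchors:
                    paths.append(chain + [cert.subject])
                continue
            if cert.issuer in chain:                   # guard against cycles
                continue
            walk(cert.issuer, chain + [cert.subject])

    walk(leaf_subject, [])
    return paths


def is_trusted(leaf_subject, store, anchors, distrusted=frozenset()):
    """True if at least one untainted path to an anchor exists."""
    return bool(find_paths(leaf_subject, store, anchors, distrusted))


if __name__ == "__main__":
    leaf = "leaf example.test"
    for label, bad in [("no distrust", set()),
                       ("StartCom Root distrusted", {"StartCom Root"}),
                       ("both roots distrusted", {"StartCom Root", "UTN Root"}),
                       ("intermediate distrusted", {"WoSign Intermediate"})]:
        print(f"{label}: {find_paths(leaf, CERT_STORE, ANCHORS, bad)}")
```

The practical point is in the last two cases: distrusting roots one at a time only closes the routes you happen to know about, while distrusting the intermediate (or, in a real verifier, its key) closes every route through it at once. Real chain validation also checks validity periods, signatures, name constraints and key usage; this example deliberately isolates the path-building step.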

Re: WoSign still trusted somehow on Mac even after manual distrust of StartCom

2016-11-08 Thread Percy
Yeah, I suspected so but I didn't find it in the security content (https://support.apple.com/en-ca/HT207275). I remember when Gerv discussed the idea of whitelisting intermediate certs, he mentioned that Firefox didn't want to undermine user sovereignty by overriding the user's trust choice. I

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-11-07 Thread Percy
On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > The security blog about Distrusting New WoSign and StartCom Certificates has > been published: > > https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/ > > Chinese translations of

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
I'd also like to point out that Qihoo 360 cheated in all anti-virus tests http://www.computerworld.com/article/2917384/malware-vulnerabilities/antivirus-test-labs-call-out-chinese-security-company-as-cheat.html When Qihoo was caught out, Qihoo turned it into a marketing campaign, calling AV-C

Re: Remediation Plan for WoSign and StartCom

2016-10-17 Thread Percy
> I’m not sure what I could reasonably require (and enforce) of the CA in > regards to communicating with their customers. > I recall that my security blog about CNNIC got censored in China, so I'm not > sure what Mozilla can do about informing the CA's customers of this pending >

Re: Remediation Plan for WoSign and StartCom

2016-10-21 Thread Percy
Samuel, I absolutely agree with what you're saying. That's why I suggested to Mozilla that it mandates WoSign/StartCom to disclose such information on its websites or otherwise inform their customers. Currently, new customers have no way to know until it's too late, i.e when Firefox releases

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-10-20 Thread Percy
Thanks for bringing the discrepancy to our attention. Even the cover pages of the English and Chinese versions of the CPS are dated differently. English Global Digital Cybersecurity Authority CO., LTD. Certification Practice Statement (CPS) Version: V4.3 Effective Date: July 1, 2016 Chinese

Re: Remediation Plan for WoSign and StartCom

2016-10-20 Thread Percy
Kathleen, As most users affected by this decision are Chinese, will you be able to make the blog post available in Chinese on the security blog as well? You can ask the Chinese Firefox community or me to translate. As I stated earlier, there is almost no news of the distrust of

Re: Guang Dong Certificate Authority (GDCA) root inclusion request

2016-11-15 Thread Percy
On Wednesday, August 3, 2016 at 2:45:23 PM UTC-7, Kathleen Wilson wrote: > This request from Guangdong Certificate Authority (GDCA) is to include the > "GDCA TrustAUTH R5 ROOT" certificate, turn on the Websites trust bit, and > enabled EV treatment. > > GDCA is a nationally recognized CA that

Re: Apple's response to the WoSign incidents

2016-11-15 Thread Percy
On Tuesday, November 15, 2016 at 12:37:56 AM UTC-8, Thijs Alkemade wrote: > On 13 Nov 2016, at 10:08, Percy <percyal...@gmail.com> wrote: > > > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > > even though Apple limit

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate CA. An example of site signed by"CA 沃通免费SSL证书 G2" intermediate CA is https://www.chelenet.com/ Those two intermediate certs are treated by

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
On Saturday, October 1, 2016 at 2:02:25 AM UTC-7, certificate-au...@group.apple.com wrote: > Blocking Trust for WoSign CA Free SSL Certificate G2 > > Certificate Authority WoSign experienced multiple control failures in their > certificate issuance processes for the WoSign CA Free SSL

Re: Distrusting New WoSign and StartCom Certificates -- Mozilla Security Blog

2016-10-31 Thread Percy
the early removal process. Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE124AE>) On Mon, Oct 31, 2016 at 4:18 PM, Ryan Sleevi <r...@sleevi.com> wrote: > On Monday, October 24, 2016 at 6:09:50 PM UTC-7, Kathleen Wilson wrote: > > The security bl

Re: Something About CFCA (China Financial Certification Authority)

2016-10-31 Thread Percy
On Sunday, October 30, 2016 at 4:19:12 AM UTC-7, Han Yuwei wrote: > According to their CPS (Chinese version 3.2 Jul.2016), > > 1. All CAs can issue SM2 certificates and uses SM3 Hash. > > 2. There is a "signing key" generated by subscriber and "encryption key" > generated by CFCA which

Re: WoSign: updated report and discussion

2016-10-31 Thread Percy
According to http://se.360.cn/event/gmzb.html, the browser needs to send a http header Accept-Protocal: SM-SSL. Perhaps someone can do an Internet scan against Chinese sites (especially gov) to observe SM2 certs Percy Alpha(PGP <https://pgp.mit.edu/pks/lookup?op=vindex=0xF30D100F7FE12

Re: WoSign: updated report and discussion

2016-10-30 Thread Percy
On Sunday, October 30, 2016 at 6:15:48 AM UTC-7, Gervase Markham wrote: > On 29/10/16 22:42, Percy wrote: > > However, on the official website > > (https://www.wosign.com/about/Why_WoSign.htm) WoSign stated that "沃通是 > > 中国唯一一家也是全球唯一一家能签发全球信任的采用国产加密算法(SM2) 的 [WoSign is the only one in China, and the only one in the world, able to issue globally trusted ... using the domestic cryptographic algorithm (SM2)]

Re: StartCom & Qihoo Incidents

2016-10-30 Thread Percy
On Wednesday, October 12, 2016 at 12:12:08 PM UTC-7, Ryan Sleevi wrote: > As Gerv suggested this was the official call for incidents with respect to > StartCom, it seems appropriate to start a new thread. > > It would seem that, in evaluating the relationship with WoSign and Qihoo, we >

Re: Remediation Plan for WoSign and StartCom

2016-10-13 Thread Percy
> Others have noted the mismatch here with an October 1 date elsewhere in > the document. I think we should pick a single date in the future, to > allow the CAs concerned to wind down operations without leaving > customers having just obtained certs which will stop working in a few > months.

Re: WoSign: updated report and discussion

2016-10-09 Thread Percy
Tan said, for StartCom and WoSign’s infrastructure, the PKI servers were/are shared, the CRL/OCSP, TSA code were cloned and the StartCom and WoSign shared the software development team. Also some management team are shared I assume since Richard Wang approved Tyro's backdated cert from

Re: StartCom & Qihoo Incidents

2016-10-12 Thread Percy
The Chinese wikipedia has well documented controversies surrounding Qihoo 360. Unfortunately, it's not translated into the English Wikipedia. So please go to https://zh.wikipedia.org/wiki/%E5%A5%87%E8%99%8E360#.E5.95.86.E4.B8.9A.E7.9F.9B.E7.9B.BE.E4.B8.8E.E4.BA.89.E8.AE.AE.E4.BA.8B.E4.BB.B6 and

Re: WoSign: updated report and discussion

2016-10-12 Thread Percy
On Monday, October 10, 2016 at 2:16:53 PM UTC-7, Matt Palmer wrote: > On Mon, Oct 10, 2016 at 10:33:15AM -0700, Nick Lamb wrote: > > Would anybody here _seriously_ be shocked to read next month that a black > > hat group is auctioning some StartCom private keys ? On the evidence > > available we

Re: WoSign: updated report and discussion

2016-10-12 Thread Percy
(Hmm, my previous comment about two-faced WoSign disappeared from the Google group, probably due to anti-spam. Gerv, can you recover it for me?) I also want to point out that WoSign is currently asking customers to go to StartCom to get DV certs. If we continue to trust StartCom, then WoSign

Re: Remediation Plan for WoSign and StartCom

2016-10-14 Thread Percy
On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote: > WoSign has so far announced nothing about those incidents or immediate > distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a > press release dated Oct 8th > (https://www.wosign.com/news/

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-10 Thread Percy
On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote: > Our promise is close the free SSL application in our own website: > buy.wosign.com. > > And now we closed it in our PKI side. > > > Best Regards, > > Richard > > > On 9 Dec 2016, at 04:17, Gervase Markham

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-12 Thread Percy
ecember 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote: > As I said, we have the right to keep it or close it at any time. > > > Best Regards, > > Richard > > > On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote: > > > >> On Saturday,

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-14 Thread Percy
lslqtz, Could you host a subdomain, say wosign.loliwiki.org, with this cert? So we can test that the blocking is functioning correctly.

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-15 Thread Percy
On Wednesday, December 14, 2016 at 8:29:24 PM UTC-8, zbw...@gmail.com wrote: > On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote: > > lslqtz, > > Could you host a subdomain say wosign.loliwiki.org with this cert? So we > > can test the blocking is functioning correctly. > >

Please restrict/remove WoSign and StartCom CA from Android

2016-12-17 Thread Percy
WoSign and StartCom have been included as root CAs in official Android builds. (https://code.google.com/p/android/issues/detail?id=71363 https://code.google.com/p/android/issues/detail?id=21632) Apple has restricted/removed WoSign and StartCom from iOS 10.2. "Google has determined that two CAs,

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
WoSign is actively deceiving this community again. On Nov. 13th, in the thread Apple's response to the WoSign incidents, I stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate, should be time constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
On the WoSign website https://buy.wosign.com/free/?lan=en , it clearly states that "Sorry, due to some security consideration, WoSign decide to close the free SSL certificate application temporarily. Sept. 29th 2016."

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
lslqtz, How did you obtain this certificate from WoSign? Through the public website or some other means?

Re: In September 29, 2016, WoSign stop issuing free certificate, but I still successfully get it.

2016-12-05 Thread Percy
> The most important thing is this certificate is issued by proper way that > this subscriber finished the domain validation, so this is not a > mis-issuance, not "deceiving". > > Best Regards, > > Richard > > > On 6 Dec 2016, at 06:57, Percy <percyal...@gma

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-19 Thread Percy
d** marketing emails to websites that use Let's Encrypt cert essentially saying Let's Encrypt might revoke cert at will and ask users to switch to WoSign (Email attached). After I posted on the forum about this, WoSign stated "From the screenshot, we know why Percy hate WoSign so deeply, we know h

Re: wosign and letsencrypt.cn / letsencrypt.com.cn

2016-12-16 Thread Percy
Well, based on the previous deception of WoSign before, during and after Mozilla's investigation, I'm not remotely surprised to see this. On Friday, December 16, 2016 at 10:18:27 AM UTC-8, tde...@gmail.com wrote: > It seams that wosign has registered the domains letsencrypt.cn and >

Re: Remove old WoSign root certs from NSS

2017-08-04 Thread Percy via dev-security-policy
On Thursday, August 3, 2017 at 3:55:34 PM UTC-7, Kathleen Wilson wrote: > On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote: > > I also think we should remove the old WoSign root certs from NSS. > > > > Reference: > > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Percy via dev-security-policy
> You will fail #4. Because your system, as designed, cannot and does not > comply with the Baseline Requirements. Is there a design outline in the security audit as well? No one in the community can judge either yours or WoSign's statement as this information is not shared with us. I suggest

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote: > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy > > wrote: > > > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: > >> > >> Please note

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Percy via dev-security-policy
So it seems that Richard Wang still has the final executive decisions regarding security in daily operations. Basically WoSign simply changed the title of the position from CEO to COO and bypassed Mozilla's requirement? On Sunday, July 9, 2017 at 7:26:28 PM UTC-7, Richard Wang wrote: > The

Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote: > Hi Ryan, > > > > For your question “Do you believe that, during the discussions about how to > respond to WoSign's issues, the scope of impact was underestimated?”, the > answer is YES. > > > > After Oct 21 2016, WoSign

Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote: > On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: > > 7. At Quihoo: Actually get rid of Richard Wang, not just change his > >title from CEO to COO. > > I didn't map the new hierarchy of the "Spanish"

Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/ Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign and StartCom have failed to maintain the standards required by our Trusted Root Program. Observed

Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote: > On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy < > dev-security-policy@lists.mozilla.org> wrote: > > On 01/05/17 07:52, Percy wrote: > >> It seems that StartCom continues to se
