Mill
Cc: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org; Kurt Roeckx
Subject: Re: WoSign Root Renewal Request
This was explored in the past (several Japanese CAs collaborated and translated
the documents), but it ended up working badly when the translations weren't
following
@lists.mozilla.org] On
Behalf Of Martin Rublik
Sent: Tuesday, June 30, 2015 2:29 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: WoSign Root Renewal Request
On 30. 6. 2015 3:00, Richard Wang wrote:
Very thanks for your question.
This two root is a new root CA that only issued one test SSL for test
Of Richard Wang
Sent: Wednesday, July 1, 2015 9:11 AM
To: Kurt Roeckx; mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: WoSign Root Renewal Request
Hi Kurt, Hi Jesus, Hi Martin,
Very thanks for your help.
I think we misunderstanding the CRL number definition due our engineer bad
English
According to this clues, as I said in Zurich CABF meeting, China will also come
out a trust list that request browser and OS support.
And other countries will come a list, then Browser and OS need to maintain
hundreds trust list.
Is it a good idea?
Best Regards,
Richard
-Original
I also found some mistakes for the list:
1. I see some client certificate in the report that it say the email as common
name is wrong;
2. IP address is allowed by BR;
3. IDN is allowed, but also in the report
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:jeremy.row...@digicert.com]
Sent: Wednesday, November 18, 2015 5:17 AM
To: Rob Stradling <rob.stradl...@comodo.com>
Cc: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Bowen
<pzbo...@gmail.com>; Peter Gutmann <pgut...@cs.auckland.ac.nz>
Su
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Wednesday, November 18, 2015 12:33 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>; Peter Gutmann
<pgut...@cs.auckland.ac.nz>; mozilla-dev-security-pol...@lists.mozil
: Wednesday, November 18, 2015 10:28 AM
To: Richard Wang <rich...@wosign.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: Re: [FORGED] Name issues in public certificates
Rich
Yes, I think it should be kept. If some CA don't like this bit, then don't
apply it, so simple. No necessary to remove it in NSS.
Regards,
Richard
> On Sep 23, 2015, at 21:34, Adriano Santoni
> wrote:
>
> There's one thing that I still do not understand.
>
>
+100, should keep.
Regards,
Richard
> On Sep 23, 2015, at 06:12, Kathleen Wilson wrote:
>
> On 9/22/15 9:29 AM, Kathleen Wilson wrote:
>>>
>>> First, we need to determine if the Email trust bit should remain part of
>>> Mozilla's CA Certificate Policy.
>>
>> To be
I think FireFox plugin XPI need to be signed, this is the usage.
Regards,
Richard
> On Sep 24, 2015, at 20:53, Gervase Markham wrote:
>
>> On 24/09/15 02:58, Peter Kurrasch wrote:
>> I suppose my comment was not as clear as I intended but, yes, I think
>> Mozilla's
@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 10:41 AM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@comodo.com>;
mozilla-dev-security-pol...@lists.mozilla.org; Peter Gutmann
<pgut...@cs.auckland.ac.nz>
Subject: RE: [FORGED] Nam
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Wednesday, November 18, 2015 7:55 PM
To: Peter Bowen <pzbo...@gmail.com>
Cc: Rob Stradling <rob.stradl...@c
.mozilla.org; Richard Wang <rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 9:30 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 24/08/16 17:12, Jeremy Rowley wrote:
>> On incident 2, it sounds like they are both using the same
>&g
this cert is revoked in the same once it is issued.
Thanks for posting to CT.
Best Regards,
Richard
From: Eric Mill [mailto:e...@konklone.com]
Sent: Thursday, August 25, 2016 12:08 AM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org; Richard Wang
e Markham <g...@mozilla.org>
Cc: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Also, I think the biggest concern is the mis issuance issues were not reported
to Mozilla but were reported to Google. A fai
.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: RE: Incidents involving the CA WoSign
That's true. I think WoSign should chime in and provide clarity about what
happened. There's far too many innocent explanations to start crying foul.
However, the fact a researcher was able to obt
We revoked this certificate, and we know this certificate is for test only.
For transparency, WoSign announced full transparency for all SSL certificate
from July 5th that post all issued SSL certificate to Google log server,
browsers can distrust WoSign issued SSL certificate after that day if
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Matt Palmer
Sent: Thursday, August 25, 2016 2:48 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Thu, Aug 25, 2016 at 04:03:04AM +, Richard Wang wrote
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Friday, September 2, 2016 6:07 PM
To: Richard Wang <rich...@wosign.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
> And, as others have pointed out in th
Yes, we plan to post to one of the Google log server tommorrow.
Regards,
Richard
> On 2 Sep 2016, at 22:54, Peter Bowen <pzbo...@gmail.com> wrote:
>
>> On Fri, Sep 2, 2016 at 12:37 AM, Richard Wang <rich...@wosign.com> wrote:
>> We finished the CT posting, a
e. Thanks a million.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Ryan Sleevi
Sent: Thursday, September 1, 2016 2:14 AM
To: mozilla-dev-se
We will check this tomorrow.
Now our time is 23:32 at night.
Regards,
Richard
> On 2 Sep 2016, at 23:20, Peter Bowen <pzbo...@gmail.com> wrote:
>
>> On Fri, Sep 2, 2016 at 8:11 AM, Richard Wang <rich...@wosign.com> wrote:
>> Yes, we posted all 2015 issue
From the screenshot, we know why Percy hate WoSign so deeply, we know he
represent which CA, everything is clear now.
BTW, as I said that the two related pages in our website are deleted.
Regards,
Richard
> On 3 Sep 2016, at 02:16, Percy wrote:
>
>> On Friday,
: Sunday, September 4, 2016 5:19 AM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Richard,
Can you also please check the following two certificates? It looks like they
uiry email. Some question will be replied in the second report.
Best Regards,
Richard
-Original Message-
From: Kurt Roeckx [mailto:k...@roeckx.be]
Sent: Monday, September 5, 2016 1:34 AM
To: Richard Wang <rich...@wosign.com>
Cc: Gervase Markham <g...@mozilla.org>;
mo
Thanks for your comment.
For Github case:
1. what happened: issued the certificate that included un-validated domain,
and found out this mistake in the next day review, and revoked this
certificate.
2. why this happened: this is bug as you described, and due to many orders need
to review
WoSign is volunteering to "Require CT", see this:
https://bugs.chromium.org/p/chromium/issues/detail?id=626338
And we even plan to log code signing certificate and client certificate in the
future once our system upgrade is ready.
We think CT is a good solution for any mis-issued problem.
I am sure it is revoked, please check it again, thanks.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Patrick T
Sent: Thursday, September 1, 2016 5:07 PM
To:
ay, September 2, 2016 9:59 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: website control validation problem
On Thursday, September 1, 2016 at 6:16:53 PM UTC-7, Richard Wang wrote:
> For this case, WoSign notice Alibaba after getting report.
>
> I think this case is another
Richard
-Original Message-
From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Friday, September 2, 2016 12:01 AM
To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>>
Cc:
mozilla-dev-security-pol...@lists.mozilla.org<mailto:mozilla-dev-security-pol...@lists.
The posting to log server still not finished.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, September 1, 2016 11:11 PM
To: Richard Wang <rich...@wosign.com>
Cc: Ryan Sleevi <r...@sleevi.com>; mozilla-dev-
@lists.mozilla.org] On
Behalf Of Matt Palmer
Sent: Friday, September 2, 2016 4:51 PM
To: dev-security-policy@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Fri, Sep 02, 2016 at 06:53:23AM +, Richard Wang wrote:
> I think we are out of topic.
On the contrary, the trustworthin
<vtly...@gmail.com> writes:
>I think Eddy Nigg (founder of StartCom) and/or Richard Wang (of WoSign)
>should make a statement about this.
+1. I'd already asked for something like this earlier and got silence
+as a
response, which isn't inspiring
@lists.mozilla.org] On
Behalf Of Percy
Sent: Friday, September 2, 2016 2:23 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Thursday, September 1, 2016 at 11:01:08 PM UTC-7, Richard Wang wrote:
> OK I try to say some that I wish I do
>> On 2016-09-07 13:00, Gervase Markham wrote:
>> Hi Richard,
>>
>>> On 07/09/16 11:06, Richard Wang wrote:
>>> This discuss has been lasting two weeks, I think it is time to end
>>> it, it doesn’t worth to waste everybody’s precious time.
>>
&g
Got it, thanks.
We will reply to you soon.
By the way, the link you used in the page to our report is not correct.
Regards,
Richard
> On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote:
>
> Hi Richard,
>
>> On 07/09/16 11:06, Richard Wang wrote:
>>
report for
another incident X soon.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Wednesday, August 24, 2016 9:08 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Cc: Richard Wang <rich...@wosign.
It is posted, just Peter not find it that I told him the Log id.
We are also checking system again to double check if we missed some.
Please be patient for our full 20 pages report, thanks,
Regards,
Richard
> On 4 Sep 2016, at 12:12, Matt Palmer wrote:
>
>> On Sat,
on
the browser algorithm support.
Regards,
Richard
> On 4 Sep 2016, at 12:49, Peter Bowen <pzbo...@gmail.com> wrote:
>
>> On Thu, Sep 1, 2016 at 9:00 AM, Ryan Sleevi <r...@sleevi.com> wrote:
>>> On Wed, August 31, 2016 10:09 pm, Richard Wang wrote:
>>
once it is about to expire at every three years for OV SSL.
I wish Mozilla could accept my suggestion, and I am sure WoSign will do it
better after getting this so big lesson.
Thank you.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: dev-security-policy
1. All certs are revoked in time, please check our CRL;
2. WoSign logged all SSL cert since July 5th;
3. I know you are Chinese with good English, welcome to join WoSign, we need
good talent like you.
Regards,
Richard
> On 31 Aug 2016, at 01:33, Percy wrote:
>
> We
ty-pol...@lists.mozilla.org; Richard Wang
<rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
On Wed, Aug 24, 2016 at 6:08 AM, Gervase Markham <g...@mozilla.org> wrote:
> Dear m.d.s.policy,
>
> Several incidents have come to our attention involving
Repost to the same subject.
Regards,
Richard
> On 30 Aug 2016, at 15:11, Richard Wang <rich...@wosign.com> wrote:
>
> Dear all,
>
> This email is the formal reply from WoSign for this 3 incidents.
>
> First, thank you all very much to help WoSign to improve our sys
nbingb...@gmail.com> wrote:
>
> 在 2016年9月7日星期三 UTC+8下午6:08:33,Richard Wang写道:
>> Hi Gerv, Kathleen and Richard,
>>
>> This discuss has been lasting two weeks, I think it is time to end it, it
>> doesn’t worth to waste everybody’s precious time.
>> I make my confessio
Hi all,
We will publish a more comprehensive report in the next several days that will
attempt to cover most / all issues.
Thanks for your patience.
Regards,
Richard
> On 7 Sep 2016, at 18:58, Gervase Markham <g...@mozilla.org> wrote:
>
> Hi Richard,
>
>> On 07/0
Please don't mix StartCom with WoSign case, StartCom is 100% independent at
2015.
Even now, it still independent in the system, in the validation team and
management team, we share the CRL/OCSP distribution resource only.
Best Regards,
Richard
-Original Message-
From:
Hi Gerv,
This is the final report:
https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
Please let me if you have any questions about the report, thanks.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: Gervase Markham
Sent: Wednesday
“StartCom CA Ltd” in the UK are listed as being
> owned by "StartCom CA Ltd".[2] This seems circular, but our
> understanding is it actually refers to StartCom HK, which has the same
> name. StartCom UK is documented as having two directors. One is Gaohua
> (Richard) Wang, who will
This is the recent incident from GlobalSign.
Please notice WoSign incident is occurred in 2015 for free DV SSL, not OV or
EV.
Best Regards,
Richard
Begin forwarded message:
From: Doug Beattie
>
Date: September 21, 2016 at
First, I must make declaration that I don't know "Showfom", and I don't know if
he/she is a WoSign customer.
As I said in my final statement that I wish all Mozilla trusted CA can post
their issued certificate to CT log server for full trenchancy, I am sure not
WoSign mis-issued certificate,
First, I must make declaration that I don't know "Showfom", and I don't know if
he/she is a WoSign customer.
As I said in my final statement that I wish all Mozilla trusted CA can post
their issued certificate to CT log server for full transparency, I am sure not
WoSign mis-issued certificate
I think I know the reason; this may be helpful for your investigation.
This is a code bug from CA issuing system that the engineer mis-understand the
free additional domain added rule. System treat the "www" as a subdomain, most
case it is, but in this case, it is top domain.
Subscriber
Hi Gerv,
This is the updated incident report:
https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf .
Thanks.
Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of
See below inline, thanks.
Best Regards,
Richard
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, September 20, 2016 7:37 PM
To: Richard Wang <rich...@wosign.com<mailto:rich...@wosign.com>>
Subject: Re: Incidents involving the CA
See below inline, thanks.
Best Regards,
Richard
-Original Message-
From: Gervase Markham [mailto:g...@mozilla.org]
Sent: Tuesday, September 20, 2016 7:37 PM
To: Richard Wang <mailto:rich...@wosign.com>
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
On 16/09/16
...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Hi Richard,
Thanks for the additional information.
On 21/09/16 11:11, Richard Wang wrote:
> Some SHA-1 certificate is free SSL certificate that no any reason for
> us to help them get the SHA-1 certificate if we are inten
-09-21 16:26, Richard Wang wrote:
R: You can place order there and don't do the domain validation, 4 months
later, you finished the domain control validation, then issue the certificate.
Please try it by yourself here: https://buy.wosign.com/free/
So the date in the certificate is from when the orde
Lamb
Sent: Tuesday, September 20, 2016 9:06 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
On Tuesday, 20 September 2016 01:25:59 UTC+1, Richard Wang wrote:
> This case is WoSign problem, you found out all related subordinate companies
> a
to do any
comment. Sorry.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Tuesday, September 20, 2016 10:18 AM
To: Richard Wang <rich...@wosign.com>
Cc: Nick Lamb <tialara...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
of the two released reports.
Please let me if you have any questions about this statement, thanks.
Best Regards,
Richard Wang
CEO
WoSign CA Limited
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Richard
Thanks for your hard work. I wish you can finish check for all other CA's
report ASAP.
For WoSign, the report covered all 4 roots, not 3 roots.
For StartCom, Eddy can say something about it, StartCom is 1000% independent
for everything at 2015.
Best Regards,
Richard
-Original
Hi Gerv,
Please check this news (Feb 25th 2015) in OSCCA website:
http://www.oscca.gov.cn/News/201312/News_1254.htm that all China licensed CA
finished the PKI/CA system upgrade that all licensed CA MUST be able to issue
SM2 certificate to subscribers.
As I said in last year CABF face to face
day) is Dec. 20th for a free DV SSL
certificate that take so long time.
I wish I said this clearly, thanks.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, September 22, 2016 11:38 AM
To: Richard Wang <rich...@wosign.com&
> Are you saying out of over 40,000 orders over the last year, only six
> "stopped to move forward" for a period of a week or more and these happen to
> all have been ordered on Sunday, December 20, 2015 (China time)?
You mean we issued 40,000 certificates at Dec 20, 2015?
Here is the last two
But you can use OCSP Stapling in your web
server.
We don’t worry about most China online banking system and many ecommerce
website using the foreign CA certificate, what do you worry about? As I said,
we used Akamai CDN service that all hits will go to Akamai Edge servers first.
Best Regar
Sorry, the random apart time is from 20 minutes to 60 minutes, not to 40
minutes.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Thursday, September 22, 2016
server that need to resign after
the internet connection is ok.
For normal case, it is OK, good.
Thanks.
Best Regards,
Richard
-Original Message-
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Thursday, September 22, 2016 12:32 PM
To: Richard Wang <rich...@wosign.com>
Cc: G
OpenSSL OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
http://security.360.cn/cve/CVE-2016-6304/index.html?from=timeline=0
Best Regards,
Richard
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
Thank you very much for helping us.
For SM2 algorithm, this is out of this thread, I can discuss with you off list.
Regards,
Richard
> On Sep 16, 2016, at 22:32, Vincent Lynch <vtly...@gmail.com> wrote:
>
>> On Friday, September 16, 2016 at 6:07:56 AM UTC-4, Richard Wang
Please read the report carefully that it is NOT the validation system is
hijacked.
Regards,
Richard
> On Sep 16, 2016, at 21:31, Han Yuwei <hanyuwe...@gmail.com> wrote:
>
> 在 2016年9月16日星期五 UTC+8下午6:07:56,Richard Wang写道:
>> Hi Gerv,
>>
>> This is the final r
@lists.mozilla.org] On
Behalf Of Richard Wang
Sent: Friday, September 16, 2016 6:05 PM
To: Gervase Markham <g...@mozilla.org>
Cc: mozilla-dev-security-pol...@lists.mozilla.org
Subject: RE: Incidents involving the CA WoSign
Hi Gerv,
This is the final report:
https://www.wosign.com/
r Bowen [mailto:pzbo...@gmail.com]
Sent: Monday, September 19, 2016 10:31 PM
To: Richard Wang <rich...@wosign.com>
Cc: Gervase Markham <g...@mozilla.org>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign
Richard,
I'm still somewhat confuse
I checked the certificate that it is a client certificate issued the personal
-- PANG Ming Sum:
CN = PANG Ming Sum
E = todd.p...@autotoll.com.hk
OU = AUTOTOLL LIMITED
OU = 21506338215100635386
OU = 0001890584
O = Hongkong Post e-Cert (Organisational)
C = HK
The problem is this certificate
This is the standard way in China Internet, if a west company say something to
China company, all will support the west company.
PLEASE don’t move this technical problem to political issue, thanks.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
I checked our system that this is a standard order in our system that passes
the website control validation.
We issued more than 300K certificates for worldwide customers including many
famous company.
For Aliyun, it's our reseller partner, see this news:
As I explained, we use same script using API, different parameter point to
different API post URL for different CA, no any PKI hosting related.
Regards,
Richard
> On 29 Aug 2016, at 16:25, Gervase Markham wrote:
>
>> On 24/08/16 17:44, Peter Bowen wrote:
>> I think you are
Yes, we plan to revoke all after getting confirmation from subscriber. We are
doing this.
Regards,
Richard
> On 29 Aug 2016, at 16:38, Gervase Markham <g...@mozilla.org> wrote:
>
>> On 29/08/16 05:46, Richard Wang wrote:
>> For incident 1 - mis-issued certificate wit
Sure, all issued cert is passed the domain control validations.
Regards,
Richard
> On 29 Aug 2016, at 16:30, Gervase Markham <g...@mozilla.org> wrote:
>
>> On 25/08/16 04:38, Richard Wang wrote:
>> R: NOT this case you think. Due to root inclusion problem, WoSign
On Thursday, August 25, 2016 at 12:14:10 AM UTC-7, Richard Wang wrote:
> We can post all 2015 issued SSL certificate to CT log server if necessary.
Is there any reason not to do that proactively?
R: OK, we will post all 2015 issued SSL certificates to CT log server, but this
take time since
Yes, sorry for this.
As I admitted that this discussion gives us a big lesson that we know when we
need to report incident to all browsers. We guarantee we will do it better.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
cloudapp.net, which belongs to Microsoft
> Azure. I'm fairly certain this certificate was not authorized by Microsoft:
>
> https://crt.sh/?id=2980
>
> Thanks,
>
> Patrick
>
>> On 29/08/16 11:30, Richard Wang wrote:
>> Yes, we plan to revoke all
Hi Kathleen,
WoSign released the news today since I just came back from USA CABF meeting.
http://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm (in
Chinese)
https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm
(in English)
Best Regards,
: Monday, October 24, 2016 12:05 PM
To: Richard Wang <rich...@wosign.com>
Cc: Kathleen Wilson <kwil...@mozilla.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Remediation Plan for WoSign and StartCom
Hi Richard,
A few questions -
1) Your post says "Ther
Hi all,
This is the OEM certificate from Certum, Certum own and control everything with
its own validation, you can check the test site: https://ovpretest.wosign.com
that its CPS/CRL/OCSP/OID all belong to Certum.
I don't think WoSign can't be a reseller of other CA.
Thanks.
Best Regards,
This is a common way for all CAs that issued many intermediate CAs for its
resellers.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Ryan Sleevi
Sent: Wednesday, November 23,
I said many times that I am the Acting CEO of Wo sign now till the new CEO
arrives.
Even I am not the CEO instead of an employee, I think I can response the email
about WoSign that just tell everyone the fact, not representing the company
making any new decision.
Please check my previous
WoSign stopped to issue free SSL certificate from those two intermediate CAs
since Sept 29.
Best Regards,
Richard
> On 13 Nov 2016, at 17:07, Percy wrote:
>
> I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA
> even though Apple limited
Our promise is close the free SSL application in our own website:
buy.wosign.com.
And now we closed it in our PKI side.
Best Regards,
Richard
> On 9 Dec 2016, at 04:17, Gervase Markham <g...@mozilla.org> wrote:
>
>> On 05/12/16 13:41, Richard Wang wrote:
>> We checke
As I said before, you finished the domain validation.
This is DV SSL that no need to do the manual validation.
Best Regards,
Richard
> On 10 Dec 2016, at 09:33, "zbw...@gmail.com" wrote:
>
> 在 2016年12月6日星期二 UTC+8上午6:50:04,Percy写道:
>> lslqtz,
>> How did you obtain this
As I said, we have the right to keep it or close it at any time.
Best Regards,
Richard
> On 11 Dec 2016, at 12:47, Percy <percyal...@gmail.com> wrote:
>
>> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
>> Our promise is close the free SS
or disable it
at one channel but not another channel, which ultimately has the same security
if WoSign is doing the validation.
On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Bes
You are right, you have done the test same as my test, this don't mean you own
our intermediate CA root key.
For CSR, yes, our system doesn't validate the CSR self-signature. We think it
is better to validate it, so we will update our system to validate it soon.
For this test certificate
The nest.com certificate subject is:
CN = www.nest.com
O = Google Inc
L = Mountain View
S = California
C = US
This means this website owned by Google Inc. Right?
Best Regards,
Richard
-Original Message-
From: dev-security-policy
We checked our system, this order is from one of the reseller. We have many
resellers that used the API, we noticed all resellers to close the free SSL,
but they need some time to update the system.
The most important thing is this certificate is issued by proper way that this
subscriber
s will be issued, via wosign, resellers, no any other
> method?
>
>> On Monday, December 5, 2016 at 3:43:35 PM UTC-8, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We have many
>> resellers that used the API, we noticed all reselle
interaction about it and we're happy to hear that
Richard would like to help us out by transferring the domains.
Thanks Richard, I'll be in touch.
On Sunday, December 18, 2016 at 7:45:16 PM UTC-6, Richard Wang wrote:
> I wish everyone can talk about this case friendly and equally.
>
> I
I wish everyone can talk about this case friendly and equally.
It is very common that everyone can register any domain based on the first come
and first service rule.
We know Let's Encrypt is released after the public announcement, but two day
later, its .cn domain is still not registered, I
In this case, no any CA named as letsencrypt similar name, and no any CA want
to impersonate, most CA program require the root CA have a unique friendly
name in the CA program.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
] On
Behalf Of Gervase Markham via dev-security-policy
Sent: Friday, February 24, 2017 2:13 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Let's Encrypt appears to issue a certificate for a domain that
doesn't exist
On 22/02/17 17:08, Richard Wang wrote:
> I think "apple-
1 - 100 of 137 matches
Mail list logo