Re: Apple's response to the WoSign incidents

2016-11-15 Thread Percy
On Tuesday, November 15, 2016 at 12:37:56 AM UTC-8, Thijs Alkemade wrote: > On 13 Nov 2016, at 10:08, Percy wrote: > > > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > > even though Apple limited "WoSign CA Free SSL Certificate G2"

Re: Apple's response to the WoSign incidents

2016-11-15 Thread Thijs Alkemade
On 13 Nov 2016, at 10:08, Percy wrote: > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate > CA. An example of site signed by "CA 沃通免费SSL证书 G2" intermediate CA is >

Re: Apple's response to the WoSign incidents

2016-11-14 Thread Tarah Wheeler
undisclosed intermediates (Peter Bowen) > 2. Re: Action on undisclosed intermediates (Rob Stradling) > 3. Re: Comodo issued a certificate for an extension (Eric Mill) > 4. Re: Apple's response to the WoSign incidents (Percy) > > > -

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
I said many times that I am the Acting CEO of WoSign now till the new CEO arrives. Even if I were not the CEO but instead an employee, I think I can respond to the email about WoSign that just tells everyone the fact, not representing the company making any new decision. Please check my previous

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
On Saturday, October 1, 2016 at 2:02:25 AM UTC-7, certificate-au...@group.apple.com wrote: > Blocking Trust for WoSign CA Free SSL Certificate G2 > > Certificate Authority WoSign experienced multiple control failures in their > certificate issuance processes for the WoSign CA Free SSL

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Richard Wang
WoSign stopped issuing free SSL certificates from those two intermediate CAs since Sept 29. Best Regards, Richard > On 13 Nov 2016, at 17:07, Percy wrote: > > I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA > even though Apple limited

Re: Apple's response to the WoSign incidents

2016-11-13 Thread Percy
I just found out that Apple doesn't limit "CA 沃通免费SSL证书 G2" intermediate CA even though Apple limited "WoSign CA Free SSL Certificate G2" intermediate CA. An example of site signed by "CA 沃通免费SSL证书 G2" intermediate CA is https://www.chelenet.com/ Those two intermediate certs are treated by

Re: Apple's response to the WoSign incidents

2016-10-02 Thread Percy
On Saturday, October 1, 2016 at 9:03:38 PM UTC-7, Kurt Roeckx wrote: > On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote: > > "Apple products will trust individual existing certificates issued from > > this intermediate CA and published to public Certificate Transparency log > > servers by

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Kurt Roeckx
On Sat, Oct 01, 2016 at 11:35:06AM -0700, Percy wrote: > "Apple products will trust individual existing certificates issued from this > intermediate CA and published to public Certificate Transparency log servers > by 2016-09-19" > > It seems that Apple has taken the explicit white-listed

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Eric Mill
On Sat, Oct 1, 2016 at 6:40 AM, wrote: > Do you have a link to that process and is it automated. Reason is I have a > few hundred startSSL certs that my clients rely on. > Apple's statement was limited specifically to WoSign. StartSSL certificates won't be affected, though

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Percy
"Apple products will trust individual existing certificates issued from this intermediate CA and published to public Certificate Transparency log servers by 2016-09-19" It seems that Apple has taken the explicit white-listed approach despite the size drawback mentioned in the other thread. I

Re: Apple's response to the WoSign incidents

2016-10-01 Thread Peter Bowen
On Sat, Oct 1, 2016 at 6:40 AM, wrote: > Do you have a link to that process and is it automated. Reason is I have a > few hundred startSSL certs that my clients rely on. I can't speak for the specific process Apple is using, but in general you can use https://crt.sh/ or

Apple's response to the WoSign incidents

2016-10-01 Thread ramriot
Do you have a link to that process and is it automated. Reason is I have a few hundred startSSL certs that my clients rely on. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org

Apple's response to the WoSign incidents

2016-10-01 Thread certificate-authority-prog...@group.apple.com
Blocking Trust for WoSign CA Free SSL Certificate G2 Certificate Authority WoSign experienced multiple control failures in their certificate issuance processes for the WoSign CA Free SSL Certificate G2 intermediate CA. Although no WoSign root is in the list of Apple trusted roots, this