Re: Chinese root CA issues rogue/fake certificates

2016-09-08 Thread Matt Palmer
On Wed, Sep 07, 2016 at 04:15:47PM -0700, Eric Kuhnke wrote: > Further update on all known suspicious activity from Wosign: > > https://wiki.mozilla.org/CA:WoSign_Issues > > Seriously, what level of malice and/or incompetence does one have to rise > to in order to be removed from the Mozilla

Re: Chinese root CA issues rogue/fake certificates

2016-09-07 Thread George William Herbert
> On Sep 1, 2016, at 3:10 AM, Matt Palmer wrote: > > How the hell do you get from "the world does not work that way" to "please > pitch me your consulting services"? You appear ignorant of what real DR / resiliency can do, as do your local providers if they said that.

Re: Chinese root CA issues rogue/fake certificates

2016-09-07 Thread George William Herbert
> On Sep 1, 2016, at 3:19 AM, Stephane Bortzmeyer wrote: > > On Thu, Sep 01, 2016 at 11:36:57AM +1000, > Matt Palmer wrote > a message of 45 lines which said: > >> I'd be surprised if most business continuity people could even name >> their cert

Re: Chinese root CA issues rogue/fake certificates

2016-09-07 Thread Eric Kuhnke
Further update on all known suspicious activity from Wosign: https://wiki.mozilla.org/CA:WoSign_Issues Seriously, what level of malice and/or incompetence does one have to rise to in order to be removed from the Mozilla (and hopefully Microsoft and Chrome) trusted root CA store? Is this not

Re: Chinese root CA issues rogue/fake certificates

2016-09-01 Thread Stephane Bortzmeyer
On Thu, Sep 01, 2016 at 11:36:57AM +1000, Matt Palmer wrote a message of 45 lines which said: > I'd be surprised if most business continuity people could even name > their cert provider, And they're right because it would be a useless information: without DANE, *any* CA

Re: Chinese root CA issues rogue/fake certificates

2016-09-01 Thread Matt Palmer
On Wed, Aug 31, 2016 at 06:49:17PM -0700, Lyndon Nerenberg wrote: > > On Aug 31, 2016, at 6:36 PM, Matt Palmer wrote: > > > > Thanks, Netscape. Great ecosystem you built. > > Nobody at that time had a clue how this environment was going to scale, > let alone what the

Re: Chinese root CA issues rogue/fake certificates

2016-09-01 Thread Matt Palmer
On Wed, Aug 31, 2016 at 09:33:18PM -0700, George William Herbert wrote: > > On Aug 31, 2016, at 6:36 PM, Matt Palmer wrote: > > there's just way too many sites using WoSign (and StartCom) for the > > CAs' roots to just be pulled. Sad, but true. > > Not even. Pull away.

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread George William Herbert
> On Aug 31, 2016, at 6:36 PM, Matt Palmer wrote: > > there's just way too many sites using WoSign (and StartCom) for the > CAs' roots to just be pulled. Sad, but true. Not even. Pull away. > I'd be surprised if most business continuity people could even name their

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Mark Andrews
In message , Lyndon Nerenberg writes: > > On Aug 31, 2016, at 6:36 PM, Matt Palmer wrote: > > > > Thanks, Netscape. Great ecosystem you built. > > Nobody at that time had a clue how this environment was going to scale, > let

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Lyndon Nerenberg
> On Aug 31, 2016, at 6:36 PM, Matt Palmer wrote: > > Thanks, Netscape. Great ecosystem you built. Nobody at that time had a clue how this environment was going to scale, let alone what the wide-ranging security issues would be. And where were you back then, not saving

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Eric Kuhnke
"Too big to fail" Where have we heard that before? If business risk/continuity people knew not only how much of a single point of failure a root CA is, but other basic stuff like "Maybe it shouldn't be possible to login to your domain registrar's control panel with the password known by Bob

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Matt Palmer
On Wed, Aug 31, 2016 at 10:45:48AM -0800, Royce Williams wrote: > Hypothetically, it would be an interesting strategy for a CA to > publicly demonstrate this level of competence: > > https://www.schrauger.com/the-story-of-how-wosign-gave-me-an-ssl-certificate-for-github-com > > ... while at the

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Royce Williams
On Tue, Aug 30, 2016 at 9:11 PM, Royce Williams wrote: > On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke wrote: >> >> http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html >> >> One of the largest Chinese root certificate authority

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Mel Beckman
We've received several unsolicited certificate approval requests from WoSign on high-value domain names we manage. WoSign has never responded to our requests for information about the requesters. There really isn't anything we can do other than ignore the requests, but clearly somebody is

Re: Chinese root CA issues rogue/fake certificates

2016-08-31 Thread Eric Kuhnke
mozilla.dev.security thread: https://groups.google.com/forum/m/#!topic/mozilla.dev.security.policy/k9PBmyLCi8I/discussion On Aug 30, 2016 10:12 PM, "Royce Williams" wrote: > On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke > wrote: > > > >

Re: Chinese root CA issues rogue/fake certificates

2016-08-30 Thread Royce Williams
On Tue, Aug 30, 2016 at 8:38 PM, Eric Kuhnke wrote: > > http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html > > One of the largest Chinese root certificate authorities, WoSign, issued many > fake certificates due to a vulnerability. WoSign's free certificate

Chinese root CA issues rogue/fake certificates

2016-08-30 Thread Eric Kuhnke
http://www.percya.com/2016/08/chinese-ca-wosign-faces-revocation.html One of the largest Chinese root certificate authorities, WoSign, issued many fake certificates due to a vulnerability. WoSign's free certificate service allowed its users to get a certificate for the base domain if they were able