Accountapprovers, antispam, confirm, emeritus
4,925
edits
Changes
Fix CDN info
WoSign has issued two pairs of intermediates with the same issuer duplicate serial numbers - [https://crt.sh/?serial=44807b207cf2052e8d3411770266d295&iCAID=1450 one pair] with a notBefore in May 2015, and [https://crt.sh/?serial=3adec402270bf4ee9e892cc65e0ada21&iCAID=1450 one pair] with a notBefore in July 2015. All four certificates were issued by WoSign's "CA 沃通根证书" root. This is a violation of RFC 5280.
One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to the either Akamai 's CDN or what appears to be Qihoo 360's CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls, reusing a serial number for two intermediates is disappointing.
