CA/WoSign Issues

568 bytes added, 11:19, 28 September 2016
Update Issue O with WoSign response
One of each pair has CRL and OCSP URLs with domains such as cr.wscrl.cn, oc.wsocsp.cn and ai.wscrl.cn. These domains no longer exist. The other one of each pair has CRL and OCSP URLs at subdomains of wosign.cn; these subdomains do exist, and point to either Akamai's CDN or what appears to be Qihoo 360's CDN. In the case of one of the pairs, the first cert was logged in the 'pilot' CT log about a month before the second one. One possibility is that WoSign was planning to adopt one strategy for CRL and OCSP hosting, and then changed strategy, which necessitated re-issuing the intermediates with new URLs. If that is the case, it raises the question of why the notBefore date for both certificates is the same.
Thanks to Kurt Roeckx and Rob Stradling for their help with this issue.
===WoSign Response===
By private mail, Richard Wang of WoSign said that the plan was to use a CDN with a different domain, but in discussions with the CDN provider there turned out to be no need to change the domain, so they changed the plan to use the existing domain and reissued the intermediate certificate. At that point, they "forgot to change the serial number". The old one issued only test certificates for two months. WoSign plans to revoke "this two intermediate CA and all issued certificates soon" (by which I assume he means the two certificates with the older domain names).
===Further Comments and Conclusion===
Given that intermediates are issued manually rather than in an automated fashion, and should normally be surrounded by strong controls as they involve issuance directly from the root, reusing a serial number for two intermediates shows a disappointing lack of care and appropriate processes.
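The control that would have caught this is mechanical: for every certificate an issuer has signed, the pair (issuer name, serial number) must be unique. The script below is an added example, not part of this wiki page and not WoSign's tooling. It parses DER certificates with a small standard-library-only DER reader, groups them by the byte-exact issuer Name and serial, and reports any pair shared by more than one distinct certificate, together with each certificate's CRL distribution point URLs so that a change of CRL hosting between the two copies (the pattern described above) is visible in the report. Because real certificates cannot be embedded here, the three sample "intermediates" are constructed in-code with a toy DER encoder, using placeholder issuer names and `.example` URLs; in practice the input would be the certificates pulled from a CT log such as the 'pilot' log mentioned above.

```python
# Added example: flag serial-number reuse among certificates sharing an issuer. The sample
# "intermediates" are constructed in-code (toy DER encoder, placeholder URLs), not WoSign's certs.
import hashlib
from collections import defaultdict

# ---- minimal DER encoder, used only to build the constructed sample input ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(v):            # one byte of headroom keeps the sign bit clear for positive values
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def oid(dotted):           # OBJECT IDENTIFIER content bytes (base-128 arcs after the first two)
    a = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * a[0] + a[1]])
    for p in a[2:]:
        enc = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            enc.insert(0, 0x80 | (p & 0x7F))
        out += bytes(enc)
    return bytes(out)

def der_name(cn):          # Name ::= SEQUENCE OF (SET OF AttributeTypeAndValue); CN only
    return der(0x30, der(0x31, der(0x30, der(0x06, oid("2.5.4.3")) + der(0x0C, cn.encode()))))

def sample_cert(serial, issuer_cn, subject_cn, crl_url):
    """Structurally valid v3 certificate with placeholder key and signature bits (constructed)."""
    sig_alg = der(0x30, der(0x06, oid("1.2.840.113549.1.1.11")))   # sha256WithRSAEncryption
    # CRLDistributionPoints ::= SEQUENCE OF DistributionPoint { [0] fullName [0] GeneralNames { [6] URI } }
    crl_dp = der(0x30, der(0x30, der(0xA0, der(0xA0, der(0x86, crl_url.encode())))))
    exts = der(0xA3, der(0x30, der(0x30, der(0x06, oid("2.5.29.31")) + der(0x04, crl_dp))))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(serial) + sig_alg + der_name(issuer_cn)
              + der(0x30, der(0x17, b"151101000000Z") + der(0x17, b"201101000000Z"))  # validity
              + der_name(subject_cn)
              + der(0x30, der(0x30, der(0x06, oid("1.2.840.113549.1.1.1"))) + der(0x03, b"\x00"))
              + exts)
    return der(0x30, tbs + sig_alg + der(0x03, bytes(33)))

# ---- minimal DER reader ----
def tlv(buf, pos=0):
    """Decode one definite-length TLV at pos -> (tag, value, next_pos)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(buf):         # all TLVs concatenated in buf, as (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def crl_uris(octets):
    """Collect [6] URI GeneralNames from a CRLDistributionPoints extension value."""
    _, dps, _ = tlv(octets)
    uris = []
    for _, dp in children(dps):                          # DistributionPoint
        for tag, dpn in children(dp):
            if tag == 0xA0:                              # distributionPoint [0]
                for tag2, names in children(dpn):
                    if tag2 == 0xA0:                     # fullName [0] GeneralNames
                        uris += [n.decode("ascii") for t, n in children(names) if t == 0x86]
    return uris

def parse_cert(cert):
    """Return issuer (raw DER Name), serial, CRL URLs and SHA-256 fingerprint of a DER cert."""
    _, body, _ = tlv(cert)
    _, tbs, _ = tlv(body)
    f = children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0                      # skip explicit [0] version if present
    info = {"serial": int.from_bytes(f[i][1], "big", signed=True), "issuer": f[i + 2][1],
            "crl": [], "sha256": hashlib.sha256(cert).hexdigest()}
    for tag, val in f[i + 6:]:                           # [3] extensions, when present
        if tag == 0xA3:
            _, extensions, _ = tlv(val)
            for _, ext in children(extensions):
                ef = children(ext)                       # extnID, [critical], extnValue
                if ef[0][1] == oid("2.5.29.31"):
                    info["crl"] += crl_uris(ef[-1][1])
    return info

def find_serial_reuse(certs):
    """(issuer DER, serial) -> parsed certs, keeping only keys shared by more than one distinct cert."""
    groups = defaultdict(list)
    for cert in certs:
        info = parse_cert(cert)
        groups[(info["issuer"], info["serial"])].append(info)
    return {k: v for k, v in groups.items() if len({i["sha256"] for i in v}) > 1}

# Constructed input: two intermediates sharing a serial but pointing at different CRL hosts, plus a clean one.
SAMPLE_CERTS = [
    sample_cert(0x1234ABCD, "Constructed Root CA", "Constructed Intermediate", "http://crl-a.example/ca.crl"),
    sample_cert(0x1234ABCD, "Constructed Root CA", "Constructed Intermediate", "http://crl-b.example/ca.crl"),
    sample_cert(0x1234ABCE, "Constructed Root CA", "Constructed Intermediate 2", "http://crl-b.example/ca2.crl"),
]

if __name__ == "__main__":
    for (_, serial), infos in find_serial_reuse(SAMPLE_CERTS).items():
        print(f"serial {serial:#x} reused by {len(infos)} certs; CRL URLs: {[i['crl'] for i in infos]}")
```

The grouping key is the raw DER issuer Name rather than a string rendering, so two issuers that merely print the same are not conflated, and certificates are distinguished by full fingerprint, so the same certificate seen twice in a log is not a false positive. Only a genuine second certificate under the same issuer and serial, as in the pair described above, is reported.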
==Issue P: Use of SM2 Algorithm (Nov 2015)==