
On September 29, 2016, WoSign stopped issuing free certificates, but I still successfully got one.


lslqtz

Dec 5, 2016, 8:06:13 AM
to mozilla-dev-s...@lists.mozilla.org
Certificate:
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

Richard Wang

Dec 5, 2016, 10:37:05 AM
to lslqtz, mozilla-dev-s...@lists.mozilla.org
This is not an issue.
You finished the domain validation, so we can issue the cert.

Best Regards,

Richard

Han Yuwei

Dec 5, 2016, 6:41:29 PM
to mozilla-dev-s...@lists.mozilla.org
On Monday, December 5, 2016 at 9:06:13 PM UTC+8, lslqtz wrote:
Could you tell us how you got it?

Richard Wang

Dec 5, 2016, 6:43:35 PM
to Percy, mozilla-dev-s...@lists.mozilla.org
We checked our system; this order came from one of our resellers. We have many resellers that use the API. We notified all resellers to close the free SSL, but they need some time to update their systems.
The most important thing is that this certificate was issued in the proper way: the subscriber finished the domain validation, so this is not a mis-issuance and not "deceiving".

Best Regards,

Richard

> On 6 Dec 2016, at 06:57, Percy <percy...@gmail.com> wrote:
>
> WoSign is actively deceiving this community again.
>
> On Nov. 13th, in the thread "Apple's response to the WoSign incidents", I stated that "CA 沃通免费SSL证书 G2", the intermediate CA of this certificate, should be time-constrained by Apple. But Richard stated that "WoSign stopped to issue free SSL certificate from those two intermediate CAs since Sept 29." (https://groups.google.com/d/msg/mozilla.dev.security.policy/lWJ1zdUJPLI/z1sxa6WRCAAJ)
>
> I'm asking WoSign to please explain why, on the public website and on this forum, you stated that no new certs will be issued under this very intermediate CA, but now you say this is not an issue?

Richard Wang

Dec 5, 2016, 7:13:00 PM
to Percy, mozilla-dev-s...@lists.mozilla.org
Sorry, we don't have a deadline.
And we have no plan to close it on the PKI side; we keep the right to activate it at any time, and we can issue this free SSL certificate to subscribers at any time if customers need it.

Best Regards,

Richard

> On 6 Dec 2016, at 07:49, Percy <percy...@gmail.com> wrote:
>
> When I was trying to get Apple to put a time constraint on the intermediate CA, you implied such a constraint was not necessary because no new certs would be issued. Clearly, you already knew that users could still get certs from resellers and potentially abuse them, given all the control failures investigated by Mozilla. Otherwise, you could have closed certificate issuance in the PKI, and no reseller would be able to issue new certs.
>
> Since new certs are still being issued by WoSign, could you please give a timeline for when no new certs will be issued, via WoSign, resellers, or any other method?

Gervase Markham

Dec 8, 2016, 3:19:31 PM
to Richard Wang, Percy
On 05/12/16 13:41, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We
> have many resellers that used the API, we noticed all resellers to
> close the free SSL, but they need some time to update the system.

More than two months?

Has this reseller given a timeline by which they expect to have ceased
to use the API?

> The
> most important thing is this certificate is issued by proper way that
> this subscriber finished the domain validation, so this is not a
> mis-issuance, not "deceiving".

This is narrowly true, from a Mozilla perspective. Mozilla has not
required that WoSign stop issuing certificates. We have just said that
we no longer trust them. Of course, I don't know what commitments WoSign
has made to other root stores. And indeed, no-one has suggested that
this certificate is mis-issued from a domain validation perspective.

There is an issue relating to the difference between WoSign's public
statement on their website that they have ceased free SSL issuance, and
the reality that they have not. We expect CAs who make public statements
about their actions to abide by those statements.

Gerv

Han Yuwei

Dec 9, 2016, 5:00:42 AM
to mozilla-dev-s...@lists.mozilla.org
On Friday, December 9, 2016 at 4:19:31 AM UTC+8, Gervase Markham wrote:
Before the WoSign incident, lots of cloud services in China were using WoSign's API to issue SSL certificates for their customers. And for this particular domain, I think someone intended to get a certificate from WoSign's Free Certificate G2 via somewhere, and they succeeded, because I saw another valid certificate on this domain.

P.S. It seems WoSign updated their system, since there is an embedded SCT in this cert.
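Two things in this thread can be checked from the certificate bytes alone: Percy's point about a time constraint on the intermediate (was the certificate issued after the date the CA said issuance stopped?) and Han Yuwei's observation that the certificate carries an embedded SCT. The following is an added example, not code from the thread, from WoSign, or from Mozilla: a dependency-free Python DER walker that reads the issuer CN, notBefore, and the presence of the SCT-list extension (OID 1.3.6.1.4.1.11129.2.4.2), applied to a constructed, unsigned stand-in certificate built in the same file. The 29 September 2016 cutoff is taken from the thread's subject line as an assumption about the policy being tested; `build_sample_cert`, `audit`, and the `example.test` subject name are the example's own inventions.

```python
# Added example (not from the thread or WoSign): a dependency-free DER walker
# that reads the issuer CN, notBefore, and whether an embedded SCT list is
# present out of an X.509 certificate. The certificate it inspects is
# CONSTRUCTED below (unsigned, zero signature); CUTOFF is an assumed date.
from datetime import datetime, timezone

SCT_LIST_OID, CN_OID = "1.3.6.1.4.1.11129.2.4.2", "2.5.4.3"   # RFC 6962 SCT list, commonName
CUTOFF = datetime(2016, 9, 29, tzinfo=timezone.utc)          # assumption from the subject line


def tlv(tag, value):
    """DER-encode one tag/length/value, using long-form length when needed."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def encode_oid(oid):
    parts = [int(p) for p in oid.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:                      # base-128 arcs, high bit = more bytes follow
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out += reversed(chunk)
    return bytes(out)


def read_tlv(buf, pos):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Yield (tag, value) for each element inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val


def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)


def name_cn(name):
    """Name is SEQUENCE OF SET OF (OID, value); return the CN if present."""
    for _, rdn in children(name):
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            if decode_oid(oid) == CN_OID:
                return val.decode("utf-8")
    return None


def parse_certificate(der):
    _, cert, _ = read_tlv(der, 0)
    fields = list(children(next(children(cert))[1]))   # TBSCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] version
        fields = fields[1:]
    # now: serial, sigalg, issuer, validity, subject, spki, [3] extensions
    nb_tag, nb_val = next(children(fields[3][1]))
    fmt = "%y%m%d%H%M%SZ" if nb_tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    not_before = datetime.strptime(nb_val.decode(), fmt).replace(tzinfo=timezone.utc)
    has_sct = any(decode_oid(next(children(ext))[1]) == SCT_LIST_OID
                  for tag, val in fields[6:] if tag == 0xA3
                  for _, ext in children(next(children(val))[1]))
    return {"issuer_cn": name_cn(fields[2][1]), "not_before": not_before, "has_embedded_sct": has_sct}


def audit(der, cutoff=CUTOFF):
    """The check behind a 'no issuance after date X' promise or time constraint."""
    info = parse_certificate(der)
    info["issued_after_cutoff"] = info["not_before"] > cutoff
    return info


def build_sample_cert(issuer_cn, not_before, with_sct):
    """Constructed, unsigned v3 certificate for testing; not a real WoSign cert."""
    def name(cn):
        atv = tlv(0x30, tlv(0x06, encode_oid(CN_OID)) + tlv(0x0C, cn.encode("utf-8")))
        return tlv(0x30, tlv(0x31, atv))
    def utc_time(date):                      # "YYYY-MM-DD" -> UTCTime at midnight
        return tlv(0x17, date[2:].replace("-", "").encode() + b"000000Z")
    alg = tlv(0x30, tlv(0x06, encode_oid("1.2.840.113549.1.1.11")) + tlv(0x05, b""))
    exts = tlv(0x30, tlv(0x06, encode_oid("2.5.29.19")) + tlv(0x04, tlv(0x30, b"")))  # basicConstraints
    if with_sct:                             # extnValue wraps an opaque (dummy) SCT list
        exts += tlv(0x30, tlv(0x06, encode_oid(SCT_LIST_OID)) + tlv(0x04, tlv(0x04, b"\x00\x00")))
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + name(issuer_cn)
           + tlv(0x30, utc_time(not_before) + utc_time("2017" + not_before[4:]))
           + name("example.test") + tlv(0x30, alg + tlv(0x03, b"\x00"))
           + tlv(0xA3, tlv(0x30, exts)))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00"))


if __name__ == "__main__":
    print(audit(build_sample_cert("CA 沃通免费SSL证书 G2", "2016-12-05", with_sct=True)))
```

The walker does not verify the signature or the chain; it answers only the two questions raised above. A real check would first validate the chain up to the intermediate in question (so that the issuer CN and notBefore are actually the CA's statement and not attacker-controlled bytes), and a root store's time constraint is applied to the chain as a whole, not to a single certificate in isolation.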

zbw...@gmail.com

Dec 9, 2016, 8:34:50 PM
to mozilla-dev-s...@lists.mozilla.org
On Tuesday, December 6, 2016 at 6:50:04 AM UTC+8, Percy wrote:
> lslqtz,
> How did you obtain this certificate from WoSign? Through the public website or some other means?

I got this certificate through the dealer's website, but neither the dealer nor the WoSign API did the verification; the final manual audit also passed.

Richard Wang

Dec 10, 2016, 11:20:40 PM
to zbw...@gmail.com, mozilla-dev-s...@lists.mozilla.org
As I said before, you finished the domain validation.
This is DV SSL, so there is no need to do manual validation.

Best Regards,

Richard

Richard Wang

Dec 10, 2016, 11:29:29 PM
to Gervase Markham, Percy, mozilla-dev-s...@lists.mozilla.org
Our promise was to close the free SSL application on our own website: buy.wosign.com.

And now we have closed it on the PKI side.


Best Regards,

Richard

> On 9 Dec 2016, at 04:17, Gervase Markham <ge...@mozilla.org> wrote:
>
>> On 05/12/16 13:41, Richard Wang wrote:
>> We checked our system, this order is from one of the reseller. We
>> have many resellers that used the API, we noticed all resellers to
>> close the free SSL, but they need some time to update the system.
>
> More than two months?
>
> Has this reseller given a timeline by which they expect to have ceased
> to use the API?
>
>> The
>> most important thing is this certificate is issued by proper way that
>> this subscriber finished the domain validation, so this is not a
>> mis-issuance, not "deceiving".
>

Richard Wang

Dec 11, 2016, 3:27:46 AM
to Percy, mozilla-dev-s...@lists.mozilla.org
As I said, we have the right to keep it or close it at any time.


Best Regards,

Richard

> On 11 Dec 2016, at 12:47, Percy <percy...@gmail.com> wrote:
> Sorry. You just said there is no deadline? Which is it?
>
> -----
>
> Sorry, we don't have deadline.
> And no plan to close it in PKI side, we keep the right to active it at any time, and we can issue this free SSL certificate for subscribers at any time if customers need it.
>

Han Yuwei

Dec 11, 2016, 4:44:19 AM
to mozilla-dev-s...@lists.mozilla.org
On Saturday, December 10, 2016 at 9:34:50 AM UTC+8, zbw...@gmail.com wrote:
Not doing verification? Could you say more about that?
And how do you know there was a manual audit for this?

Richard Wang

Dec 13, 2016, 3:07:26 AM
to Percy, mozilla-dev-s...@lists.mozilla.org
Thanks for your advice.
As I said, we closed it completely on the PKI side.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosig...@lists.mozilla.org] On Behalf Of Percy
Sent: Tuesday, December 13, 2016 3:40 PM
To: mozilla-dev-s...@lists.mozilla.org
Subject: Re: On September 29, 2016, WoSign stopped issuing free certificates, but I still successfully got one.

If you made a promise to close it "due to some security consideration", then you don't have the right to just enable and disable it at will, or to disable it in one channel but not another, which ultimately has the same security implications if WoSign is doing the validation.

zbw...@gmail.com

Dec 14, 2016, 11:29:24 PM
to mozilla-dev-s...@lists.mozilla.org
On Thursday, December 15, 2016 at 9:53:29 AM UTC+8, Percy wrote:
> lslqtz,
> Could you host a subdomain, say wosign.loliwiki.org, with this cert? So we can test that the blocking is functioning correctly.

I was put on the blacklist.

zbw...@gmail.com

Dec 17, 2016, 2:11:15 PM
to mozilla-dev-s...@lists.mozilla.org
> Not doing verification? Could you say more about that?
> And how do you know there was a manual audit for this?

I got a certificate, and even though it was free, it still passed the audit; a follow-up notice came to my mailbox. I know there was a manual audit because of the email notification sent to me.