Hi Richard,

On 01/09/16 04:04, Richard Wang wrote:
> First, please treat WoSign as a global trusted CA, DON'T stamp us as a
> China CA. We need fair treatment like other worldwide CAs; I am
> sure WoSign is not the first CA to have an incident, and not the
> most serious one;

We are keen to treat WoSign as a global CA. It's certainly true that we
would be having this discussion about any other global CA which had had
such a list of incidents. However, it seems that you are advancing
arguments - such as "we are Chinese; we can't be expected to fully
understand standards written in English" - which ask for special
consideration as a Chinese CA rather than a global CA. And, as others
have pointed out in this thread, WoSign is very happy to be seen as a
China CA for marketing purposes inside China.

> Second, I supplement some data for your reference, please consider
> those subscribers' benefit, especially from many underdeveloped
> countries that can't afford the too expensive SSL certificate.

WoSign is not the only company to offer free SSL certificates. But also,
this seems like arguing "we're too big for you to take action against us".

> Third, I believe no one dares to say his system has no bug, WoSign
> admitted we have a system bug that issued the wrong certificate and
> fixed it. This is why WoSign is the first CA in the world to
> volunteer to "Require CT", we like to use the CT mechanism to find out
> the bug quickly and reduce the loss to a minimum,

That seems to me to be outsourcing your quality control to a set of
third parties. I would say that any CA should have independent systems
which check every certificate issued, before it is sent to the customer,
for a long list of possible faults, and hold the certificate for manual
review if any of those faults are found. That's what I'd do if I were
running a CA, anyway. Saying "it's all in CT, so we can find problems
after issuance" does not, to my mind, take misissuance appropriately
seriously.

> Thanks a million.

(Just as a note, I would advise against using this English phrase, as it
has acquired a sarcastic overtone in normal usage.)

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
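The kind of pre-issuance check Gerv describes above (lint every certificate before it reaches the subscriber, and hold it for manual review if any check fails) can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from Gerv, Mozilla, WoSign, or any CA's issuance system. It uses only the Go standard library, constructs a self-signed test certificate inline so that it runs offline, and implements a small, illustrative subset of the 2016-era Baseline Requirements rules (39-month validity cap, SAN presence and CN-in-SAN, no internal names, well-formed wildcards, no SHA-1/MD5 signatures, minimum key sizes, no cA=TRUE on subscriber certificates, 64-bit serial numbers). The function and test-certificate names are this example's own, and the rule list is deliberately incomplete: a real CA would run a far longer list, against the exact certificate its signing system just produced.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Lint runs pre-issuance checks over a parsed certificate and returns the
// faults found. An empty result means the certificate may be released to the
// subscriber; anything else means hold it for manual review. This is an
// illustrative subset of the 2016 Baseline Requirements, not a full linter.
func Lint(cert *x509.Certificate) []string {
	var faults []string

	// Subscriber certificate validity was capped at 39 months in 2016.
	if cert.NotAfter.After(cert.NotBefore.AddDate(0, 39, 0)) {
		faults = append(faults, "validity exceeds 39 months")
	}

	// A subjectAltName is mandatory, and any commonName must be repeated in it.
	if len(cert.DNSNames) == 0 && len(cert.IPAddresses) == 0 {
		faults = append(faults, "no dNSName or iPAddress in subjectAltName")
	}
	if cn := cert.Subject.CommonName; cn != "" && !containsFold(cert.DNSNames, cn) {
		faults = append(faults, "commonName not repeated in subjectAltName")
	}

	// Every dNSName must be a public FQDN; a wildcard may only be the whole leftmost label.
	for _, name := range cert.DNSNames {
		if !strings.Contains(name, ".") || strings.HasSuffix(name, ".local") {
			faults = append(faults, "internal server name in subjectAltName: "+name)
		}
		if strings.Contains(name, "*") && (strings.Count(name, "*") != 1 || !strings.HasPrefix(name, "*.")) {
			faults = append(faults, "malformed wildcard in subjectAltName: "+name)
		}
	}

	// Signature algorithm and key strength.
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		faults = append(faults, "weak signature algorithm "+cert.SignatureAlgorithm.String())
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		if pub.N.BitLen() < 2048 {
			faults = append(faults, "RSA key shorter than 2048 bits")
		}
	case *ecdsa.PublicKey:
		if pub.Curve.Params().BitSize < 256 {
			faults = append(faults, "EC key on a curve weaker than P-256")
		}
	default:
		faults = append(faults, "unsupported public key type")
	}

	// A certificate issued to a subscriber must never be a CA certificate.
	if cert.IsCA {
		faults = append(faults, "basicConstraints cA=TRUE on a subscriber certificate")
	}

	// Serials must be positive and carry at least 64 bits of entropy (a 2016 BR
	// requirement); BitLen only checks length, which is the cheap part of that rule.
	if cert.SerialNumber.Sign() <= 0 || cert.SerialNumber.BitLen() < 64 {
		faults = append(faults, "serial number not positive or shorter than 64 bits")
	}
	return faults
}

// HasFault reports whether any fault message contains substr.
func HasFault(faults []string, substr string) bool {
	return containsSubstr(faults, substr)
}

func containsFold(names []string, want string) bool {
	for _, n := range names {
		if strings.EqualFold(n, want) {
			return true
		}
	}
	return false
}

func containsSubstr(list []string, substr string) bool {
	for _, s := range list {
		if strings.Contains(s, substr) {
			return true
		}
	}
	return false
}

// MakeTestCert builds a constructed, self-signed test certificate with a fresh
// P-256 key and a fixed NotBefore (1 Sept 2016) so the example is reproducible
// offline. It stands in for the certificate a CA's signer has just produced.
func MakeTestCert(cn string, dnsNames []string, validMonths int, isCA bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	serial.SetBit(serial, 64, 1) // guarantee a long serial even in the unlucky random case
	notBefore := time.Date(2016, 9, 1, 0, 0, 0, 0, time.UTC)
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Ltd"}},
		NotBefore:             notBefore,
		NotAfter:              notBefore.AddDate(0, validMonths, 0),
		DNSNames:              dnsNames,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	good, err := MakeTestCert("www.example.com", []string{"www.example.com", "example.com"}, 12, false)
	if err != nil {
		panic(err)
	}
	bad, err := MakeTestCert("intranet", []string{"intranet", "*.*.example.com"}, 60, true)
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{good, bad} {
		if faults := Lint(c); len(faults) == 0 {
			fmt.Printf("%s: release\n", c.Subject.CommonName)
		} else {
			fmt.Printf("%s: HOLD for review, faults=%q\n", c.Subject.CommonName, faults)
		}
	}
}
```

The point of the design is the one Gerv makes: the linter is a separate code path from the signer, runs before anything leaves the CA, and fails closed (hold on any fault). Logging to CT after the fact is still valuable for catching what the linter missed, but it is a detection control, not a prevention control.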
