Hi Gerv,

Forgive my bad English, you know my English level. :-) 

It seems my bad English misled you to the wrong place, so I will try to correct that:
(1) Don't care about the marketing words; they are an advertisement;
(2) What I mean is: please think about the current users before any action; 10% are from 
government websites, and 6 customers are among the top 10 eCommerce websites in China;
(3) We have quality control; I will send the blocking system screenshot to you 
since this mailing list can't send it.  But we think CT is a good solution for the 
mis-issuance problem.


Best Regards,

Richard

-----Original Message-----
From: Gervase Markham [mailto:g...@mozilla.org] 
Sent: Friday, September 2, 2016 6:07 PM
To: Richard Wang <rich...@wosign.com>; 
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Incidents involving the CA WoSign

Hi Richard,

On 01/09/16 04:04, Richard Wang wrote:
> First, please treat WoSign as a global trusted CA, DON'T stamp as 
> China CA. We need a fair treatment as other worldwide CAs that I am 
> sure WoSign is not the first CA that have incident and not the serious 
> one;

We are keen to treat WoSign as a global CA. It's certainly true that we would 
be having this discussion about any other global CA which had had such a list 
of incidents. However, it seems that you are advancing arguments - such as "we 
are Chinese; we can't be expected to fully understand standards written in 
English" - which ask for special consideration as a Chinese CA rather than a 
global CA. And, as others have pointed out in this thread, WoSign is very happy 
to be seen as a China CA for marketing purposes inside China.

> Second, I supplement some data for your reference, please consider 
> those subscribers benefit, especially from many underdeveloped 
> countries that can't afford the too expansive SSL certificate.

WoSign is not the only company to offer free SSL certificates. But also, this 
seems like arguing "we're too big for you to take action against us".

> Third, I believe no one dare to say his system no bug, WoSign admitted 
> we have system bug that issued the wrong certificate and fixed. This 
> is why WoSign is the first CA in the world for volunteering to 
> "Require CT", we like to use CT mechanism to find out the bug quickly 
> and reduce the lost to minimum,

That seems to me to be outsourcing your quality control to a set of third 
parties. I would say that any CA should have independent systems which check 
every certificate issued, before it is sent to the customer, for a long list of 
possible faults, and hold the certificate for manual review if any of those 
faults are found. That's what I'd do if I were running a CA, anyway. Saying 
"it's all in CT, so we can find problems after issuance" does not, to my mind, 
take misissuance appropriately seriously.

> Thanks a million.

(Just as a note, I would advise against using this English phrase, as it has 
acquired a sarcastic overtone in normal usage.)

Gerv
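The pre-issuance control Gerv describes above (an independent check of every to-be-signed certificate, holding it for manual review if any fault is found, rather than relying on CT to surface problems after issuance) sketched as an added example. This is not code from the thread, from Mozilla or from any CA: the certificate is modelled as a plain dict of TBS fields, and the field names, policy limits and sample requests are all constructed for the example.

```python
"""Pre-issuance certificate linting gate (added example, not from the thread).

Every certificate request is run through a set of independent checks before
the CA signs and sends it. Any finding holds the certificate for manual review;
only a clean request is issued. Field names and sample data are constructed.
"""
from __future__ import annotations

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Policy limits are assumptions for this example; a real CA would take them from
# the current CA/Browser Forum Baseline Requirements and its own CP/CPS.
MAX_VALIDITY = timedelta(days=1186)          # roughly 39 months
MIN_RSA_BITS = 2048
ALLOWED_SIG_ALGS = {"sha256WithRSAEncryption", "sha384WithRSAEncryption",
                    "ecdsa-with-SHA256"}

# One DNS label: 1-63 chars of [a-z0-9-], not starting or ending with '-'.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def dns_name_faults(name: str) -> list[str]:
    """Return the faults found in one dNSName SAN entry (empty list if clean)."""
    faults = []
    try:
        ipaddress.ip_address(name)
        return [f"dNSName {name!r} is an IP address; it belongs in an iPAddress SAN"]
    except ValueError:
        pass  # not an IP literal, carry on with the DNS checks
    labels = name.lower().split(".")
    if len(labels) < 2:
        faults.append(f"dNSName {name!r} is a single-label (internal) name")
    for i, label in enumerate(labels):
        if label == "*":
            if i != 0:
                faults.append(f"dNSName {name!r}: wildcard only allowed as leftmost label")
        elif not LABEL_RE.match(label):
            faults.append(f"dNSName {name!r}: label {label!r} is not a valid DNS label")
    return faults


def lint(tbs: dict) -> list[str]:
    """Run every check over a to-be-signed certificate and collect the faults."""
    faults = []
    nb, na = tbs["not_before"], tbs["not_after"]
    if na <= nb:
        faults.append("notAfter is not later than notBefore")
    elif na - nb > MAX_VALIDITY:
        faults.append(f"validity of {(na - nb).days} days exceeds policy maximum "
                      f"of {MAX_VALIDITY.days}")
    if tbs["signature_algorithm"] not in ALLOWED_SIG_ALGS:
        faults.append(f"signature algorithm {tbs['signature_algorithm']!r} not permitted")
    if tbs["key_type"] == "RSA" and tbs["key_bits"] < MIN_RSA_BITS:
        faults.append(f"RSA key of {tbs['key_bits']} bits is below {MIN_RSA_BITS}")
    sans = tbs.get("dns_names", [])
    if not sans:
        faults.append("no dNSName SAN entries")
    for name in sans:
        faults.extend(dns_name_faults(name))
    cn = tbs.get("common_name")
    if cn and cn.lower() not in {n.lower() for n in sans}:
        faults.append(f"commonName {cn!r} is not repeated in the SAN list")
    return faults


def gate(tbs: dict) -> tuple[str, list[str]]:
    """Decide: 'issue' only when no check fails, otherwise 'hold' for manual review."""
    faults = lint(tbs)
    return ("issue" if not faults else "hold", faults)


# Constructed sample requests; the reference time is arbitrary.
NOW = datetime(2016, 9, 2, tzinfo=timezone.utc)

GOOD_REQUEST = {
    "common_name": "www.example.com",
    "dns_names": ["www.example.com", "example.com"],
    "not_before": NOW,
    "not_after": NOW + timedelta(days=365),
    "signature_algorithm": "sha256WithRSAEncryption",
    "key_type": "RSA",
    "key_bits": 2048,
}

BAD_REQUEST = {
    "common_name": "intranet",
    "dns_names": ["intranet", "10.0.0.5", "mail.*.example.com"],
    "not_before": NOW,
    "not_after": NOW + timedelta(days=5 * 365),
    "signature_algorithm": "sha1WithRSAEncryption",
    "key_type": "RSA",
    "key_bits": 1024,
}

if __name__ == "__main__":
    for label, request in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST)):
        decision, faults = gate(request)
        print(f"{label}: {decision}")
        for fault in faults:
            print(f"  - {fault}")
```

The point of the design is that the gate sits between the request and the signing step and is independent of the issuance logic that produced the request, so a bug in the latter cannot also silence the check; CT logging then remains a second, post-issuance line of detection rather than the only one.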
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
