WoSign stated in the report that "Due to foreign companies to China's
technology blockade, WoSign decided to research and develop all systems by
ourselves in 2009, including BUY system (Online certificate store), CMS
(Certificate Management System, internal work flow), PKI/CA (Certificate
issuing system), CRL/OCSP (Certificate revocation query system) and TSA
(time stamp system)."
I'm assuming WoSign is referring to other companies operating CAs. Perhaps
WoSign can clarify what those companies are and the nature of such
blockade.

WoSign also stated that "WoSign agrees that this is a violation of the BRs
(only three US NIST P-256, P-384, or P-521 curves can be used for elliptic
curve keys in certs), but being a Chinese licensed CA, we must abide by
local laws and regulations, we must actively cooperate with domestic
browsers to test the SSL certificate using SM2 algorithm issued by a global
trusted root in the real Internet, not intranet.

WoSign, as a member of CAB Forum, will spare no effort to continue to
promote China encryption algorithm SM2 to become the international standard
allowed algorithm."


It seems that WoSign is committed to testing certificates in a global trusted
root despite explicit warning of not doing so even now. I see no
Chinese law mandating the issuance of SM2 certificates or forbidding the
issuance of certificates with standard curves. It's unclear to me why
WoSign insisted on testing SM2 with a publicly trusted root. If WoSign is
claiming Chinese law mandates such testing/deployment, please refer to such
laws here and perhaps the community can take the local law into account. If
however no such law exists, as far as I know, such commitment to BR
violation is not acceptable.

On Friday, September 23, 2016, Percy <percyal...@gmail.com> wrote:

> Richard,
> On behalf of most Chinese Internet users who do not speak English, I'm
> asking why WoSign is only making the final statement available in Chinese,
> but not the incident report. WoSign doesn't even have any statement,
> announcement or press release in Chinese regarding any of the incidents
> (except this final statement) anywhere.
>
> As WoSign is the largest CA in China, it must be responsible to Chinese
> users. I'm requesting WoSign to make the incident report available in
> Chinese and available on the WoSign's Chinese site. I believe an
> announcement on the official Chinese site with the link to the incident
> report is also warranted.
>
> On Thursday, September 22, 2016, Richard Wang <rich...@wosign.com> wrote:
>
> > Hi Gerv,
> >
> > This is the final statement about the incident:
> > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in
> > English)
> >
> > https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf
> > (中文版) (In Chinese, this is easy for Chinese users.)
> >
> > I think this is the supplement of the two released reports.
> >
> > Please let me know if you have any questions about this statement, thanks.
> >
> >
> > Best Regards,
> >
> > Richard Wang
> > CEO
> > WoSign CA Limited
> >
> >
> > -----Original Message-----
> > From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of
> > Richard Wang
> > Sent: Friday, September 16, 2016 6:05 PM
> > To: Gervase Markham <g...@mozilla.org>
> > Cc: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: RE: Incidents involving the CA WoSign
> >
> > Hi Gerv,
> >
> > This is the final report: https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
> >
> > Please let me know if you have any questions about the report, thanks.
> >
> >
> > Best Regards,
> >
> > Richard Wang
> > CEO
> > WoSign CA Limited
> >
> >
> > -----Original Message-----
> > From: Gervase Markham
> > Sent: Wednesday, September 7, 2016 7:00 PM
> > To: Richard Wang; mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Re: Incidents involving the CA WoSign
> >
> > Hi Richard,
> >
> > On 07/09/16 11:06, Richard Wang wrote:
> > > This discussion has been lasting two weeks, I think it is time to end it,
> > > it isn't worth wasting everybody's precious time.
> >
> > Unfortunately, I think we may be only beginning.
> >
> > I have prepared a list of the issues we are tracking with WoSign's
> > certificate issuance process and business:
> >
> > https://wiki.mozilla.org/CA:WoSign_Issues
> >
> > Please can you provide a response to issues F, P, S and T at your earliest
> > convenience?
> >
> > In addition, if you have further things to say about issues D, H, J, L, N
> > or V we would be happy to hear them.
> >
> > Thank you for your suggestions, but once Mozilla has a full understanding
> > of what has gone on we will be in a better position to decide what next
> > actions are appropriate.
> >
> > With best wishes,
> >
> > Gerv
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >