Hi,

I just want to throw out some thoughts and I hope the people involved
find it noteworthy. Please note that I am in no way in a position to
decide anything here, I'm just someone who happens to have an opinion
on the stuff going on.

This seems to be some last-minute attempt to rescue wosign/startcom as
a CA. Despite all the stuff that happened I kinda sympathize with it,
for two reasons:
* I think wosign and startcom did a lot of good for the web by providing
  free certificate options and I think it'd be problematic to have a
  Let's Encrypt monopoly for free certificates.
* I fear that if wosign gets removed, this might lead to a further
  separation of the Chinese web. I don't want to see a situation where
  Chinese webpages use a Chinese certificate that the browsers from the
  rest of the world don't accept. I don't think this is in anyone's
  interest, as it would harm the Internet as a whole.

I guess the community could agree to let wosign stay in the browsers,
but it must be clear that there is a sincere will to handle things
differently in the future. My advice to the representatives of
wosign/startcom/Qihoo would be to be as transparent as possible.
I think the major reason people find this mozilla research so damning
is because it looks a lot like you were trying to hide things. This was
further fuelled by multiple statements in the form "we don't have to
talk about this".
If you want to regain trust from the community, you'll have to talk
about it. This isn't about any legal requirements, it's about trust
from the community. Be open about who owns which company, who's in
charge and also tell us exactly why these things happened in the past
and how you want to prevent them from happening again.


Minor sidenote: there have been some concerns about TLS security
vulnerabilities of the Qihoo 360 browser [1] [2]. While this is not
directly related to the operation of a CA, it surely would increase the
community's trust in Qihoo 360 if these issues get resolved quickly.


[1] https://cabforum.org/pipermail/public/2015-April/005441.html
[2] https://twitter.com/ryancdotorg/status/780470538686697472

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
