On Friday, 7 October 2016 at 19:13:42 UTC+8, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
> 
> I think we are now in a position to discuss whether the plan proposed here:
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
> is still appropriate for WoSign.
> 
> Because it contains repeated or lightly-updated information about all of
> the issues on the issues list, the updated Incident Report rather
> "buries the lede" (hides the important news). Therefore I felt it might
> be worth highlighting some of the things within it:
> 
> * WoSign admits that it has issued 64 back-dated SHA-1 certificates. The
> cause was a mixture of intentional issuance using a created pathway, and
> bugs which triggered that pathway by mistake.
> 
> * This includes admitting the misissuance of the certificates for
> tyro.com by StartCom, which were the subject of Mozilla's most recent
> investigation; this issuance was approved by Richard Wang.
> 
> * WoSign agrees it should have been more forthcoming about its purchase
> of StartCom, and announced it earlier.
> 
> * WoSign and StartCom are to be legally separated, with the corporate
> structure changed such that Qihoo 360 owns them both individually,
> rather than WoSign owning StartCom.
> 
> * There will be personnel changes:
> 
>   - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer
>     of Qihoo 360).
>   - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom
>     Europe).
>   - Richard Wang will be relieved of his duties as CEO of WoSign and
>     other responsibilities. It is not decided who will replace him.
> 
> * StartCom will soon provide a plan on how they will separate their
> operations and technology from that of WoSign.
> 
> * In the light of these changes, Qihoo 360 request that WoSign and
> StartCom be considered separately.
> 
> 
> Mozilla is minded to agree that it is reasonable to at least consider
> the two companies separately, although that does not preclude the
> possibility that we might decide to take the same action for both of
> them. Accordingly, Mozilla continues to await the full remediation plan
> from StartCom so as to have a full picture. However, I think we can work
> towards a conclusion for WoSign now.
> 
> Gerv

According to the previous discussion, I think that maybe a community-driven
program for CAs' issuance systems could be established. The code is open and everyone
can audit it. But what's more important is to build a culture of reporting
issues, like in civil aviation and civil nuclear systems.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy