Re: WoSign: updated report and discussion

Sun, 09 Oct 2016 18:26:57 -0700 

I also said that the official website, ordering system, certificate management 
system are different and independent, which is the major cause of the bugs from 
technical perspective, that’s why Wosign suffered the incidents of bugs but 
StartCom haven’t.
The validation team, customer care team and tech support team are also 
independent, that is important for the quality control for the business, that’s 
also the important reason that StartCom did well except the 2 backdated 
certificates that instructed by Richard Wang directly.
StartCom as a CA for 17 years, contributed more or less to the industry and 
community, we do hired an in-proper person to manage the company and it have 
been fixed, fortunately, the ordering process, CMS process still keep the same 
with the original one of StartCom, we are changing the software soon, the time 
table will be released in this week.
Please give a chance to StartCom.

Thanks,
Xiaosheng Tan



在 2016/10/10 上午6:43,“dev-security-policy 代表 
Percy”<dev-security-policy-bounces+tanxiaosheng=360...@lists.mozilla.org 代表 
percyal...@gmail.com> 写入:

    Tan said,  for StartCom and WoSign’s infrastructure, the PKI servers 
were/are shared, the CRL/OCSP, TSA code were cloned and the StartCom and WoSign 
shared the software development team. 
    
    Also some management team are shared I assume since Richard Wang approved 
Tyro's backdated cert from StartCom.
    
    As we saw most problems discovered are either due to software 
development(issue F,H,L,N,V) or management (issue S,P,R). And those team were 
shared between WoSign and StartCom at the time of the incidents. Consequently, 
at the time of the incidents, they're the same entity with regards to those 
issues. So I agree with the opinion that " If their 
    operations are, in the future, functionally separated, then they can be 
    considered for reinclusion separately.  However, for the purposes of what 
to 
    do about them over *past* actions, when they were a single operational 
    entity, their actions should be considered as such. "
    _______________________________________________
    dev-security-policy mailing list
    dev-security-policy@lists.mozilla.org
    https://lists.mozilla.org/listinfo/dev-security-policy
    

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to