On Wednesday, October 12, 2016 at 8:12:29 PM UTC-7, Percy wrote:
> WoSign has so far announced nothing about those incidents or immediate
> distrust (Apple and Mozilla) to its end users. On the contrary, WoSign had a
> press release dated Oct 8th
> (https://www.wosign.com/news/netcraft-ssl-oct.htm) titled "WoSign SSL certs
> reaches almost 50% market share in China". In the press release, it stated
> that "WoSign's achievement today is due to company founder and CEO Richard
> Wang leads all staff to be dedicated". WoSign is depicted as this positive,
> strong growing company. Nothing about its distrust in the immediate future is
> mentioned.
>
> On Oct 7th, in the incident report in English, WoSign admitted multiple
> intentional mistakes and deceptions
> (https://www.google.com/url?q=https%3A%2F%2Fwww.wosign.com%2Freport%2FWoSign_Incident_Report_Update_07102016.pdf&sa=D&sntz=1&usg=AFQjCNGRzAxwYrEEiA_SN5gfcsftSst0nA)
> and that the CEO Richard Wang is to be relieved of his duties.
>
> I'm calling WoSign out on this two-faced behavior towards Chinese end users
> and foreign security researchers.

WoSign and StartCom are still actively selling certs which cost one hundred or more dollars. I think Mozilla should mandate that WoSign/StartCom inform their users of such incidents or at least the imminent distrust by Mozilla (and Apple). Now users are left in the dark for those trust decisions, which violates the minimum disruption principle.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy