> and we don't think our brand is "tarnishing", we are working hard to try to 
> regain the trust and confidence in this community.

Wasn't a prerequisite for that process your stepping down as CEO of WoSign?



On Thursday, March 30, 2017 at 9:49:25 PM UTC-4, Richard Wang wrote:
> To be transparent, WoSign are NOT "acquiring the HARICA root" that we NEVER 
> contact HARICA, and we don't think our brand is "tarnishing", we are working 
> hard to try to regain the trust and confidence in this community.
> 
> 
> Best Regards,
> 
> Richard
> 
> -----Original Message-----
> From: dev-security-policy 
> [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On 
> Behalf Of Peter Kurrasch via dev-security-policy
> Sent: Thursday, March 30, 2017 9:02 PM
> To: Gervase Markham via dev-security-policy <g...@mozilla.org>; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: Criticism of Google Re: Google Trust Services roots
> 
> By "not new", are you referring to Google being the second(?) instance where 
> a company has purchased an individual root cert from another company? It's 
> fair enough to say that Google isn't the first but I'm not aware of any 
> commentary or airing of opposing viewpoints as to the suitability of this 
> practice going forward.
> 
> Has Mozilla received any notification that other companies intend to acquire 
> individual roots from another CA? I wouldn't ask Mozilla to violate any 
> non-disclosures but surely it's possible to let the community know if we 
> should expect more of this? Ryan H. implied as much in a previous post but I 
> wasn't sure where he was coming from on that.
> 
> Also, does Mozilla have any policies (requirements?) regarding individual 
> root acquisition? For example, how frequently should roots be allowed to 
> change hands? What would Mozilla's response be if WoSign were to say that 
> because of the tarnishing of their own brand they are acquiring the HARICA 
> root? What if Vladimir Putin were to make such a purchase? Any requirements 
> on companies notifying the public when the acquisition takes place?
> 
> Perhaps this is putting too much of a burden on Mozilla as a somewhat 
> protector of the global PKI but I'm not sure who else is in a better position 
> for that role?
> 
> 
>   Original Message
> From: Gervase Markham via dev-security-policy
> Sent: Thursday, March 30, 2017 1:06 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Reply To: Gervase Markham
> Subject: Re: Criticism of Google Re: Google Trust Services roots
> 
> On 29/03/17 20:46, Peter Kurrasch wrote:
> > It's not inconsequential for Google to say: "From now on, nobody can
> > trust what you see in the root certificate, even if some of it appears
> > in the browser UI. The only way you can actually establish trust is to
> > do frequent, possibly complicated research." It doesn't seem right
> > that Google be allowed to unilaterally impose that change on the
> > global PKI without any discussion from the security community.
> 
> As others in this thread have pointed out, this is not a new thing. I 
> wouldn't say that Google is "imposing" this need.
> 
> Gerv
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
