On 27/11/2017 09:38, Danny 吴熠 wrote:
Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and for 
arranging this pre-discussion.
Second, thanks to the community participants for helping us understand our 
problems clearly over the past year; we hope you can give us a chance to serve 
Internet security.

Here is our response covering your questions, so that we do not need to reply to 
the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we learned that the distrust sanction would start from Oct. 20, 2016, we 
started talking to some CAs about a Managed Sub CA solution. We signed an 
agreement with Certum and have resold their SSL certificates since Nov. 21, 2016. 
We have also had a second Managed Sub CA from DigiCert since June 30, 2017.

(2) We sent replacement notices to all charged customers and have replaced 
more than 6000 certificates for customers for free.

(3) We realized that our big problem is compliance with the Standards, so we set up a 
department: the Risk Control & Compliance Department (RCC), which has 5 persons. 
The manager is from a bank IT risk control department; he leads the team for risk 
control management and internal audit. Two English-major employees are 
responsible for translating all WebTrust documents and all CAB Forum documents into 
Chinese so that all employees can learn the Standards more clearly. One is 
responsible for checking the CAB Forum mailing list to produce a weekly brief in 
Chinese on CAB Forum activity for all department managers, and one is responsible for 
checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also 
produce a summary report whenever a CA posts an incident report, to let us learn how to 
prevent the same mistakes and how to respond to the Community. Another two 
employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; 
they are responsible for system testing and security testing of the systems the two RD teams 
developed. This department also set up many internal management regulations, and it is the 
internal auditor that checks and verifies that every CA operation is compliant with the 
Standard.

(4) We started to develop a new PKI/CA system, including a validation system, OCSP 
system and CT system, and developed a new BUY system and CMS system. All systems were 
finished in June 2017 and passed a white-box source code security test by the 
Mozilla-approved security auditor Cure 53. The test summary report was posted to 
the Community on July 7, 2017, and the detailed report was sent to every 
browser's key person, but there was no feedback.
We set up new infrastructure with the new system that passed the security audit; the new 
system integrates CABFlint, X509lint and Zlint for all pre-issued SSL 
certificates to make sure every pre-issued certificate complies with the 
Standard.


There were plenty of negative responses to that Cure 53 report on
mozilla.dev.security.policy by the people who actually received the full
audit report.  At least one of those people said that from their reading
of the Cure 53 report, WoSign would not be able to regain trusted CA
status without major changes to the audited code.

Richard Wang replied to some of those responses in a manner that didn't
exactly inspire further confidence.


(5) We stopped updating the old roots' CPS and prepared a new CPS that complies 
with all Standards for the planned new roots. The RCC Department is 
responsible for the CPS updates and for checking that every CA operation complies with the CPS; 
this department has the supreme right to supervise all CA operations, so that nobody, 
including Richard Wang, can have a finger in the pie to violate the Standard. 
Every employee has learnt a deep lesson from the Sanction.

(6) On Aug 24, 2017, we changed our company's English name from "WoSign CA 
Limited" to "WoTrus CA Limited" in order to make a clear distinction for the 
planned new roots.

(7) Even though we have experienced a tough time, we didn't fire any employee. 
We had 55 employees in October 2016, and now we have 58 employees, as we 
hired more customer service employees to handle the certificate replacement work 
and minimize the sanction's impact.

(8) We didn't fire the 20 RD employees; they are developing some certificate-related 
software and hardware. Those products will be released in Q1 2018. All 
the software is being tested or will be tested by Cure 53 voluntarily to 
guarantee its code security.

Part Two: About Richard Wang

(1) In the remediation plan, Richard Wang was relieved as CEO, and Qihoo 360 started 
looking for a proper candidate in Nov. 2016; Mr. Tan Xiaosheng reported at 
the March CAB Forum meeting that Richard Wang is the COO.

(2) It is very hard to find a suitable person in China for this position who 
understands PKI/CA technology and knows the CA business, so the CEO position is 
empty and the company is still run by Richard Wang as COO.

(3) On Aug 24, 2017, the company's board of directors approved the company name 
change and restored Richard Wang's CEO position.

(4) Richard Wang is not just the CEO & CTO; he is the company founder and a 
shareholder. He learned a big lesson from this sanction, and he can't control 
everything, due to the internal audit mechanism described in Part One.

Part Three: Our future plan

(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust 
audit and process our new root inclusion application, then we will do it 
strictly according to the WoSign Action Items bug: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

(2) If Mozilla decides to reject our new root inclusion at this beginning 
stage, then we can wait for another year. We will continue being a reseller of 
Certum and DigiCert. We don't have any plan to close our company.

(3) In the past 13 years, WoSign/WoTrus has done its best to provide the best 
certificate products and the best service to Chinese and worldwide 
customers. We are sure China needs a good local CA to make the Chinese Internet 
more secure and trusted, and I am sure WoTrus is the one. If the Chinese Internet 
is secure, then the global Internet is secure.

Finally, as a CA, we fully understand that the mistakes we have made are 
significant. Through the sanction, we learned the importance of maintaining trust 
and compliance, and we hope to provide excellent products and services as 
compensation for our mistakes, and to serve Internet security to regain 
public trust.
We'd love to hear your feedback, and we are trying to do better and better. 
Thanks.

Best Regards,

WoTrus CA Limited



-----Original Message-----
From: dev-security-policy 
[mailto:dev-security-policy-bounces+pa4=wotrus....@lists.mozilla.org] On Behalf 
Of Gervase Markham via dev-security-policy
Sent: Wednesday, November 22, 2017 5:06 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Possible future re-application from WoSign (now WoTrus)

We understand that WoTrus (WoSign changed their name some months ago) are 
working towards a re-application to join the Mozilla Root Program.
Richard Wang recently asked us to approve a particular auditor as being 
suitable to audit their operations.

In the WoSign Action Items bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
Kathleen wrote "WoSign may apply for inclusion of new (replacement) root 
certificates[1] following Mozilla's normal root inclusion/change process[2] (minus 
waiting in the queue for the discussion), after they have completed all of the following 
action items, and no earlier than June 1, 2017."

However, one step in the inclusion process is the public discussion, and we 
have some reason to believe that this may lead to significant objections being 
raised. It would not be reasonable to encourage WoSign to complete all the 
other steps in the process if there was little or no chance of them being 
approved in public discussion.

So Kathleen and I thought it would be best to have a pre-discussion now, in 
order to make sure that expectations are set appropriately. If WoTrus had 
completed all the action items in the bug and arrived at the public discussion 
part of the application, what would people say? If you raise an objection, 
please say if there is any way at all that you think WoTrus could address your 
issue.

Thanks for your input,

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy



Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded