While it is to the benefit of everyone that Richard Wang and other employees at WoSign/WoTrus have learned valuable lessons over the past year, it seems to me that far too much damage has been done for Mozilla to seriously consider a CA which has Richard in any sort of management position, much less as CEO. I look at the depth and breadth of his deceptive acts, the technical/policy/compliance issues that were present at WoSign and StartCom under his leadership, the defiance of any expectation that CAs should exhibit reasonable levels of transparency and forthrightness, the amount of time and effort spent in this forum on the myriad WoSign and StartCom issues...

One is left to consider how much tolerance remains in the community for further mistakes and transgressions that might arise from WoTrus. What incentive does Richard have to be forthcoming in the future, knowing that the community might take harsh action against his company? How much time should WoTrus be allowed to consume, knowing it might unfairly affect the inclusion requests of new CAs, or the addressing of situations that arise at other CAs, or the discussion of ideas for advancing security throughout the global PKI?

When the initial sanction against WoSign and StartCom took place, I think many in this forum would have been content to let both CAs fade away into the land of distrust and ultimate removal. That Mozilla allowed both to remain was, I think, an act of generosity, with the expectation being(?) that, with a change in leadership and a new technology infrastructure, the global PKI will be better off for keeping WoSign/StartCom as trusted CAs. It's not (yet) clear that enough improvements have been made to the infrastructure and, obviously, there has been no change in leadership.

With everything taken together I just don't see the benefit of including WoTrus in the trusted CA program. The costs to the community have been high--and probably will continue to be high. The risks have been many--and probably will continue to be many. And the benefits would appear to be too few.

From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you will give us a chance to serve Internet security.

Here is our response covering your questions, since we do not reply to the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we knew the distrust sanction would start on Oct. 20, 2016, we started to talk to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started to resell their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA with DigiCert on June 30, 2017.

(2) We sent replacement notices to all charged customers, and we have replaced more than 6000 certificates for customers for free.

(3) We realized our big problem is compliance with the Standard, so we set up a department, the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two are English-major employees, responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, to let us learn how to prevent the same mistakes and how to respond to the Community. Another two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for the system test and security test of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.

(4) We started to develop a new PKI/CA system, including a validation system, an OCSP system and a CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test of the Mozilla-approved security auditor Cure 53. The test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback.
We set up a new infrastructure with the new systems that passed the security audit; the new system integrates CABFlint, X509lint and ZLint for all pre-issued SSL certificates, to make sure every pre-issued certificate complies with the Standard.

(5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the planned new roots. The RCC Department is responsible for the CPS updates and for checking that every CA operation complies with the CPS; this department has the super right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.

(6) On Aug 24, 2017, we changed our company's English name from “WoSign CA Limited” to “WoTrus CA Limited” in order to make a clear difference for the planned new roots.

(7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to provide certificate replacement work to minimize the sanction's impact.

(8) We didn't fire the 20 RD employees; they are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.

Part Two: About Richard Wang

(1) In the remediation plan, Richard Wang was relieved as CEO and Qihoo 360 started to look for a proper candidate in Nov. 2016, and Mr. Tan Xiaosheng gave this update at the March CAB Forum meeting: that Richard Wang is the COO.

(2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still in the charge of Richard Wang as COO.

(3) On Aug 24, 2017, the company's board of directors approved the company name change and restored Richard Wang's CEO position.

(4) Richard Wang is not just the CEO & CTO; he is the company founder and a shareholder. He learned a big lesson from this sanction, and he can't control everything due to the internal audit mechanism described in Part One.

Part Three: Our future plan

(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust audit and to process our new root inclusion application, then we will do it strictly according to the WoSign Action Items bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

(2) If Mozilla decides to reject our new root inclusion at this beginning stage, then we can wait for another year. We will continue being a reseller of Certum and DigiCert. We don't have any plan to close our company.

(3) In the past 13 years, WoSign/WoTrus has done its best to provide the best certificate products and the best service to Chinese customers and worldwide customers. We are sure China needs the best local CA to make the China Internet more secure and trusted, and I am sure WoTrus is the one. If the China Internet is secure, then the global Internet is secure.

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security to regain public trust.
We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,

WoTrus CA Limited
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy