Hi Richard,

A few corrections:

On Wed, Sep 26, 2018 at 11:36 AM Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Ryan mentioned WoSign/StartCom and 360, so I'd like to say a few words.
>
> First, I think your idea is not a proper metaphor because 360 browser
> can't compare to Google browser, Google browser has absolutely strong
> market share to say YES/NO to all CAs, but I am sure not to Google CA.
>

That wasn't the comparison. I was more highlighting how you actively
misled (lied to?) the community about the relationship between the
entities, by trying to argue as separate entities. While Google Trust
Services is a separate legal entity, which is about ensuring there is a
firewall between these organizations, my concern about bringing it up was
because of how you actively misled the community.


> Third, your comparison of Apple and Microsoft is also not correct, they
> use their own CA systems for their own system use only, not for public, not to
> be a global public CA like Google.
>

I'm afraid this also misunderstands things. Microsoft does issue
certificates for end-users using its services (like Google). To the point
of the discussion, however, it was about the assumption and implication
that you cannot distrust an entity that operates a large web presence and
also a CA, or that browsers would play special favors to the CAs of their
properties, whether in-house or external. Both of these apply to all
browsers - arguably, even Mozilla (which uses certs from DigiCert as well,
either through the Amazon-branded sub-CA that DigiCert operates or directly
through DigiCert).


> Ryan, thank you for still remembering WoSign.
>

I think it will be very hard for the community to ever forget
https://wiki.mozilla.org/CA:WoSign_Issues