Re: StartCom inclusion request: next steps

2017-09-14 Thread Percy via dev-security-policy
"Conclusion: StartCom's attempt to restart the CA was rushed."

"It was a very hard task in very few time but the people at 360 tried 
everything to get it done by that date, end of december 2016, and yes, we 
reached the date but with many failures"

May I ask why StartCom chose to rush everything in PHP from the ground up 
rather than using the more secure system already in place in the old StartCom?  
From my understanding, the distrust of StartCom is more related to the secret 
acquisition by WoSign and Qihoo 360 than to insecure infrastructure. So if 
the deadline was as imminent as you stated and the pressure from customers so 
high, couldn't you have used the reasonably secure old code base rather than 
rushing everything from the ground up? Then you would have had more time to 
transition to another system if needed, with sufficient time for secure processes.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
On Wednesday, August 30, 2017 at 11:15:04 AM UTC-7, Kathleen Wilson wrote:
> Posted:
> 
> https://blog.mozilla.org/security/2017/08/30/removing-disabled-wosign-startcom-certificates-firefox-58/
> 
> I will look into getting this translated and published in China.
> 
> Thanks,
> Kathleen

Thank you so much for taking Chinese users into consideration! 


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
Links to all of WoSign's announcements in case anyone wants to verify:
https://www.wosign.com/news/index.htm (year 2017)
https://www.wosign.com/news/index2016.htm (year 2016)


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
In fact, can you tell us when WoSign first started to notify users about 
replacing certs?  

I've dug through all of WoSign's announcements, and the first and in fact the 
ONLY announcement regarding replacing certs is dated July 10th, 2017, titled 
"Announcement regarding Google's decision on July 7th". Between Sept 19, 2016 and 
July 10th, 2017, WoSign posted a total of 19 announcements, including 
announcements about a mountain hiking competition on Youth Day, trips to the 
Yangtze River Delta, and WoSign's professional services winning customers' 
acknowledgment.   

Of course your customers might be unable to replace certs in time if you only 
notified them in July this year while browsers announced such decisions in Oct 
last year!


Re: Remove old WoSign root certs from NSS

2017-08-30 Thread Percy via dev-security-policy
It's true that the first post has a link to that second post. However, the 
related sentence is 

To learn more, please visit "Announcement regarding Google's decision on July 
7th", with a hyperlink to the second post. 

And only the second post mentions anything about replacing certs. I hardly 
think users would understand they are risking being blocked by major browsers 
from such a benign looking sentence. 


Re: Remove old WoSign root certs from NSS

2017-08-29 Thread Percy via dev-security-policy
On Sunday, August 27, 2017 at 10:59:48 PM UTC-7, Richard Wang wrote:
> We released replacement notice in Chinese in our website:
> https://www.wosign.com/news/announcement-about-Microsoft-Action-20170809.htm
> https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm
> https://www.wosign.com/news/announcement_about_Mozilla_Action_20161024.htm
> 
> And we have sent broadcast email to our customer, but some customers still 
> don't replace its certificate due to many kind of reasons that this must be 
> cooperated by customers.
> 
> 
> Best Regards,
> 
> Richard

I have to point out that of all the above 3 posts, only one, namely 
https://www.wosign.com/news/announcement-about-Google-Action-20170710.htm 
mentions anything about replacing the certs. 


Re: Remove old WoSign root certs from NSS

2017-08-27 Thread Percy via dev-security-policy
On Friday, August 25, 2017 at 4:42:29 PM UTC-7, Kathleen Wilson wrote:
> On Friday, August 4, 2017 at 12:01:15 AM UTC-7, Percy wrote:
> > I suggest that Mozilla can post an announcement now about the complete 
> > removal of WoSign/StartCom to alert website developers. I suspect that a 
> > moderate amount of Chinese websites are still using WoSign certs chained to 
> > the old roots. Google posted about this complete removal here 
> > https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
> >  
> > 
> > And since WoSign has the most presence in China, I suggest Mozilla can 
> > instruct Mozilla China to post such announcement in Chinese as well.
> 
> 
> Here's a DRAFT for such an announcement, that I could post to Mozilla's 
> Security Blog [1].
> 
> ~~ DRAFT ~~
> 
> Title: Removing Disabled WoSign and StartCom Certificates from Firefox 58
> 
> In October 2016, Mozilla announced[2] that, as of Firefox 51, we would stop 
> validating new certificates chaining to the below list of root certificates 
> owned by the companies WoSign and StartCom. 
> 
> The announcement also indicated our intent to eventually completely remove 
> these root certificates from Mozilla’s Root Store[3], so that we would no 
> longer validate certificates issued even before that date by those roots. 
> That time has now arrived. We plan to release the relevant changes[4] to 
> Network Security Services (NSS)[5] in November, and then the changes will be 
> picked up in Firefox 58[6], due for release in January 2018. Sites using 
> certificates chaining up to any of the following root certificates need to 
> migrate to another root certificate.
> 
> This announcement applies to the root certificates with the following names:
> 
> CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN
> CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, 
> O=StartCom Ltd., C=IL
> CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
> 
> Mozilla Security Team
> ~~
> 
> As always, I will appreciate your constructive feedback.
> 
> Thanks,
> Kathleen
> 
> [1] https://blog.mozilla.org/security/
> [2] https://blog.mozilla.org/security/2016/10/24/distrusting-new-wosign-and-startcom-certificates/
> [3] https://wiki.mozilla.org/CA
> [4] https://bugzilla.mozilla.org/show_bug.cgi?id=1387260
> https://bugzilla.mozilla.org/show_bug.cgi?id=1392849
> [5] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
> [6] https://wiki.mozilla.org/RapidRelease/Calendar

Such an announcement will be great. And a Chinese translation posted on Mozilla 
China will be greatly appreciated too.

A Chinese announcement is rather appreciated because some very large companies 
are affected: for example, OFO, which received $450M in funding and is currently 
valued at 1B [1], is still using WoSign certs [2]; Fapiao, which deals with 
receipts for Starbucks in China, was using the old WoSign cert [3] until two 
weeks ago. It only changed the cert after months of customer complaints. Those 
are by far not isolated cases. 


[1] https://en.wikipedia.org/wiki/Ofo_(bike_sharing)
[2] https://common.ofo.so/
[3] https://crt.sh/?q=fapiao.com


Microsoft to remove WoSign and StartCom certificates in Windows 10

2017-08-09 Thread Percy via dev-security-policy
https://blogs.technet.microsoft.com/mmpc/2017/08/08/microsoft-to-remove-wosign-and-startcom-certificates-in-windows-10/

Microsoft has concluded that the Chinese Certificate Authorities (CAs) WoSign 
and StartCom have failed to maintain the standards required by our Trusted Root 
Program. Observed unacceptable security practices include back-dating SHA-1 
certificates, mis-issuances of certificates, accidental certificate revocation, 
duplicate certificate serial numbers, and multiple CAB Forum Baseline 
Requirements (BR) violations.

Thus, Microsoft will begin the natural deprecation of WoSign and StartCom 
certificates by setting a “NotBefore” date of 26 September 2017. This means all 
existing certificates will continue to function until they self-expire. Windows 
10 will not trust any new certificates from these CAs after September 2017.

Microsoft values the global Certificate Authority community and only makes 
these decisions after careful consideration as to what is best for the security 
of our users.
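The two sanction styles quoted in this thread differ in mechanism: Mozilla's draft (Firefox 51) stops validating new certificates chaining to the listed roots and Firefox 58 removes the roots outright, while Microsoft's Windows 10 change keys on a "NotBefore" date and lets existing certificates run until they expire. The following Python is an added example, not code from the thread, Mozilla or Microsoft: it applies those rules to an already-built certificate path (leaf first, root last). The root names and cut-off dates come from the posts; the chains, the intermediate name and the unaffected root are constructed, and signature verification and path building are out of scope.

```python
# Added example: applies the Mozilla and Microsoft WoSign/StartCom rules quoted in
# the thread to an already-built certificate path (leaf first, root last).
# Root names (from the Mozilla draft) and cut-off dates come from the posts; chains are constructed.
from dataclasses import dataclass
from datetime import date

DISTRUSTED_ROOTS = frozenset({
    "CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN",
    "CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, C=CN",
    "CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN",
    "CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL",
    "CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL",
})
MOZILLA_CUTOFF = date(2016, 10, 21)    # Firefox 51: certs issued after this are not validated
MICROSOFT_CUTOFF = date(2017, 9, 26)   # Windows 10 "NotBefore" date


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date


def chains_to_distrusted_root(chain):
    # Keyed on the root's name; a path built through a cross-signed intermediate
    # that never reaches the listed root would not be caught by this test.
    return any(c.subject in DISTRUSTED_ROOTS for c in chain)


def evaluate(chain, policy, today):
    """Return (trusted, reason) for the leaf under one of the three regimes:
    firefox51 - partial distrust keyed on the leaf's notBefore
    firefox58 - roots removed from NSS, nothing chaining to them validates
    windows10 - NotBefore cut-off; existing certs work until they expire
    """
    leaf = chain[0]
    if not leaf.not_before <= today <= leaf.not_after:
        return False, "leaf outside its validity period"
    if not chains_to_distrusted_root(chain):
        return True, "chain does not reach a listed root; these rules do not apply"
    if policy == "firefox51":
        if leaf.not_before > MOZILLA_CUTOFF:
            return False, f"issued after {MOZILLA_CUTOFF} by a distrusted root"
        return True, "issued before the Mozilla cut-off; accepted by Firefox 51-57"
    if policy == "firefox58":
        return False, "root removed from NSS; no certificate from it validates"
    if policy == "windows10":
        if leaf.not_before > MICROSOFT_CUTOFF:
            return False, f"NotBefore after {MICROSOFT_CUTOFF}; rejected by Windows 10"
        return True, "issued before the Microsoft NotBefore date; trusted until expiry"
    raise ValueError(f"unknown policy {policy!r}")


def sample_chains():
    """Constructed chains; the intermediate and the unaffected root are hypothetical."""
    wosign = "CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN"
    ica = "CN=Example WoSign DV Server CA, O=WoSign CA Limited, C=CN"  # hypothetical
    other = "CN=Example Unaffected Root, O=Example CA, C=US"            # hypothetical
    root = Cert(wosign, wosign, date(2009, 8, 8), date(2039, 8, 8))
    inter = Cert(ica, wosign, date(2014, 11, 8), date(2029, 11, 8))
    other_root = Cert(other, other, date(2010, 1, 1), date(2030, 1, 1))
    return {
        "old_wosign": [Cert("CN=shop.example.cn", ica, date(2016, 6, 1), date(2018, 6, 1)), inter, root],
        "new_wosign": [Cert("CN=api.example.cn", ica, date(2017, 10, 1), date(2019, 10, 1)), inter, root],
        "unaffected": [Cert("CN=www.example.org", other, date(2017, 1, 1), date(2019, 1, 1)), other_root],
    }


def evaluate_samples(today=date(2017, 11, 1)):
    """Map (chain name, policy) -> trusted for every sample chain and regime."""
    results = {}
    for name, chain in sample_chains().items():
        for policy in ("firefox51", "firefox58", "windows10"):
            trusted, reason = evaluate(chain, policy, today)
            results[(name, policy)] = trusted
            print(f"{name:11} {policy:10} {'trusted' if trusted else 'REJECTED':9} {reason}")
    return results


if __name__ == "__main__":
    evaluate_samples()
```

Run as a script it prints one verdict per chain and regime; the old WoSign-chained leaf survives in Firefox 51-57 and Windows 10 but not Firefox 58, the one issued after September 2017 fails everywhere.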


Re: StartCom cross-signs disclosed by Certinomis

2017-08-07 Thread Percy via dev-security-policy
On Monday, August 7, 2017 at 2:36:10 PM UTC-7, Itzhak Daniel wrote:
> On Monday, August 7, 2017 at 11:03:27 PM UTC+3, Jakob Bohm wrote: 
> > 7. At Quihoo: Actually get rid of Richard Wang, not just change his
> >title from CEO to COO.
> 
> I didn't map the new hierarchy of the "Spanish" StartCom CA ("StartCom CA 
> Spain Sociedad Limitada"), having trouble registering to the Spanish company 
> house and pulling documents (I pulled from a 3rd party, but they're garbage [1] 
> [2]). I did manage to see that Mr. Barreira is the Director but nothing on 
> the shareholders or parent company.
> 
> I took a quick look at StartCom UK (as the information there is free) and 
> noticed Mr. Wang became a director again [3]... I wonder who is "StartCom CA 
> Spain Sociedad Limitada"'s parent/shareholder, maybe a disclosure?
> 
> Links:
> 1. https://www.letsphish.org/files/StartCom-CA-SPA-Appointment.pdf
> 2. https://www.letsphish.org/files/StartCom-CA-SPA-Profile.pdf
> 3. https://beta.companieshouse.gov.uk/company/09744347

StartCom CA Spain Sociedad Limitada was not in the original hierarchy [1] or 
the proposed hierarchy [2]. I request that StartCom makes a full disclosure of 
the ownership information. 

In addition, in the WoSign remediation plan, WoSign stated [3] that 

Due to the severity of issues noted within, the decision has been made to 
address the above three areas as they fall under the areas of 1) 
leadership/authority in WoSign and StartCom, 2) operational/business process 
and 3) technology. 

If WoSign/StartCom has determined leadership/authority is the No.1 cause of 
issues, why is Richard Wang appointed as a director of StartCom merely 6 months 
after his removal? That is without even mentioning his COO role at WoSign. 

[1] https://groups.google.com/forum/#!searchin/mozilla.dev.security.policy/startcom%7Csort:relevance/mozilla.dev.security.policy/0pqpLJ_lCJQ/z69lmZ88DwAJ
[2] https://en.wikipedia.org/wiki/StartCom#cite_note-structure201612-9
[3] https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf


Re: Remove old WoSign root certs from NSS

2017-08-04 Thread Percy via dev-security-policy
On Thursday, August 3, 2017 at 3:55:34 PM UTC-7, Kathleen Wilson wrote:
> On Monday, July 10, 2017 at 12:47:31 PM UTC-7, Kathleen Wilson wrote:
> > I also think we should remove the old WoSign root certs from NSS.
> > 
> > Reference:
> > https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
> > ~~
> > Mozilla currently recommends not trusting any certificates issued by this 
> > CA after October 21st, 2016. That recommendation covers the following roots:
> > 
> > CN=CA 沃通根证书, OU=null, O=WoSign CA Limited, C=CN
> > CN=Certification Authority of WoSign, OU=null, O=WoSign CA Limited, C=CN
> > CN=Certification Authority of WoSign G2, OU=null, O=WoSign CA Limited, 
> > C=CN
> > CN=CA WoSign ECC Root, OU=null, O=WoSign CA Limited, C=CN
> > 
> > This restriction has been implemented in both in the Mozilla platform 
> > security code (PSM), which is shared by the Mozilla applications (Firefox, 
> > Thunderbird, etc.), and in addition, in the NSS library code, which is used 
> > by applications that use the NSS certificate verification APIs. 
> > ~~
> > 
> > Please let me know if you foresee any problems with removing these root 
> > certs from NSS.
> > 
> > Thanks,
> > Kathleen
> 
> 
> I have filed Bug #1387260 to remove the old WoSign root certificates. This 
> will likely happen in the October batch of root changes.
> 
> Kathleen

I suggest that Mozilla post an announcement now about the complete removal 
of WoSign/StartCom to alert website developers. I suspect that a moderate 
number of Chinese websites are still using WoSign certs chained to the old 
roots. Google posted about this complete removal here: 
https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html

And since WoSign has the most presence in China, I suggest Mozilla instruct 
Mozilla China to post such an announcement in Chinese as well.


Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Percy via dev-security-policy
> You will fail #4. Because your system, as designed, cannot and does not
> comply with the Baseline Requirements. 

Is there a design outline in the security audit as well? No one in the 
community can judge either yours or WoSign's statement as this information is 
not shared with us. I suggest either WoSign or Mozilla/Google share such 
information with the community if it's not under NDA. Otherwise, this 
discussion is rather unproductive as we have crucial information missing.


Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote:
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy wrote:
> > 
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang  wrote:
> >> 
> >> Please note this email topic is just for releasing the news that WoSign 
> >> new system passed the security audit, just for demonstration that we 
> >> finished item 5:
> >> " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> >> issuing infrastructure has been successfully completed. "
> >> " [3] The auditor must be an external company, and approved by Mozilla. "
> > 
> > It also seems a bit strange to report item 5 "successfully completed" 
> > before we hear anything about the other items. How about starting with item 
> > 1? What are your plans voor fixing the problems?
> 
> It’s worth noting that the problems have not stopped yet. There are a bunch 
> of certificates issued over the past few months that do not comply with the 
> Baseline Requirements issued from the new "StartCom BR SSL ICA”, for example:
> 

I guess such mis-issuances are not covered by this security audit as the entries 
are done internally. But I hope that WoSign releases the full security audit so 
that this community can evaluate objectively, rather than rely on the so-called 
summary.


Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Percy via dev-security-policy
So it seems that Richard Wang still has the final executive decisions regarding 
security in daily operations. Basically WoSign simply changed the title of the 
position from CEO to COO and bypassed Mozilla's requirement? 

On Sunday, July 9, 2017 at 7:26:28 PM UTC-7, Richard Wang wrote:
> The important thing is by the board of directors, the Company Legal 
> Representative is changed to Mr. Shi Xiaohong, VP of 360.
> 
> The daily operation thing is by COO.
> 
> Best Regards,
> 
> Richard
> 
> From: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, July 10, 2017 10:12 AM
> To: Richard Wang 
> Cc: Itzhak Daniel ; 
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security audit
> 
> So who acts as the CEO for WoSign when final executive decisions need to be 
> made?
> 
> On Sun, Jul 9, 2017 at 9:41 PM, Richard Wang via dev-security-policy wrote:
> 
>Mr Wang is the COO now according to Mr. Tan's public announcement on March 
> CAB Forum meeting.
> 
>CEO is still N/A, if anyone is interesting in the CEO position, please 
> send your Resume to Mr. Tan.
> 
>Best Regards,
> 
>Richard
> 
>-Original Message-
>From: dev-security-policy 
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org]
>  On Behalf Of Itzhak Daniel via dev-security-policy
>Sent: Monday, July 10, 2017 4:57 AM
>To: 
> mozilla-dev-security-pol...@lists.mozilla.org
>Subject: Re: WoSign new system passed Cure 53 system security audit
> 
>Mr. Wang is mentioned on the end of the document, what is Richard Wang 
> current official responsibility of Mr. Wang at WoSign?
> 
>According to the incident report, release on October 2016 [1], Mr. Wang 
> was suppose to be relieved of his duties as CEO, this is mentioned in 3 
> separate paragraphs (P.17,P.25,P.26).
> 
>Links:
>1. https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
> 
> 
>--
> konklone.com | @konklone



Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither their
> home page https://www.startcomca.com/ nor their announcement page
> https://www.startcomca.com/index/news mentions that those certs are not
> trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any
> > standard. Mozilla is not the global authority on what certificates may
> > be issued. If StartCom are providing certificates which do not do what
> > their customers expect, I'm sure those customers will let them know
> > about it soon enough.
> 
> What StartCom claims about compatibility is potentially more
> Mozilla-relevant than what they are silent about. At the bottom of their
> front page, it says "StartCom™ / StartSSL™ is supported by:" followed by
> icons. The icons include an early icon for Camino and the SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in StartCom
> certificates, I guess having Camino there isn't technically incorrect, but
> is about as relevant as having the Flock icon there. However, is it correct
> to have the SeaMonkey icon there? The latest SeaMonkey release seems to
> post-date the Mozilla root program's trust change in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR security
> patch releases that post-date the SeaMonkey release. Is SeaMonkey still
> active, despite appearing not to ship Gecko security updates, and does
> SeaMonkey implement the same trust special-casing as Firefox? It seems to
> produce nightlies still.)
> 
> -- 
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/

Ha, it seems that they removed those icons in response to your comments. Now 
they only list Edge, IE, Android and Windows.


StartCom continues to sell untrusted certificates

2017-05-01 Thread Percy via dev-security-policy
It seems that StartCom continues to sell untrusted certs. Neither their home 
page https://www.startcomca.com/ nor their announcement page 
https://www.startcomca.com/index/news mentions that those certs are not 
trusted. 


Re: Symantec Conclusions and Next Steps

2017-04-28 Thread Percy via dev-security-policy
On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote:
> Hi Ryan,
> 
> For your question “Do you believe that, during the discussions about how to 
> respond to WoSign's issues, the scope of impact was underestimated?”, the 
> answer is YES.
> 
> After Oct 21 2016, WoSign stopped to issue SSL certificates from WoSign root 
> (to be exactly, maybe few in October, but all replaced), we know our 
> customers don’t accept the problem of interoperability and compatibility 
> failures, so we cooperated with other Trusted CAs to sell their certificates 
> to our customers since Nov 21 2016, to replace the affected SSL certificates 
> and code signing certificates for our charged customers for FREE, to renew 
> and order certificates for current customers and new customers to keep our 
> business continuity till we have our own new trusted roots.
> 
> WoSign appreciated Mozilla’s decision: trust the certificates that issued 
> before Oct 20 2016, and similarly rule for Apple and Microsoft, and we also 
> promised to our customers for this, this decision don’t bring any troubles to 
> our issued certificate customers, very good.
> 

This is not what you said. You said "Mozilla's sanctions are too severe": 
https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm

> 
> But Google start to distrust WoSign certificates unless the site is in the 
> Alexa Top 1M site list since Chrome 57, this bring many problems to us and to 
> our customers, to provide best service to our customers, we provide FREE 
> replacement for our charged customers that we must pay the cost to the 
> Partner (Trusted CA). Till now, we replaced 596 certificates for our 
> customers for free, and there are 97 orders ask for refund instead of 
> replacement. This Google decision’s problem is some big websites used a 
> domain that not listed in Alexa 1M suffered disruption, for example, Qihoo 
> 360’s search site and online gaming sites used a domain in CDN for pictures 
> that not listed in Top 1M, there are more than 500M users suffered the 
> untrusted warning and 360 need to replace the certificates for thousands of 
> servers.
> 
> The problem also come from the WoSign Root CA pinned for some payment gateway 
> from online payment service providers and from some online banking APPs, even 
> we replaced the certificate for them for free, they need to update the 
> gateway/API software to accept the new trusted root, and need to update the 
> bank APP to recognize the new certificate and new root, this is terrible that 
> all those customers curse us and very angry.
> 

Since all the certs are supposedly included in certificate transparency already, 
would you be able to share which apps pinned your certs, with the certs? Of the 
only handful of banking-related apps included, I haven't seen any failure 
because of pinning. In fact, why would the Chrome distrust cause a pinning 
failure in the app? 
> 
> For affected 2417 Code Signing certificates, there are many customers signed 
> the code, but distrusted by Microsoft that customers ask for full refund and 
> need to buy the new code signing cert from other CA that need to sign the 
> software again that installed in billions system, this is also a disaster to 
> customers and its software users.
> 

Could you point to a Microsoft announcement that refers to removal of WoSign 
certs? In fact, Microsoft explicitly said WoSign/StartCom is trusted (as of 
March 9, 2017): 
https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx

> We can’t image the result in the future for “In subsequent Chrome releases, 
> these exceptions will be reduced and ultimately removed, culminating in the 
> full distrust of WoSign”, this means all WoSign issued SSL certificates in 
> the last three years need to be replaced, including the 2845 valid 
> certificates for Microsoft Azure and Office 365 that Microsoft Sumedh said 
> “any outage of an Azure service that lasts more than a few minutes gets 
> escalated to our executives.”
> 
> The total valid SSL certificates is 173,886, and the charged valid 
> certificates is 10,368 that we need to pay money to other CA for free 
> replacement (if US$100 per certificate, the total cost is over US$ One 
> Million!), I think this is not only money problem, but it also will bring 
> huge work to us and to our customers to replace the certificate. This is the 
> next BIG disaster if Chrome distrust all WoSign certificates that issued 
> before Oct. 20 2016.
> 
> So, I wish Google can reconsider the plan that change to distrust all WoSign 
> issued free SSL certificates, but keep to trust the charged one (DV SSL/IV 
> SSL/OV SSL/EV SSL) that don’t have any mis-issuance problem, those charged 
> certificates is used for many big eCommerce websites, many government 
> websites, many bank systems, many securities