On Friday, August 26, 2016 at 4:26:26 PM UTC+8, Richard Wang wrote:
> This is the standard way in China Internet, if a west company say something
> to China company, all will support the west company.

-- especially when local CAs are losing credibility to end-users. Microsoft Azure's Chinese website[1] has migrated from CNNIC CA, to WoSign, and recently to DigiCert. CNNIC itself, ironically, also moved to DigiCert.

[1]: azure.cn

It is almost axiomatic that without a proper statement & fix (no more 233sec team exploits) made, WoSign will continue losing trust from end-users as well as webmasters.

> PLEASE don’t move this technical problem to political issue, thanks.

Very unfortunately WoSign's advertisements are seemingly doing the opposite. On this comparison between WoSign and foreign CAs[2], you made the following statements:

[2]: http://wayback.archive.org/web/20160828045112/https://www.wosign.com/about/WoSign_ForeignCA_compare.htm

* Security: handled by Chinese company itself, fully secure. (Foreign CA: System Security should not be a problem, but risks of random revokes and/or access failures exist.)
* Compliance with Chinese Law: Yes (Foreign CA: No, legal risks exist.)

> Best Regards,
>
> Richard
>
> -----Original Message-----
> From: dev-security-policy
> [mailto:[email protected]] On
> Behalf Of [email protected]
> Sent: Friday, August 26, 2016 4:05 PM
> To: [email protected]
> Subject: Re: Incidents involving the CA WoSign
>
> The news about possible sanction against WoSign was reported by Solidot
> http://www.solidot.org/story?sid=49448
> (the Chinese version of Slashdot). Out of 12 comments in total (at the time
> of writing), 8 of them call for revocation of WoSign, the rest talks about
> the general bad security practices in China.
>
> A quick intro of myself.
> I'm Percy Alpha and I broke the news on GFW's MITM attack on iCloud, Outlook
> and Yahoo in 2014 and was later the victim of Great Cannon attack in 2015.
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

