On Friday, September 2, 2016 at 3:07:46 AM UTC-7, Gervase Markham wrote:
> Hi Richard,
>
> On 01/09/16 04:04, Richard Wang wrote:
> > First, please treat WoSign as a global trusted CA, DON'T stamp as
> > China CA. We need a fair treatment as other worldwide CAs that I am
> > sure WoSign is not the first CA that have incident and not the
> > serious one;
>
> We are keen to treat WoSign as a global CA. It's certainly true that we
> would be having this discussion about any other global CA which had had
> such a list of incidents. However, it seems that you are advancing
> arguments - such as "we are Chinese; we can't be expected to fully
> understand standards written in English" - which ask for special
> consideration as a Chinese CA rather than a global CA. And, as others
> have pointed out in this thread, WoSign is very happy to be seen as a
> China CA for marketing purposes inside China.
WoSign in fact actively emphasizes that it is a China CA, and plays on global politics, in its marketing. WoSign has claimed that a foreign CA might revoke certificates issued to Chinese organizations for political reasons, and that a foreign CA will collect all of a site's user information. This is a typical marketing email they sent:

https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large

Translated below.

-------

Dear friend:

I'm *** from WoSign CA. WoSign is the first SSL certificate company in China. Your website *****'s SSL certificate is from Let's Encrypt, expiring in October 2016. If you switch to WoSign before it expires, you can enjoy buy one year, get one year free.

The risks associated with a foreign CA:

1. Certificate revocation
If a foreign CA is influenced by politics and revokes the certificates of important Chinese organizations, the entire system will be paralyzed.

2. Information security risks
If the website uses a foreign certificate, users need to send information to foreign servers on every visit. The time of the visit, the location of the visit, IP addresses, the browser, and the frequency of visits are all collected by the foreign CA. This will leak commercial secrets and sensitive data, and is very risky!

3. Server latency
A foreign CA cannot provide 24*7 local support. Its servers are overseas and are affected by submarine cables; latency is 10X. If something happens to the submarine cables and the certificate revocation list is not accessible, important systems with foreign certificates will be paralyzed. In 2012 there was an incident in which a submarine cable was broken.

.... (contact info stuff)

Best regards and thanks,
WoSign CA Limited.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

