I know WoSign make some mistakes in 2015, and I accept any reasonable fair enough sanction. But WoSign will continue to do our best to provide best products and best service to worldwide customers, no matter what the sanction is. Here is the answer for your questions:
> Do we trust that WoSign will honor requests for certs to be revoked? Yes, we honor your requests for certs to be revoked for FREE according to our CPS. We used Akamai CDN for worldwide customer to provide best CRL/OCSP service. > Do we trust that revocation will take place in a timely matter? Yes, we will take place your revocation request in a timely matter that exceed your expectation – within 24 hours (24 x 365 non-stop). > Do we trust that WoSign will not collect information on hits to any OCSP > responders they have set up and share that info with...whomever? Yes, any CA can do this if need. But you can use OCSP Stapling in your web server. We don’t worry about most China online banking system and many ecommerce website using the foreign CA certificate, what do you worry about? As I said, we used Akamai CDN service that all hits will go to Akamai Edge servers first. Best Regards, Richard Wang CEO WoSign CA limited From: dev-security-policy [mailto:dev-security-policy-bounces+richard=wosign....@lists.mozilla.org] On Behalf Of Peter Kurrasch Sent: Thursday, September 22, 2016 3:06 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Time to distrust (was: Sanctions short of distrust) Do we trust that WoSign will honor requsts for certs to be revoked? Do we trust that revocation will take place in a timely matter? Do we trust that WoSign will not collect information on hits to any OCSP responders they have set up and share that info with...whomever? _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
