On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang <[email protected]> wrote:
> > > Do we trust that WoSign will not collect information on hits to any OCSP
> > > responders they have set up and share that info with...whomever?
> >
> > Yes, any CA can do this if needed. But you can use OCSP Stapling in your web
> > server.
> > We don't worry about most China online banking system and many ecommerce
> > website using the foreign CA certificate, what do you worry about? As I
> > said, we used Akamai CDN service that all hits will go to Akamai Edge
> > servers first.
> >

In an earlier thread, someone posted a screenshot of what appeared to be a
marketing email sent to Let's Encrypt customers, warning them about foreign
CAs.

The screenshot image was:
https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large

And the text as translated by the person who posted the screenshot (which I
haven't personally verified) was:

    The risks associated with foreign CA:

    1. Cert revocation
    If foreign CA is influenced by politics and revoke certs for important
    Chinese organizations, the entire system will be paralyzed.

    2. Information security risks
    If the website uses foreign certs, users need to send information to
    foreign servers in every visit. Time of the visit, the location of the
    visit, IP addresses, and the browser, frequency of the visits are all
    collected by foreign CA. This will leak commercial secrets and sensitive
    data, and is very risky!

Here, you're saying you don't consider it to be a threat, and that you don't
worry if most Chinese online banking and ecommerce websites use a foreign CA.

Was the screenshot of WoSign's marketing email accurate? And if so, what is
WoSign committing to doing w/r/t OCSP metadata that it doesn't trust foreign
CAs to do?

-- Eric

> Best Regards,
>
> Richard Wang
> CEO
> WoSign CA limited
>
>
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> [email protected]] On Behalf Of Peter Kurrasch
> Sent: Thursday, September 22, 2016 3:06 AM
> To: [email protected]
> Subject: Time to distrust (was: Sanctions short of distrust)
>
> Do we trust that WoSign will honor requests for certs to be revoked? Do we
> trust that revocation will take place in a timely manner? Do we trust that
> WoSign will not collect information on hits to any OCSP responders they
> have set up and share that info with...whomever?
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>

--
konklone.com | @konklone <https://twitter.com/konklone>
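The thread's one concrete mitigation for the OCSP-metadata concern is OCSP stapling: the web server fetches the signed OCSP response from the CA itself and hands it to clients inside the TLS handshake, so browsers never contact the CA's responder and the CA only ever sees the server's periodic fetches. What a site operator wants to know is whether their server is actually stapling. The following is an added example, not code from the thread or from any of the parties in it; it assumes `openssl(1)` is installed for the live check, and the sample `s_client -status` output embedded below is constructed for illustration.

```shell
#!/bin/sh
# Added example: detect whether a TLS server staples OCSP responses, so that
# client visits do not leak to the CA's OCSP responder.

# Parse the output of `openssl s_client -status` and classify it.
# Prints "stapled", "not-stapled" or "stapled-but-<status>" and returns 0
# only when a successful OCSP response was stapled.
ocsp_stapling_state() {
    output="$1"
    if printf '%s\n' "$output" | grep -q '^OCSP response: no response sent'; then
        echo "not-stapled"
        return 1
    fi
    # The status line is indented under "OCSP Response Data:".
    status=$(printf '%s\n' "$output" | sed -n 's/^ *OCSP Response Status: *//p' | head -n 1)
    case "$status" in
        "successful (0x0)") echo "stapled"; return 0 ;;
        "") echo "not-stapled"; return 1 ;;
        *) echo "stapled-but-$status"; return 1 ;;
    esac
}

# Live check against a real host. $1 = hostname, $2 = port (default 443).
# SNI is sent so that name-based virtual hosts answer with the right cert.
check_stapling() {
    host="$1"; port="${2:-443}"
    out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" -status 2>/dev/null)
    ocsp_stapling_state "$out"
}

# Constructed sample of what s_client prints when a response is stapled.
SAMPLE_STAPLED='CONNECTED(00000003)
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
======================================
'

# Constructed sample for a server that does not staple.
SAMPLE_NOT_STAPLED='CONNECTED(00000003)
OCSP response: no response sent
'

# Stand-alone demo on the constructed samples.
ocsp_stapling_state "$SAMPLE_STAPLED"
ocsp_stapling_state "$SAMPLE_NOT_STAPLED" || true
```

Run `check_stapling example.org` against your own host after enabling stapling in the server (for nginx that is `ssl_stapling on;` together with `ssl_stapling_verify on;` and a `ssl_trusted_certificate` pointing at the CA chain; the directive names are nginx's, not from the thread). A "not-stapled" result means every visitor's browser is still free to query the CA's responder directly, which is exactly the metadata exposure being argued about above.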

