On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang <rich...@wosign.com> wrote:

>
> > Do we trust that WoSign will not collect information on hits to any OCSP
> responders they have set up and share that info with...whomever?
>
> Yes, any CA can do this if need. But you can use OCSP Stapling in your web
> server.
> We don’t worry about most China online banking system and many ecommerce
> website using the foreign CA certificate, what do you worry about? As I
> said, we used Akamai CDN service that all hits will go to Akamai Edge
> servers first.
>

In an earlier thread, someone posted a screenshot of what appeared to be a
marketing email sent to Let's Encrypt customers, warning them about foreign
CAs.

The screenshot image was: https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:
large

And the text as translated by the person who posted the screenshot (which I
haven't personally verified) was:

The risks associated with foreign CA:
1. Cert revocation
If foreign CA is influenced by politics and revoke certs for important
Chinese organizations, the entire system will be paralyzed.

2. Information security risks
If the website uses foreign certs, users need to send information to
foreign servers in every visit. Time of the visit, the location of the
visit, IP addresses, and the browser, frequency of the visits are all
collected by foreign CA. This will leak commercial secrets and sensitive
data, and is a very risky!


Here, you're saying you don't consider it to be a threat, and that you
don't worry if most Chinese online banking and ecommerce websites use a
foreign CA. Was the screenshot of WoSign's marketing email accurate? And if
so, what is WoSign committing to doing w/r/t OCSP metadata that it doesn't
trust foreign CAs to do?

-- Eric


>
>
> Best Regards,
>
> Richard Wang
> CEO
> WoSign CA limited
>
>
> From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> wosign....@lists.mozilla.org] On Behalf Of Peter Kurrasch
> Sent: Thursday, September 22, 2016 3:06 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Time to distrust (was: Sanctions short of distrust)
>
> Do we trust that WoSign will honor requsts for certs to be revoked? Do we
> trust that revocation will take place in a timely matter? Do we trust that
> WoSign will not collect information on hits to any OCSP responders they
> have set up and share that info with...whomever?
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>



-- 
konklone.com | @konklone <https://twitter.com/konklone>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to