Ha. I was the OP of that email. Richard's reply was "From the screenshot, we
know why Percy hate WoSign so deeply, we know he represent which CA, everything
is clear now."

On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote:
> On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang <rich...@wosign.com> wrote:
> 
> >
> > > Do we trust that WoSign will not collect information on hits to any OCSP
> > responders they have set up and share that info with...whomever?
> >
> > Yes, any CA can do this if need. But you can use OCSP Stapling in your web
> > server.
> > We don’t worry about most China online banking system and many ecommerce
> > website using the foreign CA certificate, what do you worry about? As I
> > said, we used Akamai CDN service that all hits will go to Akamai Edge
> > servers first.
> >
> 
> In an earlier thread, someone posted a screenshot of what appeared to be a
> marketing email sent to Let's Encrypt customers, warning them about foreign
> CAs.
> 
> The screenshot image was: https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large
> 
> And the text as translated by the person who posted the screenshot (which I
> haven't personally verified) was:
> 
> The risks associated with foreign CA:
> 1. Cert revocation
> If foreign CA is influenced by politics and revoke certs for important
> Chinese organizations, the entire system will be paralyzed.
> 
> 2. Information security risks
> If the website uses foreign certs, users need to send information to
> foreign servers in every visit. Time of the visit, the location of the
> visit, IP addresses, and the browser, frequency of the visits are all
> collected by foreign CA. This will leak commercial secrets and sensitive
> data, and is very risky!
> 
> 
> Here, you're saying you don't consider it to be a threat, and that you
> don't worry if most Chinese online banking and ecommerce websites use a
> foreign CA. Was the screenshot of WoSign's marketing email accurate? And if
> so, what is WoSign committing to doing w/r/t OCSP metadata that it doesn't
> trust foreign CAs to do?
> 
> -- Eric
> 
> 
> >
> >
> > Best Regards,
> >
> > Richard Wang
> > CEO
> > WoSign CA limited
> >
> >
> > From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> > wosign....@lists.mozilla.org] On Behalf Of Peter Kurrasch
> > Sent: Thursday, September 22, 2016 3:06 AM
> > To: mozilla-dev-security-pol...@lists.mozilla.org
> > Subject: Time to distrust (was: Sanctions short of distrust)
> >
> > Do we trust that WoSign will honor requests for certs to be revoked? Do we
> > trust that revocation will take place in a timely matter? Do we trust that
> > WoSign will not collect information on hits to any OCSP responders they
> > have set up and share that info with...whomever?
> >
> > _______________________________________________
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
> 
> 
> 
> -- 
> konklone.com | @konklone <https://twitter.com/konklone>
