Ha. I was the OP of that email. Richard's reply was " From the screenshot, we know why Percy hate WoSign so deeply, we know he represent which CA, everything is clear now. "
On Thursday, September 22, 2016 at 11:55:43 AM UTC-7, Eric Mill wrote:
> On Wed, Sep 21, 2016 at 6:18 PM, Richard Wang <[email protected]> wrote:
>
> > > Do we trust that WoSign will not collect information on hits to any OCSP
> > > responders they have set up and share that info with...whomever?
> >
> > Yes, any CA can do this if need. But you can use OCSP Stapling in your web
> > server.
> > We don't worry about most China online banking system and many ecommerce
> > website using the foreign CA certificate, what do you worry about? As I
> > said, we used Akamai CDN service that all hits will go to Akamai Edge
> > servers first.
> >
>
> In an earlier thread, someone posted a screenshot of what appeared to be a
> marketing email sent to Let's Encrypt customers, warning them about foreign
> CAs.
>
> The screenshot image was: https://pbs.twimg.com/media/CrXf7w3W8AA2zd7.jpg:large
>
> And the text as translated by the person who posted the screenshot (which I
> haven't personally verified) was:
>
> The risks associated with foreign CA:
> 1. Cert revocation
> If foreign CA is influenced by politics and revoke certs for important
> Chinese organizations, the entire system will be paralyzed.
>
> 2. Information security risks
> If the website uses foreign certs, users need to send information to
> foreign servers in every visit. Time of the visit, the location of the
> visit, IP addresses, and the browser, frequency of the visits are all
> collected by foreign CA. This will leak commercial secrets and sensitive
> data, and is a very risky!
>
> Here, you're saying you don't consider it to be a threat, and that you
> don't worry if most Chinese online banking and ecommerce websites use a
> foreign CA. Was the screenshot of WoSign's marketing email accurate? And if
> so, what is WoSign committing to doing w/r/t OCSP metadata that it doesn't
> trust foreign CAs to do?
>
> -- Eric
>
> > Best Regards,
> >
> > Richard Wang
> > CEO
> > WoSign CA limited
> >
> > From: dev-security-policy [mailto:dev-security-policy-bounces+richard=
> > [email protected]] On Behalf Of Peter Kurrasch
> > Sent: Thursday, September 22, 2016 3:06 AM
> > To: [email protected]
> > Subject: Time to distrust (was: Sanctions short of distrust)
> >
> > Do we trust that WoSign will honor requests for certs to be revoked? Do we
> > trust that revocation will take place in a timely manner? Do we trust that
> > WoSign will not collect information on hits to any OCSP responders they
> > have set up and share that info with...whomever?
> >
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
>
> --
> konklone.com | @konklone <https://twitter.com/konklone>

