On Friday, September 23, 2016 at 3:57:12 PM UTC+8, Percy wrote:
> WoSign stated in the report that "Due to foreign companies to China's
> technology blockade, WoSign decided to research and develop all systems by
> ourselves in 2009, including BUY system (Online certificate store), CMS
> (Certificate Management System, internal work flow), PKI/CA (Certificate
> issuing system), CRL/OCSP (Certificate revocation query system) and TSA
> (time stamp system)."
> I'm assuming WoSign is referring to other companies operating CAs. Perhaps
> WoSign can clarify what those companies are and the nature of such
> blockade.
>
> WoSign also stated that "WoSign agrees that this is a violation of the BRs
> (only three US NIST P-256, P-384, or P-521 curves can be used for elliptic
> curve keys in certs), but being a Chinese licensed CA, we must abide by
> local laws and regulations, we must actively cooperate with domestic
> browsers to test the SSL certificate using SM2 algorithm issued by a global
> trusted root in the real Internet, not intranet.
>
> WoSign, as a member of CAB Forum, will spare no effort to continue to
> promote China encryption algorithm SM2 to become the international standard
> allowed algorithm."
>
>
> It seems that WoSign is committed to test certificates in a global trusted
> root despite explicit warning of not doing so even now. I see no
> Chinese law mandating the issuance of SM2 certificates or forbidding the
> issuance of certificate with standard curves. It's unclear to me why
> WoSign insisted on testing SM2 with publicly trusted root. If WoSign is
> claiming Chinese law mandate such testing/deployment, please refer to such
> laws here and perhaps the community can take the local law into account. If
> however no such law exists, as far as I know, such commitment to BR
> violation is not acceptable.
>
> On Friday, September 23, 2016, Percy <[email protected]> wrote:
>
> > Richard,
> > On behalf of most Chinese Internet users who do not speak English, I'm
> > asking why WoSign is only making the final statement available in Chinese,
> > but not the incident report. WoSign doesn't even have any statement,
> > announcement or press release in Chinese regarding any of the incidents
> > (except this final statement) anywhere.
> >
> > As WoSign is the largest CA in China, it must be responsible to Chinese
> > users. I'm requesting WoSign to make the incident report available in
> > Chinese and available on the WoSign's Chinese site. I believe an
> > announcement on the official Chinese site with the link to the incident
> > report is also warranted.
> >
> > On Thursday, September 22, 2016, Richard Wang <[email protected]> wrote:
> >
> > > Hi Gerv,
> > >
> > > This is the final statement about the incident:
> > > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in
> > > English)
> > >
> > > https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf
> > > (Chinese version) (In Chinese, this is easy for Chinese users.)
> > >
> > > I think this is the supplement of the two released reports.
> > >
> > > Please let me know if you have any questions about this statement, thanks.
> > >
> > >
> > > Best Regards,
> > >
> > > Richard Wang
> > > CEO
> > > WoSign CA Limited
> > >
> > >
> > > -----Original Message-----
> > > From: dev-security-policy [mailto:dev-security-policy-bounces+richard[email protected]] On Behalf Of
> > > Richard Wang
> > > Sent: Friday, September 16, 2016 6:05 PM
> > > To: Gervase Markham <[email protected]>
> > > Cc: [email protected]
> > > Subject: RE: Incidents involving the CA WoSign
> > >
> > > Hi Gerv,
> > >
> > > This is the final report:
> > > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
> > >
> > > Please let me know if you have any questions about the report, thanks.
> > >
> > >
> > > Best Regards,
> > >
> > > Richard Wang
> > > CEO
> > > WoSign CA Limited
> > >
> > >
> > > -----Original Message-----
> > > From: Gervase Markham
> > > Sent: Wednesday, September 7, 2016 7:00 PM
> > > To: Richard Wang; [email protected]
> > > Subject: Re: Incidents involving the CA WoSign
> > >
> > > Hi Richard,
> > >
> > > On 07/09/16 11:06, Richard Wang wrote:
> > > > This discuss has been lasting two weeks, I think it is time to end it,
> > > > it doesn’t worth to waste everybody’s precious time.
> > >
> > > Unfortunately, I think we may be only beginning.
> > >
> > > I have prepared a list of the issues we are tracking with WoSign's
> > > certificate issuance process and business:
> > >
> > > https://wiki.mozilla.org/CA:WoSign_Issues
> > >
> > > Please can you provide a response to issues F, P, S and T at your earliest
> > > convenience?
> > >
> > > In addition, if you have further things to say about issues D, H, J, L, N
> > > or V we would be happy to hear them.
> > >
> > > Thank you for your suggestions, but once Mozilla has a full understanding
> > > of what has gone on we will be in a better position to decide what next
> > > actions are appropriate.
> > >
> > > With best wishes,
> > >
> > > Gerv
> > > _______________________________________________
> > > dev-security-policy mailing list
> > > [email protected]
> > > https://lists.mozilla.org/listinfo/dev-security-policy

http://www.oscca.gov.cn/Column/Column_32.htm

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

