On Friday, September 23, 2016 at 6:44:29 PM UTC+8, Han Yuwei wrote:
> On Friday, September 23, 2016 at 3:57:12 PM UTC+8, Percy wrote:
> > WoSign stated in the report that "Due to foreign companies to China's
> > technology blockade, WoSign decided to research and develop all systems by
> > ourselves in 2009, including BUY system (Online certificate store), CMS
> > (Certificate Management System, internal work flow), PKI/CA (Certificate
> > issuing system), CRL/OCSP (Certificate revocation query system) and TSA
> > (time stamp system). "
> > I'm assuming WoSign is referring to other companies operating CAs. Perhaps
> > WoSign can clarify what those companies are and the nature of such
> > blockade.
> >
> > WoSign also stated that "WoSign agrees that this is a violation of the BRs
> > (only three US NIST P-256, P-384, or P-521 curves can be used for elliptic
> > curve keys in certs), but being a Chinese licensed CA, we must abide by
> > local laws and regulations, we must actively cooperate with domestic
> > browsers to test the SSL certificate using SM2 algorithm issued by a global
> > trusted root in the real Internet, not intranet.
> >
> > WoSign, as a member of CAB Forum, will spare no effort to continue to
> > promote China encryption algorithm SM2 to become the international standard
> > allowed algorithm."
> >
> >
> > It seems that WoSign is committed to test certificates in a global trusted
> > root despite explicit warning of not doing so even now. I see no
> > Chinese law mandating the insurance of SM2 certificates or forbidding the
> > insurance of certificate with standard curves. It's unclear to me why
> > WoSign insisted on testing SM2 with publicly trusted root. If WoSign is
> > claiming Chinese law mandate such testing/deployment, please refer to such
> > laws here and perhaps the community can take the local law into account. If
> > however no such law exists, as far as I know, such commitment to BR
> > violation is not acceptable.
> >
> > On Friday, September 23, 2016, Percy <[email protected]> wrote:
> >
> > > Richard,
> > > On behalf of most Chinese Internet users who do not speak English, I'm
> > > asking why WoSign is only making the final statement available in Chinese,
> > > but not the incident report. WoSign doesn't even have any statement,
> > > announcement or press release in Chinese regarding any of the incidents
> > > (except this final statement) anywhere.
> > >
> > > As WoSign is the largest CA in China, it must be responsible to Chinese
> > > users. I'm requesting WoSign to make the incident report available in
> > > Chinese and available on the WoSign's Chinese site. I believe an
> > > announcement on the official Chinese site with the link to the incident
> > > report is also warranted.
> > >
> > > On Thursday, September 22, 2016, Richard Wang <[email protected]> wrote:
> > >
> > > > Hi Gerv,
> > > >
> > > > This is the final statement about the incident:
> > > > https://www.wosign.com/report/WoSign_final_statement_09232016.pdf (in
> > > > English)
> > > >
> > > > https://www.wosign.com/report/WoSign_final_statement_CN_09232016.pdf
> > > > (Chinese version) (In Chinese, this is easy for Chinese users.)
> > > >
> > > > I think this is the supplement of the two released reports.
> > > >
> > > > Please let me know if you have any questions about this statement, thanks.
> > > >
> > > >
> > > > Best Regards,
> > > >
> > > > Richard Wang
> > > > CEO
> > > > WoSign CA Limited
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: dev-security-policy [mailto:dev-security-policy-bounces+richard [email protected]] On Behalf Of
> > > > Richard Wang
> > > > Sent: Friday, September 16, 2016 6:05 PM
> > > > To: Gervase Markham <[email protected]>
> > > > Cc: [email protected]
> > > > Subject: RE: Incidents involving the CA WoSign
> > > >
> > > > Hi Gerv,
> > > >
> > > > This is the final report:
> > > > https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
> > > >
> > > > Please let me know if you have any questions about the report, thanks.
> > > >
> > > >
> > > > Best Regards,
> > > >
> > > > Richard Wang
> > > > CEO
> > > > WoSign CA Limited
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Gervase Markham
> > > > Sent: Wednesday, September 7, 2016 7:00 PM
> > > > To: Richard Wang; [email protected]
> > > > Subject: Re: Incidents involving the CA WoSign
> > > >
> > > > Hi Richard,
> > > >
> > > > On 07/09/16 11:06, Richard Wang wrote:
> > > > > This discuss has been lasting two weeks, I think it is time to end it,
> > > > > it doesn’t worth to waste everybody’s precious time.
> > > >
> > > > Unfortunately, I think we may be only beginning.
> > > >
> > > > I have prepared a list of the issues we are tracking with WoSign's
> > > > certificate issuance process and business:
> > > >
> > > > https://wiki.mozilla.org/CA:WoSign_Issues
> > > >
> > > > Please can you provide a response to issues F, P, S and T at your
> > > > earliest convenience?
> > > >
> > > > In addition, if you have further things to say about issues D, H, J, L,
> > > > N or V we would be happy to hear them.
> > > >
> > > > Thank you for your suggestions, but once Mozilla has a full
> > > > understanding of what has gone on we will be in a better position to
> > > > decide what next actions are appropriate.
> > > >
> > > > With best wishes,
> > > >
> > > > Gerv
> > > > _______________________________________________
> > > > dev-security-policy mailing list
> > > > [email protected]
> > > > https://lists.mozilla.org/listinfo/dev-security-policy
> > > >
> > >
> > >
> > > --
> > >
> >
> >
> > --
>
> http://www.oscca.gov.cn/Column/Column_32.htm

If anybody wants an English version of the laws & regulations, Percy and I may help.

