As noted by Richard Wang, WoSign have just published an updated Incident
Report:
https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf

I think we are now in a position to discuss whether the plan proposed here:
https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
is still appropriate for WoSign.

Because it contains repeated or lightly-updated information about all of
the issues on the issues list, the updated Incident Report rather
"buries the lede" (hides the important news). Therefore I felt it might
be worth highlighting some of the things within it:

* WoSign admits that it has issued 64 back-dated SHA-1 certificates. The
cause was a mixture of intentional issuance using a created pathway, and
bugs which triggered that pathway by mistake.

* This includes admitting the misissuance of the certificates for
tyro.com by StartCom, which were the subject of Mozilla's most recent
investigation; this issuance was approved by Richard Wang.

* WoSign agrees it should have been more forthcoming about its purchase
of StartCom, and announced it earlier.

* WoSign and StartCom are to be legally separated, with the corporate
structure changed such that Qihoo 360 owns them both individually,
rather than WoSign owning StartCom.

* There will be personnel changes:

  - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer
    of Qihoo 360).
  - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom
    Europe).
  - Richard Wang will be relieved of his duties as CEO of WoSign and
    other responsibilities. It is not decided who will replace him.

* StartCom will soon provide a plan on how they will separate their
operations and technology from that of WoSign.

* In the light of these changes, Qihoo 360 request that WoSign and
StartCom be considered separately.

Mozilla is minded to agree that it is reasonable to at least consider
the two companies separately, although that does not preclude the
possibility that we might decide to take the same action for both of
them. Accordingly, Mozilla continues to await the full remediation plan
from StartCom so as to have a full picture. However, I think we can work
towards a conclusion for WoSign now.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy