> I’m not sure what I could reasonably require (and enforce) of the CA in
> regards to communicating with their customers.
> I recall that my security blog about CNNIC got censored in China, so I'm not
> sure what Mozilla can do about informing the CA's customers of this pending
Because 360 safe browser is the most dominant browser in China. Qihoo, the
parent company of WoSign/StartCom produced this browser. I assume Qihoo's
browser will not take any action against its own CAs.
So if Mozilla or other parties are not mandating that WoSign/StartCom disclose such
incidents to its users, but WoSign is portraying WoSign to be this fast-growing
company with a great security record (as WoSign's latest press release did),
users of WoSign will not be able to know about the distrust, even some time
after the grace period ends (1 year or 2 years from now). Web owners will only
find out after the grace period, when they somehow access the site with a
non-360 safe browser.
Indeed, your announcement about CNNIC was censored in China. In fact, I
monitored and broke this news. However, WoSign is not a government agency and
the announcement shouldn't be censored. I suggest Mozilla at least publish a
blog post in Chinese about this, but preferably mandating WoSign/StartCom to
publish on its official sites to inform users about its bad security practices.
dev-security-policy mailing list