> I'm not sure what I could reasonably require (and enforce) of the CA in 
> regard to communicating with their customers. 

> I recall that my security blog about CNNIC got censored in China, so I'm not 
> sure what Mozilla can do about informing the CA's customers of this pending 
> change/impact. 

Because 360 Safe Browser is the most dominant browser in China, and Qihoo, the 
parent company of WoSign/StartCom, produced this browser, I assume Qihoo's 
browser will not take any action against its own CAs. 

So if Mozilla or other parties do not mandate that WoSign/StartCom disclose such 
incidents to its users, while WoSign portrays itself as a fast-growing 
company with a great security record (as WoSign's latest press release did), 
users of WoSign will not be able to know about the distrust, even some time 
after the grace period ends (1 year or 2 years from now). Web owners will only 
find out after the grace period, when they somehow access the site with a 
non-360 Safe Browser. 

Indeed, your announcement about CNNIC was censored in China. In fact, I 
monitored and broke this news. However, WoSign is not a government agency and 
the announcement shouldn't be censored. I suggest Mozilla at least publish a 
blog post in Chinese about this, but preferably mandate WoSign/StartCom to 
publish on its official sites to inform users about its bad security practices.

dev-security-policy mailing list