Hi Ryan,

For your question “Do you believe that, during the discussions about how to respond to WoSign's issues, the scope of impact was underestimated?”, the answer is YES. After Oct 21 2016, WoSign stopped issuing SSL certificates from the WoSign root (to be exact, maybe a few in October, but all replaced). We knew our customers would not accept the problem of interoperability and compatibility failures, so we have cooperated with other trusted CAs to sell their certificates to our customers since Nov 21 2016: to replace the affected SSL certificates and code signing certificates for our paying customers for FREE, and to renew and order certificates for current customers and new customers to keep our business continuity until we have our own new trusted roots. WoSign appreciated Mozilla's decision to trust the certificates issued before Oct 20 2016, and the similar rule from Apple and Microsoft, and we also promised this to our customers; this decision doesn't bring any trouble to the customers of our issued certificates, very good. But Google started to distrust WoSign certificates since Chrome 57 unless the site is in the Alexa Top 1M site list, and this brings many problems to us and to our customers. To provide the best service to our customers, we provide FREE replacement for our paying customers, for which we must pay the cost to the partner (trusted CA). So far, we have replaced 596 certificates for our customers for free, and there are 97 orders asking for a refund instead of replacement. The problem with this Google decision is that some big websites using a domain not listed in the Alexa 1M suffered disruption; for example, Qihoo 360's search site and online gaming sites used a CDN domain for pictures that is not listed in the Top 1M, so more than 500M users suffered the untrusted warning and 360 needed to replace the certificates on thousands of servers.

The problem also comes from the WoSign Root CA being pinned by some payment gateways of online payment service providers and by some online banking apps: even though we replaced the certificates for them for free, they need to update the gateway/API software to accept the new trusted root, and need to update the bank app to recognize the new certificate and new root. This is terrible; all those customers curse us and are very angry. For the 2417 affected Code Signing certificates, many customers had signed their code, but it is distrusted by Microsoft, so customers ask for a full refund and need to buy a new code signing cert from another CA and sign again the software that is installed on billions of systems. This is also a disaster for customers and their software users. We can't imagine the future result of “In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of WoSign”: this means all WoSign-issued SSL certificates from the last three years need to be replaced, including the 2845 valid certificates for Microsoft Azure and Office 365, about which Sumedh of Microsoft said “any outage of an Azure service that lasts more than a few minutes gets escalated to our executives.” The total number of valid SSL certificates is 173,886, and the number of valid paid certificates is 10,368, for which we need to pay money to another CA for free replacement (at US$100 per certificate, the total cost is over US$ One Million!). I think this is not only a money problem; it will also bring huge work to us and to our customers to replace the certificates. This is the next BIG disaster if Chrome distrusts all WoSign certificates that were issued before Oct. 20 2016.

So, I wish Google could reconsider the plan and change it to distrust all WoSign-issued free SSL certificates, but keep trusting the paid ones (DV SSL/IV SSL/OV SSL/EV SSL) that don't have any mis-issuance problem. Those paid certificates are used by many big eCommerce websites, many government websites, many bank systems, many securities systems, and many cloud service providers like Azure that are used by the world's biggest companies. Thanks.

So, this is why I said some words for Symantec, to let browsers consider the result of distrust seriously. The Web Ecosystem players are not just browsers, but also the CAs, and also the website owners (certificate subscribers); we all have responsibility for global Internet security, but we need to balance all related parties' benefits and negotiate an acceptable solution for any problem that has happened.

Thanks.

Best Regards,
Richard

From: Ryan Sleevi [mailto:r...@sleevi.com]
Sent: Thursday, April 27, 2017 8:38 PM
To: Richard Wang <rich...@wosign.com>
Cc: Steve Medin <steve_me...@symantec.com>; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Symantec Conclusions and Next Steps

Hi Richard,

On Thu, Apr 27, 2017 at 6:13 AM, Richard Wang via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I would like to share the experience we suffered from distrust. It is disastrous for a CA and its customers to replace the certificates, beyond your imagination; we are still working on this since October 2016, nearly six months now.

Yes, when an organization demonstrates its willingness to be operated in a non-trustworthy manner, knowingly and with actively deceptive processes, it can be very difficult for them to regain trust.

> Since the number of Symantec customers is greater than WoSign's and most companies are bigger than WoSign's customers, I am sure that the interoperability and compatibility failures could bring big problems to Symantec, to Symantec customers, and to browser users.

Do you believe that, during the discussions about how to respond to WoSign's issues, the scope of impact was underestimated? If so, can you share how? That might be a more productive and fruitful contribution, if people trust the response.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy