On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote:

> Hi Ryan,
>
> For your question "Do you believe that, during the discussions about how to respond to WoSign's issues, the scope of impact was underestimated?", the answer is YES.
>
> After Oct 21 2016, WoSign stopped issuing SSL certificates from the WoSign root (to be exact, maybe a few in October, but all replaced). We know our customers don't accept the problem of interoperability and compatibility failures, so we cooperated with other Trusted CAs to sell their certificates to our customers since Nov 21 2016: to replace the affected SSL certificates and code signing certificates for our charged customers for FREE, and to renew and order certificates for current customers and new customers to keep our business continuity till we have our own new trusted roots.
>
> WoSign appreciated Mozilla's decision to trust the certificates that were issued before Oct 20 2016, and the similar rule for Apple and Microsoft, and we also promised this to our customers. This decision doesn't bring any trouble to our issued-certificate customers, very good.

This is not what you said. You said "Mozilla's sanctions are too severe" - https://www.wosign.com/english/News/announcement_about_Mozilla_Action_20161024.htm

> But Google started to distrust WoSign certificates unless the site is in the Alexa Top 1M site list since Chrome 57; this brings many problems to us and to our customers. To provide the best service to our customers, we provide FREE replacement for our charged customers, for which we must pay the cost to the Partner (Trusted CA). Till now, we have replaced 596 certificates for our customers for free, and there are 97 orders asking for a refund instead of replacement. The problem with this Google decision is that some big websites used a domain not listed in the Alexa 1M and suffered disruption; for example, Qihoo 360's search site and online gaming sites used a domain in a CDN for pictures that is not listed in the Top 1M, so more than 500M users suffered the untrusted warning and 360 needed to replace the certificates for thousands of servers.
>
> The problem also comes from the WoSign Root CA being pinned for some payment gateways from online payment service providers and from some online banking APPs. Even though we replaced the certificate for them for free, they need to update the gateway/API software to accept the new trusted root, and need to update the bank APP to recognize the new certificate and new root. This is terrible; all those customers curse us and are very angry.

Since all the certs are supposedly included in the cert transparency already, would you be able to share what apps pinned your certs, with the certs? Of only a handful of banking-related apps included in the apps, I haven't seen any failure because of pinning. In fact, why would the Chrome distrust cause the failure in pinning in the app?

> For the affected 2417 Code Signing certificates, there are many customers who signed the code but were distrusted by Microsoft; those customers ask for a full refund and need to buy a new code signing cert from another CA, and need to sign again the software that is installed on billions of systems. This is also a disaster to customers and their software users.

Could you point to a Microsoft announcement that points to removal of WoSign certs? In fact, Microsoft explicitly said WoSign/StartCom is trusted. https://social.technet.microsoft.com/wiki/contents/articles/37425.microsoft-trusted-root-certificate-program-participants-as-of-march-9-2017.aspx (as of March 9, 2017)

> We can't imagine the future result of "In subsequent Chrome releases, these exceptions will be reduced and ultimately removed, culminating in the full distrust of WoSign". This means all WoSign-issued SSL certificates in the last three years need to be replaced, including the 2845 valid certificates for Microsoft Azure and Office 365, about which Microsoft's Sumedh said "any outage of an Azure service that lasts more than a few minutes gets escalated to our executives."
>
> The total number of valid SSL certificates is 173,886, and the number of charged valid certificates is 10,368, for which we need to pay money to another CA for free replacement (if US$100 per certificate, the total cost is over US$ One Million!). I think this is not only a money problem; it also will bring huge work to us and to our customers to replace the certificates. This is the next BIG disaster if Chrome distrusts all WoSign certificates that were issued before Oct. 20 2016.
>
> So, I wish Google can reconsider the plan and change it to distrust all WoSign-issued free SSL certificates but keep trusting the charged ones (DV SSL/IV SSL/OV SSL/EV SSL) that don't have any mis-issuance problem. Those charged certificates are used for many big eCommerce websites, many government websites, many bank systems, many securities systems, and many cloud service providers like Azure that are used by the world's biggest companies. Thanks.
>
> So, this is why I said some words for Symantec, to let browsers consider the distrust result seriously. The Web Ecosystem players are not just browsers, but also the CAs, and also the website owners (certificate subscribers). We all have the responsibility for global Internet security, but we need to balance all related parties' benefit and negotiate an acceptable solution for any problem that happened.
>
> Thanks.
>
> Best Regards,
>
> Richard

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy