On Friday, April 28, 2017 at 1:19:01 AM UTC-7, Richard Wang wrote:
> Hi Ryan,
> For your question “Do you believe that, during the discussions about how to 
> respond to WoSign's issues, the scope of impact was underestimated?”, the 
> answer is YES.
> After Oct 21 2016, WoSign stopped to issue SSL certificates from WoSign root 
> (to be exactly, maybe few in October, but all replaced), we know our 
> customers don’t accept the problem of interoperability and compatibility 
> failures, so we cooperated with other Trusted CAs to sell their certificates 
> to our customers since Nov 21 2016, to replace the affected SSL certificates 
> and code signing certificates for our charged customers for FREE, to renew 
> and order certificates for current customers and new customers to keep our 
> business continuity till we have our own new trusted roots.
> WoSign appreciated Mozilla’s decision: trust the certificates that issued 
> before Oct 20 2016, and similarly rule for Apple and Microsoft, and we also 
> promised to our customers for this, this decision don’t bring any troubles to 
> our issued certificate customers, very good.

This is not what you said. You said "Mozilla’s sanctions are too severe" 
> But Google start to distrust WoSign certificates unless the site is in the 
> Alexa Top 1M site list since Chrome 57, this bring many problems to us and to 
> our customers, to provide best service to our customers, we provide FREE 
> replacement for our charged customers that we must pay the cost to the 
> Partner (Trusted CA). Till now, we replaced 596 certificates for our 
> customers for free, and there are 97 orders ask for refund instead of 
> replacement. This Google decision’s problem is some big websites used a 
> domain that not listed in Alexa 1M suffered disruption, for example, Qihoo 
> 360’s search site and online gaming sites used a domain in CDN for pictures 
> that not listed in Top 1M, there are more than 500M users suffered the 
> untrusted warning and 360 need to replace the certificates for thousands of 
> servers.
> The problem also come from the WoSign Root CA pinned for some payment gateway 
> from online payment service providers and from some online banking APPs, even 
> we replaced the certificate for them for free, they need to update the 
> gateway/API software to accept the new trusted root, and need to update the 
> bank APP to recognize the new certificate and new root, this is terrible that 
> all those customers curse us and very angry.

Since all the certs are supposedly included in the cert transparency already, 
would you able to share what apps pinned your certs with the certs?  Of only a 
handful of banking related apps included in the apps, I haven't seen any 
failure because of pinning. In fact, why would the Chrome distrust cause the 
failure in pinning in the app? 
> For affected 2417 Code Signing certificates, there are many customers signed 
> the code, but distrusted by Microsoft that customers ask for full refund and 
> need to buy the new code signing cert from other CA that need to sign the 
> software again that installed in billions system, this is also a disaster to 
> customers and its software users.

Could you point to a Microsoft announcement that points to removal of WoSign 
certs? In fact, Microsoft explicitly said WoSign/StartCom is trusted. 
 (as of March 9, 2017)

> We can’t image the result in the future for “In subsequent Chrome releases, 
> these exceptions will be reduced and ultimately removed, culminating in the 
> full distrust of WoSign”, this means all WoSign issued SSL certificates in 
> the last three years need to be replaced, including the 2845 valid 
> certificates for Microsoft Azure and Office 365 that Microsoft Sumedh said 
> “any outage of an Azure service that lasts more than a few minutes gets 
> escalated to our executives.”
> The total valid SSL certificates is 173,886, and the charged valid 
> certificates is 10,368 that we need to pay money to other CA for free 
> replacement (if US$100 per certificate, the total cost is over US$ One 
> Million!), I think this is not only money problem, but it also will bring 
> huge work to us and to our customers to replace the certificate. This is the 
> next BIG disaster if Chrome distrust all WoSign certificates that issued 
> before Oct. 20 2016.
> So, I wish Google can reconsider the plan that change to distrust all WoSign 
> issued free SSL certificates, but keep to trust the charged one (DV SSL/IV 
> SSL/OV SSL/EV SSL) that don’t have any mis-issuance problem, those charged 
> certificates is used for many big eCommerce websites, many government 
> websites, many bank systems, many securities systems, many cloud service 
> providers like Azure that used by the world biggest companies. Thanks.
> So, this is why I said some words for Symantec to let browsers to consider 
> the distrust result seriously. The Web Ecosystem players not just browsers, 
> but also the CAs, and also the website owners (certificate subscribers), we 
> all have the responsibility for the global Internet security, but we need to 
> balance all related party’s benefit and negotiate an acceptable solution for 
> any problem that happened.
> Thanks.
> Best Regards,
> Richard
dev-security-policy mailing list

Reply via email to