On Fri, Jul 07, 2017 at 06:12:58AM +0000, Danny 吴熠 via dev-security-policy wrote:
> As per requirements, WoSign new issuing infrastructure has been completed
> and passed the Cure 53 white box security audit successfully in June 27.
> Cure53 is approved by Mozilla. The full audit report has been sent to
> Mozilla and other browsers. The Summary Report for public is available
> here:
>
> https://www.wosign.com/Docdownload/WoSign%20system%20code%20security%20audit%20report%20summary%2020170627.pdf.

This report doesn't contain anything of value. It says "we found things, they were fixed". OK, but what *were* those things? How do they reflect the maturity of the WoSign SDLC processes? Do they indicate anything meaningful about the larger issues that caused WoSign to be distrusted? Without the full report being made public, I don't think any useful conclusions can be drawn from this audit.

- Matt