I think you found the source: 
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

Please note this email topic is just for releasing the news that WoSign new 
system passed the security audit, just for demonstration that we finished item 
5:
 " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
issuing infrastructure has been successfully completed. "
" [3] The auditor must be an external company, and approved by Mozilla. "

NOT for the new root inclusion application.


Best Regards,

Richard

-----Original Message-----
From: dev-security-policy 
[mailto:[email protected]] On 
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 2:39 PM
To: [email protected]
Subject: Re: WoSign new system passed Cure 53 system security audit

On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
>  " 5. Provide auditor[3] attestation that a full security audit of the CA’s 
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "

What is the source?

According to this thread [1]:
"1. Provide a list of changes that the CA plans to implement to ensure that 
there are no future violations of Mozilla Policy and the Baseline Requirements."

One of these changes is to remove the person responsible for:
1. Releasing unsecured and not fully tested software that allowed issuing 
certificates for Github without proper checks.
2. Back-dating SHA1 certificates.
3. Secretly purchasing another CA without disclosing it to Mozilla.
4. Actively lying and misleading about 2 and 3.

To my understanding, from reading the "Remediation Plan", one of the 
requirements made for WoSign by itself/parent company, is to remove the person 
responsible for most of the issues that caused them to lose the trust bit.

I'm not in *any* position to tell who shall manage the daily operations of 
WoSign, but it gives a strong indication that nothing had really changed.

Links:
1. 
https://groups.google.com/d/msg/mozilla.dev.security.policy/BV5XyFJLnQM/_DwiB1PDGQAJ
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy