Richard,

Your conduct is totally unacceptable and won’t be tolerated. You must read the forum rules regarding etiquette.
Also I suggest you apologise to Ryan.

James

On Thu, 27 Sep 2018 at 10:33, Rob Stradling via dev-security-policy <[email protected]> wrote:

> Richard,
>
> You might like to familiarize yourself with the Mozilla Forum Etiquette
> Ground Rules:
> https://www.mozilla.org/en-US/about/forums/etiquette/
>
> Note this in particular:
> "Be civil.
> No personal attacks. Do not feel compelled to defend your honor in
> public. Posts containing personal attacks may be removed from the news
> server."
>
> On 27/09/2018 07:59, Richard Wang via dev-security-policy wrote:
> > Sorry, I don't agree with this point. Ryan Sleevi is the Mozilla Module
> > Peer that gave too many pressures to the M.D.S.P community to misleading
> > the Community and to let Mozilla make the decision that Google want.
> >
> > There are two facts to support my opinion:
> >
> > (1) For StartCom sanction, Mozilla agreed in Oct 2nd 2016 London meeting
> > that if we separate StartCom completely from WoSign, then Mozilla don't
> > sanction StartCom that still trust StartCom root. But Google as peer of
> > Mozilla Module don't agree this, and Ryan even found many very very old
> > problems of StartCom to be a "fact" that must be distrusted. Google
> > changed the Mozilla decision!
> >
> > (2) For Symantec sanction, everyone can see the argues in M.D.S.P
> > discussion from Ryan Sleevi that Google changed the Mozilla initial
> > decision, this also is the fact.
> >
> > So, we can see Ryan not just a Mozilla Module Peer, he represents Google
> > browser that affect Mozilla to make the right decision.
> >
> > Ryan, don't feel too good about yourself. Peoples patiently look at your
> > long emails at M.D.S.P and listen to your bala bala speaking at the CABF
> > meeting, this is because you represent Google Chrome, and Google Chrome
> > seriously affects Mozilla that have the power to kill any CAs. If you
> > leave Google, you will be nothing, no one will care about your existence,
> > and no one will care what you say. So, please don't declare that you
> > don't represent Google before you speak next time, nonsense!
> >
> > Your myopic has brought global Internet security to the ditch. Chrome
> > display "Secure" for a website just it has SSL(https). Many fake banking
> > websites and fake PayPal websites have Lets Encrypt certificates, and
> > Google Chrome say it is "Secure", this completely misleads global
> > Internet users, resulting in many users are deceived and lost property.
> > Encryption is not equal to secure. Secure means not only encryption, but
> > also need to tell user the website's true identity. Does a fake bank
> > website encryption mean anything? nothing and more worse.
> >
> > Ryan, don't think so highly of yourself. People patiently read your
> > lengthy posts on M.D.S.P and listen to you talk endlessly at the CABF
> > meeting because you represent Google Chrome, and Google Chrome heavily
> > influences Mozilla, which holds the power of life and death over all CAs.
> > If you leave Google, you will be nothing; no one will pay attention to
> > your existence, and no one will care what you say. So next time, don't
> > declare before speaking that you do not represent Google. Nonsense!
> >
> > Your short-sightedness has driven global Internet security into the
> > ditch, by treating a site as secure just because it has an SSL
> > certificate (https). Many fake banking websites and fake PayPal websites
> > have Lets Encrypt certificates, and Google Chrome shows them as secure,
> > which completely misleads Internet users worldwide and causes many users
> > to be deceived and to lose property. Encrypted does not equal secure.
> > Secure means not only that encryption is needed, but also that the user
> > needs to be told the website's true identity. Does encryption on a fake
> > bank website mean anything? No, and it is worse.
> >
> >
> > Best Regards,
> >
> > Richard Wang
> >
> > -------- Original Message --------
> > From: Ryan Sleevi via dev-security-policy
> > Received: Thursday, 27 September 2018 00:53
> > To: Jeremy Rowley
> > Cc: Ryan Sleevi ; mozilla-dev-security-policy
> > Subject: Re: Google Trust Services Root Inclusion Request
> >
> >
> > On Wed, Sep 26, 2018 at 12:04 PM Jeremy Rowley <[email protected]>
> > wrote:
> >
> >> I should also emphasize that I’m speaking as Jeremy Rowley, not as
> >> DigiCert.
> >>
> >> Note that I didn’t say Google controlled the policy. However, as a
> >> module peer, Google does have significant influence over the policy and
> >> what CAs are trusted by Mozilla. Although everyone can participate in
> >> Mozilla discussions publicly, it’s a fallacy to state that a general
> >> participant has similar sway or authority to a module peer. That’s the
> >> whole point of having a separate class for peers compared to us general
> >> public. With Google acting as a CA and module peer, you now have one CA
> >> heavily influencing who its competitors are, how its competitors
> >> operate, and what its competitors can do. Although I personally find
> >> that you never misuse your power as a module peer, I can see how Jake
> >> has concerns that Google (as a CA) has very heavy influence over the
> >> platform that has historically been the CA watchdog (Mozilla).
> >>
> >
> > Jeremy, I think this again deserves calling out, because this is
> > misrepresenting what module peership does, as well as the CA
> > relationship.
> >
> > I linked you to the definition of Module Ownership, which highlights and
> > emphasizes that the module peer is simply a recognized helper. To the
> > extent there is any influence, it is through the public discussions here.
> > If your concern is that the title confers some special advantage, that's
> > to misread what module peer is. If your concern is that the
> > participation - which provides solid technical arguments as well as the
> > policy alternatives - is influential, then what you're arguing against is
> > public participation.
> >
> > You're presenting these as factual, and that's misleading, so I'd like to
> > highlight what is actually entailed.
> >
> >
> >> The circumstances are different between the scenarios you describe with
> >> respect to the other browsers, as is market share. If Microsoft wants
> >> to change CAs (and they already use multiple), they can without
> >> impacting public perception. If Apple wants to use another CA, they can
> >> without people commenting how odd it is that Apple doesn’t use the Apple
> >> CA. With Google controlling the CA and the Google browser, all
> >> incentive to eliminate any misbehaving Google CA disappears for
> >> financial reasons, public perception, and because Google can control the
> >> messaging (through marketshare and influence over Mozilla policy). Note
> >> that there is historical precedent for Google treating Google special –
> >> i.e. the exclusion for Google in the Symantec distrust plan. Thus, I
> >> think Jake’s concerns should not be discarded so readily.
> >>
> >
> > I can understand and appreciate why you have this perspective. I disagree
> > that it's an accurate representation, and as shown by the previous
> > message, it does not have factual basis. I think it's misleading to
> > suggest that the concerns are being discarded, much like yours - they're
> > being responded to with supporting evidence and careful analysis.
> > However, they do not hold water, and while it would be ideal to convince
> > you of this as well, it's equally important to be transparent about it.
> >
> > Your argument above seems to boil down to "People would notice if Google
> > changed CAs, but not if Microsoft" - yet that's not supported (see, for
> > example, the usage of Let's Encrypt by Google, or the former usage of
> > WoSign by Microsoft). Your argument about incentives entirely ignores the
> > incentives I just described to you previously - which look at public
> > perception, internet security, and ecosystem stability. Your argument
> > about influence over Mozilla policy has already been demonstrated as
> > false and misleading, but it seems you won't be convinced by that. And
> > your suggestion of special treatment ignores the facts of the situation
> > (the validation issues, the scoping of audits, that Apple and 2 other CAs
> > were also included in the exclusion), ignores the more significant
> > special treatment granted by other vendors (e.g. Apple's exclusion of a
> > host of mismanaged Symantec sub-CAs now under DigiCert's operational
> > control), the past precedent (e.g. the gradual distrust of
> > WoSign/StartCom through whitelists, of CNNIC through whitelists), and the
> > public discussion involved so entirely that it's entirely unfounded.
> >
> > So I think your continued suggestion that it's being discarded so readily
> > is, again, misleading and inaccurate.
> > _______________________________________________
> > dev-security-policy mailing list
> > [email protected]
> > https://lists.mozilla.org/listinfo/dev-security-policy
> >
>
> --
> Rob Stradling
> Senior Research & Development Scientist
> Email: [email protected]
> Bradford, UK
> Office: +441274730505
> ComodoCA.com

