It is unfair that somebody attacked me in the WoSign sanction discussion, but no body say any word for this! Why? Due to Ryan is famous person and I am nobody?
Best Regards, Richard Wang On Sep 27, 2018, at 18:24, James Burton <j...@0.me.uk<mailto:j...@0.me.uk>> wrote: Richard, Your conduct is totally unacceptable and won’t be tolerated. You must read the forum rules regarding etiquette. Also I suggest you apologise to Ryan. James On Thu, 27 Sep 2018 at 10:33, Rob Stradling via dev-security-policy <dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org>> wrote: Richard, You might like to familiarize yourself with the Mozilla Forum Etiquette Ground Rules: https://www.mozilla.org/en-US/about/forums/etiquette/ Note this in particular: "Be civil. No personal attacks. Do not feel compelled to defend your honor in public. Posts containing personal attacks may be removed from the news server." On 27/09/2018 07:59, Richard Wang via dev-security-policy wrote: > Sorry, I don't agree with this point. Ryan Sleevi is the Mozilla Module Peer > that gave too many pressures to the M.D.S.P community to misleading the > Community and to let Mozilla make the decision that Google want. > > There are two facts to support my opinion: > > (1) For StartCom sanction, Mozilla agreed in Oct 2nd 2016 London meeting that > if we separate StartCom completely from WoSign, then Mozilla don't sanction > StartCom that still trust StartCom root. But Google as peer of Mozilla Module > don't agree this, and Ryan even found many very very old problems of StartCom > to be a "fact" that must be distrusted. Google changed the Mozilla decision! > > (2) For Symantec sanction, everyone can see the argues in M.D.S.P discussion > from Ryan Sleevi that Google changed the Mozilla initial decision, this also > is the fact. > > So, we can see Ryan not just a Mozilla Module Peer, he represents Google > browser that affect Mozilla to make the right decision. > > Ryan, don't feel too good about yourself. Peoples patiently look at your long > emails at M.D.S.P and listen to your bala bala speaking at the CABF meeting, > this is because you represent Google Chrome, and Google Chrome seriously > affects Mozilla that have the power to kill any CAs. If you leave Google, you > will be nothing, no one will care about your existence, and no one will care > what you say. So, please don't declare that you don't represent Google before > you speak next time, nonsense! > > Your myopic has brought global Internet security to the ditch. Chrome display > "Secure" for a website just it has SSL(https). Many fake banking websites and > fake PayPal websites have Lets Encrypt certificates, and Google Chrome say it > is "Secure", this completely misleads global Internet users, resulting in > many users are deceived and lost property. Encryption is not equal to secure. > Secure means not only encryption, but also need to tell user the website's > true identity. Does a fake bank website encryption mean anything? nothing and > more worse. > > Ryan, 别自我感觉太好,别人耐心看你在M.D.S.P的长篇大论和听你在CABF meeting上说过没完 > ,是因为你代表谷歌浏览器,而谷歌浏览器严重影响Mozilla对所有CA有生杀大权。如果你离开谷歌,你将什么也不是,没有人会理会你的存在,也没有人会在意你说的话。所以下次不要在发言之前就声明不代表谷歌,废话哦! > > 你的短视把全球互联网安全带到了沟里,认为有SSL证书(https)就安全,许多假冒银行网站、假冒PayPal 网站都有Lets > Encrypt证书,谷歌浏览器显示为安全,完全误导了全球互联网用户,导致许多用户上当受骗和财产损失。已加密并不等于安全,安全不仅意味着需要加密,而且还需要告知用户此网站的真实身份,一个假冒银行网站加密有任何意义吗?没有并且更糟糕。 > > > Best Regards, > > Richard Wang > > -------- Original Message -------- > From: Ryan Sleevi via dev-security-policy > Received: Thursday, 27 September 2018 00:53 > To: Jeremy Rowley > Cc: Ryan Sleevi ; mozilla-dev-security-policy > Subject: Re: Google Trust Services Root Inclusion Request > > > On Wed, Sep 26, 2018 at 12:04 PM Jeremy Rowley > <jeremy.row...@digicert.com<mailto:jeremy.row...@digicert.com>> > wrote: > >> I also should also emphasize that I’m speaking as Jeremy Rowley, not as >> DigiCert. >> >> >> >> Note that I didn’t say Google controlled the policy. However, as a module >> peer, Google does have significant influence over the policy and what CAs >> are trusted by Mozilla. Although everyone can participate in Mozilla >> discussions publicly, it’s a fallacy to state that a general participant >> has similar sway or authority to a module peer. That’s the whole point of >> having a separate class for peers compared to us general public. With >> Google acting as a CA and module peer, you now have one CA heavily >> influencing who its competitors are, how its competitors operate, and what >> its competitors can do. Although I personally find that you never misuse >> your power as a module peer, I can see how Jake has concerns that Google >> (as a CA) has very heavy influence over the platform that has historically >> been the CA watchdog (Mozilla). >> > > Jeremy, I think this again deserves calling out, because this is > misrepresenting what module peership does, as well as the CA relationship. > > I linked you to the definition of Module Ownership, which highlights and > emphasizes that the module peer is simply a recognized helper. To the > extent there is any influence, it is through the public discussions here. > If your concern is that the title confers some special advantage, that's to > misread what module peer is. If your concern is that the participation - > which provides solid technical arguments as well as the policy alternatives > - is influential, then what you're arguing against is public participation. > > You're presenting these as factual, and that's misleading, so I'd like to > highlight what is actually entailed. > > >> The circumstances are different between the scenarios you describe with >> respect to the other browsers, as is market share. If Microsoft wants to >> change CAs (and they already use multiple), they can without impacting >> public perception. If Apple wants to use another CA, they can without >> people commenting how odd it is that Apple doesn’t use the Apple CA. With >> Google controlling the CA and the Google browser, all incentive to >> eliminate any misbehaving Google CA disappears for financial reasons, >> public perception, and because Google can control the messaging (through >> marketshare and influence over Mozilla policy). Note that there is >> historical precedent for Google treating Google special �C i.e. the >> exclusion for Google in the Symantec distrust plan. Thus, I think Jake’s >> concerns should not be discarded so readily. >> > > I can understand and appreciate why you have this perspective. I disagree > that it's an accurate representation, and as shown by the previous message, > it does not have factual basis. I think it's misleading to suggest that the > concerns are being discarded, much like yours - they're being responded to > with supporting evidence and careful analysis. However, they do not hold > water, and while it would be ideal to convince you of this as well, it's > equally important to be transparent about it. > > Your argument above seems to boil down to "People would notice if Google > changed CAs, but not if Microsoft" - yet that's not supported (see, > example, the usage of Let's Encrypt by Google, or the former usage of > WoSign by Microsoft). Your argument about incentives entirely ignores the > incentives I just described to you previously - which look at public > perception, internet security, and ecosystem stability. Your argument about > influence over Mozilla policy has already been demonstrated as false and > misleading, but it seems you won't be convinced by that. And your > suggestion of special treatment ignores the facts of the situation (the > validation issues, the scoping of audits, that Apple and 2 other CAs were > also included in the exclusion), ignores the more significant special > treatment granted by other vendors (e.g. Apple's exclusion of a host of > mismanaged Symantec sub-CAs now under DigiCert's operational control), the > past precedent (e.g. the gradual distrust of WoSign/StartCom through > whitelists, of CNNIC through whitelists), and the public discussion > involved so entirely that it's entirely unfounded. > > So I think your continued suggestion that it's being discarded so readily > is, again, misleading and inaccurate. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> > https://lists.mozilla.org/listinfo/dev-security-policy > > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> > https://lists.mozilla.org/listinfo/dev-security-policy > -- Rob Stradling Senior Research & Development Scientist Email: r...@comodoca.com<mailto:r...@comodoca.com> Bradford, UK Office: +441274730505 ComodoCA.com<http://ComodoCA.com> This message and any files associated with it may contain legally privileged, confidential, or proprietary information. If you are not the intended recipient, you are not permitted to use, copy, or forward it, in whole or in part without the express consent of the sender. Please notify the sender by reply email, disregard the foregoing messages, and delete it immediately. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org<mailto:dev-security-policy@lists.mozilla.org> https://lists.mozilla.org/listinfo/dev-security-policy
_______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
