On Friday, 14 July 2017 04:44:39 UTC+2, Richard Wang wrote:
> Hi Peter,
>
> Thanks for your guesses.
> Buy no those issues in our system.
>
>
> Best Regards,
>
> Richard
That's what you say. But you've lied before. :-( So sorry, but that won't go
anywhere near regaining trust. You'll have to
Subject: Re: WoSign new system passed Cure 53 system security audit
Richard,
I can only guess what Ryan is talking about as the report wasn't sent to this
group, but it is possible that the system described could not meet the Baseline
Requirements, as the BRs do require certain system designs.
Richard,
I can only guess what Ryan is talking about as the report wasn't sent
to this group, but it is possible that the system described could not
meet the Baseline Requirements, as the BRs do require certain system
designs. For example, two requirements are:
"Require that each individual in a
Hi Ryan,
Thanks for your detail info.
But I still CAN NOT understand why you say and confirm that the new system
cannot and does not comply with BR before we start to use it.
We will do the BR audit soon.
Best Regards,
Richard
On 14 Jul 2017, at 00:50, Ryan Sleevi mailto:r...@sleevi.com>>
w
In the description of the remediation of the vulnerabilities, aspects of
the design are shared, particularly in discussing remediation. These
aspects reveal design decisions that do not comply with the BRs, and are
significant enough to require re-design.
I agree that this can be difficult to inde
rd
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Percy via dev-security-policy
> Sent: Monday, July 10, 2017 12:41 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>
> You will fail #4. Because your system, as designed, cannot and does not
> comply with the Baseline Requirements.
Is there a design outline in the security audit as well? No one in the
community can judge either yours or WoSign's statement as this information is
not shared with us. I suggest e
You will fail #4. Because your system, as designed, cannot and does not
comply with the Baseline Requirements.
As such, you will then
(4.1) Update new system, developing new code and new integrations
(4.2) Engage the auditor to come back on side
(4.3) Hope you get it right this time
(4.4) Generate
Hi Ryan,
I really don't understand where the new system can't meet the BR, we don't use
the new system to issue one certificate, how it violate the BR?
Our step is:
(1) develop a new secure system in the new infrastructure, then do the new
system security audit, pass the security audit;
(2) eng
Richard,
That's great, but the system that passed the full security audit cannot
meet the BRs, you would have to change that system to meet the BRs, and
then that new system would no longer be what was audited.
I would encourage you to address the items in the order that Mozilla posed
them - such
On 13/07/17 04:43, Matt Palmer wrote:
> Who should we contact at Cure 53? Or should we just use the "business
> enquiries" contact address on their website?
I doubt Cure53 would be able to tell you anything more than what has
been said in the released summary document.
Gerv
_
On Thu, Jul 13, 2017 at 02:24:39AM +, Richard Wang via dev-security-policy
wrote:
> We got confirmation from Cure 53 that new system passed the full security
> audit. Please contact Cure 53 directly to verify this, thanks.
Who should we contact at Cure 53? Or should we just use the "busines
Hi Ryan,
We got confirmation from Cure 53 that new system passed the full security
audit. Please contact Cure 53 directly to verify this, thanks.
We don't start the BR audit now.
Best Regards,
Richard
On 12 Jul 2017, at 22:09, Ryan Sleevi mailto:r...@sleevi.com>>
wrote:
On Tue, Jul 11, 20
On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang wrote:
> Hi all,
>
> Your reported BR issues is from StartCom, not WoSign, we don't use the new
> system to issue any certificate now since the new root is not generated.
> PLEASE DO NOT mix it, thanks.
>
> Best Regards,
>
> Richard
>
No, the BR non-
Hi all,
Your reported BR issues is from StartCom, not WoSign, we don't use the new
system to issue any certificate now since the new root is not generated.
PLEASE DO NOT mix it, thanks.
Best Regards,
Richard
> On 11 Jul 2017, at 23:34, Ryan Sleevi via dev-security-policy
> wrote:
>
> On Tue
On Tue, Jul 11, 2017 at 12:09 PM, Percy via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote:
>
> > comply with the Baseline Requirements, nor, as designed, can it. The
> system
> > would need to undergo non-triv
On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote:
> comply with the Baseline Requirements, nor, as designed, can it. The system
> would need to undergo non-trivial effort to comply with the Baseline
> Requirements.
If the system needs significant changes to meet the BR, then does
On Tue, Jul 11, 2017 at 11:40 AM, Alex Gaynor wrote:
> Is this a correct summary:
>
> - The report included here is supposed to fulfill the network security
> test portion of the BRs
>
No. This is #5 from https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 ,
and relates to the overall security
Is this a correct summary:
- The report included here is supposed to fulfill the network security test
portion of the BRs
- This report does not attest to BR compliance (or non-compliance)
- To complete an application for the Mozilla Root Program, WoSign would be
required to additionally provide a
On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
dev-security-policy wrote:
>
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
> dev-security-policy wrote:
> >
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
> >>
> >> Please note this email topic is just for re
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote:
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy
> > wrote:
> >
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
> >>
> >> Please note this email topic is just for releasing th
> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy
> wrote:
>
> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
>>
>> Please note this email topic is just for releasing the news that WoSign new
>> system passed the security audit, just for demonstration
On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
>
> Please note this email topic is just for releasing the news that WoSign new
> system passed the security audit, just for demonstration that we finished
> item 5:
> " 5. Provide auditor[3] attestation that a full security audit of
-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 2:39 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
On Monday, July 10
On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
> " 5. Provide auditor[3] attestation that a full security audit of the CA’s
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "
What is the sourc
ists.mozilla.org] On
Behalf Of Percy via dev-security-policy
Sent: Monday, July 10, 2017 12:41 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
So it seems that Richard Wang still has the final executive decisions regardin
rom: Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, July 10, 2017 10:12 AM
> To: Richard Wang
> Cc: Itzhak Daniel ;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security audit
>
>
>
> So who acts as the CEO
Cc: Itzhak Daniel ;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
So who acts as the CEO for WoSign when final executive decisions need to be
made?
On Sun, Jul 9, 2017 at 9:41 PM, Richard Wang via dev-security-policy
gt; wosign@lists.mozilla.org] On Behalf Of Itzhak Daniel via
> dev-security-policy
> Sent: Monday, July 10, 2017 4:57 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security audit
>
> Mr. Wang is mentioned on the end of
urity-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 4:57 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
Mr. Wang is mentioned on the end o
Mr. Wang is mentioned on the end of the document, what is Richard Wang current
official responsibility of Mr. Wang at WoSign?
According to the incident report, release on October 2016 [1], Mr. Wang was
suppose to be relieved of his duties as CEO, this is mentioned in 3 separate
paragraphs (P.17
On Fri, Jul 07, 2017 at 06:12:58AM +, Danny 吴熠 via dev-security-policy
wrote:
> As per requirements, WoSign new issuing infrastructure has been completed
> and passed the Cure 53 white box security audit successfully in June 27.
> Cure53 is approved by Mozilla. The full audit report has been
Hi all,
This is Danny from WoSign.
As per requirements, WoSign new issuing infrastructure has been completed and
passed the Cure 53 white box security audit successfully in June 27. Cure53 is
approved by Mozilla. The full audit report has been sent to Mozilla and other
browsers. The Summar
33 matches
Mail list logo