Thanks for your advice.
As I said, we closed it completely in PKI side.
Best Regards,
Richard
-Original Message-
From: dev-security-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Percy
Sent: Tuesday, December 13, 2016 3:40 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: In September 29, 2016, WoSign stop issuing free certificate, but I
still successfully get it.
If you made a promise to close it "due to some security consideration", then
you don't have the right to just enable and disable it at will, or disable it
at one channel but not another channel, which ultimately has the same security
if WoSign is doing the validation.
On Sunday, December 11, 2016 at 12:27:46 AM UTC-8, Richard Wang wrote:
> As I said, we have the right to keep it or close it at any time.
>
>
> Best Regards,
>
> Richard
>
> > On 11 Dec 2016, at 12:47, Percy wrote:
> >
> >> On Saturday, December 10, 2016 at 8:29:29 PM UTC-8, Richard Wang wrote:
> >> Our promise is close the free SSL application in our own website:
> >> buy.wosign.com.
> >>
> >> And now we closed it in our PKI side.
> >>
> >>
> >> Best Regards,
> >>
> >> Richard
> >>
> On 9 Dec 2016, at 04:17, Gervase Markham wrote:
>
> On 05/12/16 13:41, Richard Wang wrote:
> We checked our system, this order is from one of the reseller. We
> have many resellers that used the API, we noticed all resellers
> to close the free SSL, but they need some time to update the system.
> >>>
> >>> More than two months?
> >>>
> >>> Has this reseller given a timeline by which they expect to have
> >>> ceased to use the API?
> >>>
> The
> most important thing is this certificate is issued by proper way
> that this subscriber finished the domain validation, so this is
> not a mis-issuance, not "deceiving".
> >>>
> >>> This is narrowly true, from a Mozilla perspective. Mozilla has not
> >>> required that WoSign stop issuing certificates. We have just said
> >>> that we no longer trust them. Of course, I don't know what
> >>> commitments WoSign has made to other root stores. And indeed,
> >>> no-one has suggested that this certificate is mis-issued from a domain
> >>> validation perspective.
> >>>
> >>> There is an issue relating to the difference between WoSign's
> >>> public statement on their website that they have ceased free SSL
> >>> issuance, and the reality that they have not. We expect CAs who
> >>> make public statements about their actions to abide by those statements.
> >>>
> >>> Gerv
> > Sorry. You just said there is no deadline? Which is it?
> >
> > -
> >
> > Sorry, we don't have deadline.
> > And no plan to close it in PKI side, we keep the right to active it at any
> > time, and we can issue this free SSL certificate for subscribers at any
> > time if customers need it.
> >
> > ___
> > dev-security-policy mailing list
> > dev-security-policy@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy