Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Matthew Hardeman via dev-security-policy
Hi,

I touched on my thoughts on this matter a bit before.

This is really about trust.

I think several factors must be weighed here:

1.  Is "trust" really required of a CA in a soon-to-be
post-mandatory-CT-log world?

If some level of trust is required, then:

2.  Can we say that the QiHoo 360 / WoSign / WoTrus / WoTrust / StartCom
family of corporate entities has any left?  And furthermore is trust in the
corporate entity chain even necessary if...

3.  Are individuals filling executive and executive operations positions
taking personal responsibility for key generation and management, stand up
of the infrastructure, day to day operation of the infrastructure?  And if
so, can those individuals represent that they're staking their personal
reputations on personally managing this infrastructure or in the
alternative guaranteeing to affirmatively notify the community that they
are stepping down and can no longer be responsible?

My take:  Businesses are assets.  Assets can be closely held or not.  In
many cases, the not closely held assets are traded around quite often,
often with little oversight.  I don't think we can make any assertions on
trust as to the ownership.  I do, however, believe that a company can be
operated in such a manner that key executives can be identified and
personal representations of those parties can be relied upon insofar as
consequences can be visited upon those individuals by the root
programs.

I do firmly support the spirit of this thread.  I think it would be
unethical of the community and of the Mozilla Root Program to dangle the
theoretical possibility of inclusion / reinclusion -- encouraging the
endeavor such that many external costs are taxed upon the prospect -- if
they have knowledge that there are likely to be problems in the final
approval in terms of community buy-in.  The downside, of course, is that
while this alternative pre-discussion allows for discussion of the nebulous
concept of "trust" and integrity, it actually denies the community those
matters which can be most objectively evaluated -- the CPS, the subscriber
agreements, certificate policy, auditor's opinions, etc.  (which makes
sense -- the development of these is pricey).

I suppose, in summation, I believe this conversation only matters if we're
really trying to have a discussion about trust and defining trust and
importance of trust and whether there is a way that this CA can be trusted.

Just my thoughts...

Matt Hardeman

On Wed, Nov 22, 2017 at 3:05 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.
>
> In the WoSign Action Items bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
> Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
> certificates[1] following Mozilla's normal root inclusion/change
> process[2] (minus waiting in the queue for the discussion), after they
> have completed all of the following action items, and no earlier than
> June 1, 2017."
>
> However, one step in the inclusion process is the public discussion, and
> we have some reason to believe that this may lead to significant
> objections being raised. It would not be reasonable to encourage WoSign
> to complete all the other steps in the process if there was little or no
> chance of them being approved in public discussion.
>
> So Kathleen and I thought it would be best to have a pre-discussion now,
> in order to make sure that expectations are set appropriately. If WoTrus
> had completed all the action items in the bug and arrived at the public
> discussion part of the application, what would people say? If you raise
> an objection, please say if there is any way at all that you think
> WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Ryan Sleevi via dev-security-policy
On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
>> Mozilla did not formally require this, but it is true that as far as we
>> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>
> I think assessing and discussing the viability of a return of WoSign
> would be a lot easier if we had at least a proposed draft master plan
> from WoSign, so we could discuss if that plan (if correctly and honestly
> implemented) would be sufficient.

Alternatively, and I think what Gerv was requesting, was what concerns
people would raise with respect to a reapplication, such that WoSign/WoTrus
could ensure sufficient consideration went into such plans.

Obviously, there will be concerns with implementation details, and finding
those out before WoTrus implements is a useful and viable task. But
similarly, by outlining the broader concerns, it might help inform.

For example, one theme that can be picked up on this thread is a concern
around the potential inconsistencies with respect to Richard Wang's role at
WoTrus. Given his direct and personal involvement in the misissuance
practices, one view might be that he's a fundamentally untrustworthy actor
who has repeatedly displayed behaviours that undermine community trust in
the organizations he is affiliated with. The statements about his
transition out of CEO, and his apparent resumption of those duties, might
underscore concerns about the management structure. It may be that a
solution is for a response similar to what Mozilla recently shared with
respect to DigiCert and Symantec, and a concern that any organization in
which Richard Wang has a decision making capacity may not be a trustworthy
organization.

Or it might be that some feel that is too strong, and look for technical
measures - such as no inclusion of WoTrus logs until Mozilla has the
technical capability to enforce Certificate Transparency on such
certificates, such that any risks can be expediently detected and trust
removed.

These are all concerns that would arise during a discussion phase - after
the stated requirements of Mozilla have been met, but due to potential
overwhelming community concern about any trust in a Richard Wang-affiliated
CA or an organization with a history as sordid as WoTrus/WoSign/WoTrust.

If we assume good faith of WoTrus, which may be overly generous given past
behaviour, then the goal of this discussion would be addressing the
concerns that would exist with _future_ trust, now that the past/present
trust has been addressed, such that systems can be designed and evaluated
to appropriately consider such feedback.


Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Jakob Bohm via dev-security-policy

On 22/11/2017 16:38, Gervase Markham wrote:
> On 22/11/17 10:54, Jakob Bohm wrote:
>> Some notes about previously discussed items:
>
> Mozilla is not suggesting that WoSign has completed all of the steps.
> The entire point is that we want to have this pre-discussion before they
> make the effort to do so.

This was mostly meant as a reminder of what had been discussed over the
past 13 months, but also as a question if I had somehow missed those
things being completed.

>> Although not listed in the Action plan in #1311824, it is noteworthy
>> that Richard Wang has apparently not been relieved of his other
>> responsibilities, only the CEO title.  Was this part of the old plan
>> officially dropped?
>
> Mozilla did not formally require this, but it is true that as far as we
> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.

I think assessing and discussing the viability of a return of WoSign
would be a lot easier if we had at least a proposed draft master plan
from WoSign, so we could discuss if that plan (if correctly and honestly
implemented) would be sufficient.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Re: Forbidden Practices: Subscriber key generation

2017-11-22 Thread Gervase Markham via dev-security-policy
On 14/11/17 21:53, Doug Beattie wrote:
> The question is, if we issue Code Signing certificates via P12 files
> in compliance with the Code Signing standard, are we out of
> compliance with the Mozilla policy?  How do you recommend we respond
> to this checklist question?

Mozilla does not have policies relating to code signing. We would
therefore expect CAs to arrange things such that their code signing
activities fall outside the scope of the Mozilla policy. The scope
statement is in policy section 1.1, and it seems to me that the easiest
technical way to achieve this is to do code signing activities under an
intermediate which is technically constrained so it cannot issue email
or server certs.

> And the same for S/MIME and SSL certificates.  If CAs generate and
> then securely distribute the keys to the subscribers using similar
> methods, is that permitted provided we implement similar security, or
> does that practice need to immediately stop?  Your guidance in this
> area would be appreciated.

For SSL, I would say it needs to immediately stop. Although see:
https://github.com/mozilla/pkipolicy/issues/107

For S/MIME, as you can see, the Problematic Practices page permits it.

> Side question: Is there a deadline when you expect to receive
> self-assessments from all CAs?  We've found that complying with the
> checklist means a major update to our CPS (among other things...),
> and I suspect most other CAs will also need a major update.

I believe Kathleen did put a date in the CA Communication. If you need
more time, contact certificates@mozilla dot org with your good reasons :-)

Gerv
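One way to check the property Gerv describes above, as an added example that is not part of the thread and not Mozilla's or any CA's own code: a POSIX shell script that uses openssl to build a constructed demo PKI (a root, a codeSigning-only intermediate and a serverAuth intermediate; all names are made up) and tests whether each certificate's EKU keeps it outside the TLS and S/MIME scope. The check also treats anyExtendedKeyUsage as unconstrained, as Mozilla's policy does.

```shell
# Added example (constructed demo PKI, not from the thread): build a
# code-signing-only intermediate with openssl and check its EKU.
set -e

# Returns 0 when the cert carries an EKU extension that includes none of
# serverAuth, emailProtection or anyExtendedKeyUsage; returns 1 otherwise.
is_technically_constrained() {
    eku=$(openssl x509 -in "$1" -noout -text \
          | grep -A1 'X509v3 Extended Key Usage' | tail -n 1)
    [ -n "$eku" ] || return 1    # no EKU at all: unconstrained, in scope
    case "$eku" in
        *"TLS Web Server Authentication"*|*"E-mail Protection"*|*"Any Extended Key Usage"*)
            return 1 ;;
    esac
    return 0
}

# Builds a self-signed root plus two intermediates in a temp dir and
# prints the dir.  Subjects and file names are constructed for the demo.
make_demo_pki() {
    dir=$(mktemp -d)
    cat > "$dir/ext.cnf" <<'EOF'
[codesign_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = codeSigning

[tls_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
extendedKeyUsage = serverAuth, clientAuth
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.crt" >/dev/null 2>&1
    for name in codesign tls; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo $name CA" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/root.crt" \
            -CAkey "$dir/root.key" -CAcreateserial -days 30 \
            -extfile "$dir/ext.cnf" -extensions "${name}_ca" \
            -out "$dir/$name.crt" >/dev/null 2>&1
    done
    echo "$dir"
}

DEMO=$(make_demo_pki)
for c in root codesign tls; do
    if is_technically_constrained "$DEMO/$c.crt"; then
        echo "$c.crt: technically constrained, outside TLS/S-MIME scope"
    else
        echo "$c.crt: not technically constrained, in scope"
    fi
done
```

The root (no EKU) and the serverAuth intermediate both come out as in scope; only the codeSigning-only intermediate passes.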


Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Gervase Markham via dev-security-policy
On 22/11/17 11:41, Tom wrote:
> https://www.wosign.com/english/about.htm has been updated with the new
> name, WoTrus, and currently says "Richard Wang, CEO"

Richard stated to me at one point (I can't remember whether in person or
by email) that at the time of speaking, he was no longer CEO, and they
were looking for a new one, but he was CXO, where the X was, I think, an
O, but might have been a T. So at one point, he did assert that he was
no longer CEO. It seems like, from the website, this has changed.

Gerv


Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Hanno Böck via dev-security-policy
FWIW my opinion:
I don't think there should be a lifetime or long term ban for people or
companies that have operated a bad CA in the past.

However I do believe that the way Wosign representatives on this list
acted in the past was often dishonest and highly problematic.
If Wosign continues to appear that way I don't see how they can
successfully be trusted again. Not because they are Wosign, but because
I wouldn't trust any other CA behaving that way.

If Wosign wants to be trusted they need to show a behavior where the
community feels questions are answered honestly and technical problems
are taken seriously.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


Re: Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Jakob Bohm via dev-security-policy

On 22/11/2017 10:05, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.
>
> In the WoSign Action Items bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
> Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
> certificates[1] following Mozilla's normal root inclusion/change
> process[2] (minus waiting in the queue for the discussion), after they
> have completed all of the following action items, and no earlier than
> June 1, 2017."
>
> However, one step in the inclusion process is the public discussion, and
> we have some reason to believe that this may lead to significant
> objections being raised. It would not be reasonable to encourage WoSign
> to complete all the other steps in the process if there was little or no
> chance of them being approved in public discussion.
>
> So Kathleen and I thought it would be best to have a pre-discussion now,
> in order to make sure that expectations are set appropriately. If WoTrus
> had completed all the action items in the bug and arrived at the public
> discussion part of the application, what would people say? If you raise
> an objection, please say if there is any way at all that you think
> WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv

Some notes about previously discussed items:

In bug #1311824 mentioned above, step 1 is for WoTrus to present a list
of changes to be implemented.  Has this been done yet?

Step 2 is for WoTrus to update their CP/CPS.  Has this been done yet?

Also in Bug #1311824, Richard Wang has posted a summary of a code audit
report, the full text of which was made available to the module owners of
the root program.  Was the report's content acceptable, or did it leave
open questions and outstanding issues?

On 07/10/2016 13:12, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan proposed
> here:
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
> is still appropriate for WoSign.
>
> ...
>
> * There will be personnel changes:
>
>   - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer
>     of Qihoo 360).
>   - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom
>     Europe).
>   - Richard Wang will be relieved of his duties as CEO of WoSign and
>     other responsibilities. It is not decided who will replace him.
>
> ...

Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title.  Was this part of the old plan
officially dropped?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded


Possible future re-application from WoSign (now WoTrus)

2017-11-22 Thread Gervase Markham via dev-security-policy
We understand that WoTrus (WoSign changed their name some months ago)
are working towards a re-application to join the Mozilla Root Program.
Richard Wang recently asked us to approve a particular auditor as being
suitable to audit their operations.

In the WoSign Action Items bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
certificates[1] following Mozilla's normal root inclusion/change
process[2] (minus waiting in the queue for the discussion), after they
have completed all of the following action items, and no earlier than
June 1, 2017."

However, one step in the inclusion process is the public discussion, and
we have some reason to believe that this may lead to significant
objections being raised. It would not be reasonable to encourage WoSign
to complete all the other steps in the process if there was little or no
chance of them being approved in public discussion.

So Kathleen and I thought it would be best to have a pre-discussion now,
in order to make sure that expectations are set appropriately. If WoTrus
had completed all the action items in the bug and arrived at the public
discussion part of the application, what would people say? If you raise
an objection, please say if there is any way at all that you think
WoTrus could address your issue.

Thanks for your input,

Gerv