Re: Possible future re-application from WoSign (now WoTrus)
On 22/11/17 09:05, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.

Thank you to everyone who contributed to this discussion in a thoughtful and measured way. Mozilla has emailed WoTrus and Qihoo 360 with our summary of the sentiment of the group, which we hope will be useful to them in making their future plans.

Gerv

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
Re: Possible future re-application from WoSign (now WoTrus)
While it is to the benefit of everyone that Richard Wang and other employees at WoSign/WoTrus have learned valuable lessons over the past year, it seems to me that far too much damage has been done for Mozilla to seriously consider a CA which has Richard in any sort of management position, much less as CEO. I look at the depth and breadth of his deceptive acts, the technical/policy/compliance issues that were present at WoSign and StartCom under his leadership, the defiance of any expectation that CAs should exhibit reasonable levels of transparency and forthrightness, the amount of time and effort spent in this forum on the myriad WoSign and StartCom issues. One is left to consider how much tolerance remains in the community for further mistakes and transgressions that might arise from WoTrus. What incentive does Richard have to be forthcoming in the future, knowing that the community might take harsh action against his company? How much time should WoTrus be allowed to consume, knowing it might unfairly affect the inclusion requests of new CAs, or the addressing of situations that arise at other CAs, or the discussion of ideas for advancing security throughout the global PKI?

When the initial sanction against WoSign and StartCom took place, I think many in this forum would have been content to let both CAs fade away into the land of distrust and ultimate removal. That Mozilla allowed both to remain was, I think, an act of generosity, with the expectation being(?) that, with a change in leadership and a new technology infrastructure, the global PKI will be better off for keeping WoSign/StartCom as trusted CAs. It's not (yet) clear that enough improvements have been made to the infrastructure and, obviously, there has been no change in leadership.

With everything taken together, I just don't see the benefit of including WoTrus in the trusted CA program. The costs to the community have been high--and probably will continue to be high. The risks have been many--and probably will continue to be many. And the benefits would appear to be too few.

From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, so that we don't reply to the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we learned that the distrust sanction would start from Oct. 20, 2016, we started talking to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started reselling their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA from DigiCert on June 30, 2017.

(2) We sent replacement notices to all charged customers and have replaced more than 6000 certificates for customers for free.

(3) We realized our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. Another two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.

(4) We started to develop a new PKI/CA system including a validation system, OCSP system, CT system
RE: Possible future re-application from WoSign (now WoTrus)
Hi Peter,

I am working for WoTrus as a Compliance Coordinator in the Risk Control & Compliance Department and I am the representative of WoTrus for communication in the community.

Best regards,
Danny

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+pa4=wotrus@lists.mozilla.org] On Behalf Of Peter Kurrasch via dev-security-policy
Sent: Tuesday, November 28, 2017 11:50 PM
To: Danny 吴熠; mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Possible future re-application from WoSign (now WoTrus)

Danny, can you please clarify your role? Are you a WoTrus employee and are you speaking on behalf of Richard Wang?

Thanks.

Original Message
From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, so that we don't reply to the emails one by one.

...snip...

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security to regain public trust.

We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,
WoTrus CA Limited
Re: Possible future re-application from WoSign (now WoTrus)
Danny, can you please clarify your role? Are you a WoTrus employee and are you speaking on behalf of Richard Wang?

Thanks.

Original Message
From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, so that we don't reply to the emails one by one.

...snip...

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security to regain public trust.

We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,
WoTrus CA Limited
Re: Possible future re-application from WoSign (now WoTrus)
On Mon, Nov 27, 2017 at 3:07 PM, adisor19--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> After seeing the forced shutdown of StartCom, I see no reason to allow them back in. Richard Wang is back in his role as CEO and everything is back to square one except all trust is gone now. They killed a good brand/company (StartCom) and did more harm to the public CA ecosystem than Symantec's shenanigans.
>
> Allowing them back in is insulting IMO.

I also lament the passing of StartCom. I liked it before the acquisition. I was a paying customer.

It brings an interesting point though. If I were assessing his fitness to run a CA at this point, I would probably fault Eddy Nigg quite harshly, too. While he clearly wasn't responsible for the improper actions undertaken by Mr. Wang, he shirked a responsibility to the community in not announcing that he was no longer supervising and controlling StartCom, delaying the discovery and remediation. To the extent that he made any kind of NDA or other agreement with WoSign as part of the sale, that's still a choice he made to sign on to, and such choices have consequences -- especially when it comes to trust.

Matt Hardeman
Re: Possible future re-application from WoSign (now WoTrus)
On Wednesday, November 22, 2017 at 4:06:26 AM UTC-5, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago) are working towards a re-application to join the Mozilla Root Program. Richard Wang recently asked us to approve a particular auditor as being suitable to audit their operations.
>
> In the WoSign Action Items bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
> Kathleen wrote "WoSign may apply for inclusion of new (replacement) root certificates[1] following Mozilla's normal root inclusion/change process[2] (minus waiting in the queue for the discussion), after they have completed all of the following action items, and no earlier than June 1, 2017."
>
> However, one step in the inclusion process is the public discussion, and we have some reason to believe that this may lead to significant objections being raised. It would not be reasonable to encourage WoSign to complete all the other steps in the process if there was little or no chance of them being approved in public discussion.
>
> So Kathleen and I thought it would be best to have a pre-discussion now, in order to make sure that expectations are set appropriately. If WoTrus had completed all the action items in the bug and arrived at the public discussion part of the application, what would people say? If you raise an objection, please say if there is any way at all that you think WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv

After seeing the forced shutdown of StartCom, I see no reason to allow them back in. Richard Wang is back in his role as CEO and everything is back to square one except all trust is gone now. They killed a good brand/company (StartCom) and did more harm to the public CA ecosystem than Symantec's shenanigans.

Allowing them back in is insulting IMO.
Re: Possible future re-application from WoSign (now WoTrus)
On 27/11/2017 09:38, Danny 吴熠 wrote:
> Dear Gerv, Kathleen, and other community friends,
>
> First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
> Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.
>
> Here is our response covering your questions, so that we don't reply to the emails one by one.
>
> Part One: What we have done in the past year since the sanction
>
> (1) After we learned that the distrust sanction would start from Oct. 20, 2016, we started talking to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started reselling their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA from DigiCert on June 30, 2017.
>
> (2) We sent replacement notices to all charged customers and have replaced more than 6000 certificates for customers for free.
>
> (3) We realized our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. Another two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.
>
> (4) We started to develop a new PKI/CA system including a validation system, OCSP system and CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test of the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback. We set up new infrastructure with the new system that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates to make sure every pre-issued certificate complies with the Standard.

There were plenty of negative responses to that Cure 53 report on mozilla.dev.security.policy by the people who actually received the full audit report. At least one of those people said that from their reading of the Cure 53 report, WoSign would not be able to regain trusted CA status without major changes to the audited code. Richard Wang replied to some of those responses in a manner that didn't exactly inspire further confidence.

> (5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the new planned roots. The RCC Department is responsible for the CPS updates and checks that every CA operation complies with the CPS; this department has the super right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.
>
> (6) On Aug 24, 2017, we changed our company's English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear difference for the planned new roots.
>
> (7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to carry out the certificate replacement work to minimize the sanction's impact.
>
> (8) We didn't fire the 20 RD employees, who are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.
>
> Part Two: About Richard Wang
>
> (1) In the remediation plan, Richard Wang was relieved as CEO and Qihoo 360 started to look for a proper candidate in Nov. 2016, and Mr. Tan Xiaosheng updated this at the March CAB Forum meeting: Richard Wang is the COO.
>
> (2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still in Richard Wang's charge as COO.
>
> (3) On Aug 24, 2017, the company's board of directors
Re: Possible future re-application from WoSign (now WoTrus)
The position that WoTrus (and apparently QiHoo 360) take(s) here does seem to clarify a matter involving the reinclusion. It sounds like they are insisting that Richard Wang would be part of the plan and would, in fact, retain a position of material control and responsibility in the post-reinclusion WoTrus.

I believe that opens the door to directly addressing the question as to whether or not the community would support WoTrus' reinclusion under those terms. While it also probably opens that door without having to address the larger question of individual trust in the abstract, I submit that the missed opportunity would seem to only kick that can down the road...

On Mon, Nov 27, 2017 at 2:38 AM, Danny 吴熠 via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> Dear Gerv, Kathleen, and other community friends,
>
> First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
> Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.
>
> Here is our response covering your questions, so that we don't reply to the emails one by one.
>
> Part One: What we have done in the past year since the sanction
>
> (1) After we learned that the distrust sanction would start from Oct. 20, 2016, we started talking to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started reselling their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA from DigiCert on June 30, 2017.
>
> (2) We sent replacement notices to all charged customers and have replaced more than 6000 certificates for customers for free.
>
> (3) We realized our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. Another two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.
>
> (4) We started to develop a new PKI/CA system including a validation system, OCSP system and CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test of the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback. We set up new infrastructure with the new system that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates to make sure every pre-issued certificate complies with the Standard.
>
> (5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the new planned roots. The RCC Department is responsible for the CPS updates and checks that every CA operation complies with the CPS; this department has the super right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.
>
> (6) On Aug 24, 2017, we changed our company's English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear difference for the planned new roots.
>
> (7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to carry out the certificate replacement work to minimize the sanction's impact.
>
> (8) We didn't fire the 20 RD employees, who are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.
>
> Part Two: About Richard Wang
>
> (1) In the remediation plan, Richard Wang was relieved as CEO and Qihoo 360 started to look for a proper
RE: Possible future re-application from WoSign (now WoTrus)
Here it is also a question of a dangerous precedent. Should Mozilla always forgive all bad CAs in the future and take a formal approach to security?
RE: Possible future re-application from WoSign (now WoTrus)
Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us see our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, so that we don't reply to the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we learned that the distrust sanction would start from Oct. 20, 2016, we started talking to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started reselling their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA from DigiCert on June 30, 2017.

(2) We sent replacement notices to all charged customers and have replaced more than 6000 certificates for customers for free.

(3) We realized our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. Another two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.

(4) We started to develop a new PKI/CA system including a validation system, OCSP system and CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test of the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback. We set up new infrastructure with the new system that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates to make sure every pre-issued certificate complies with the Standard.

(5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the new planned roots. The RCC Department is responsible for the CPS updates and checks that every CA operation complies with the CPS; this department has the super right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.

(6) On Aug 24, 2017, we changed our company's English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear difference for the planned new roots.

(7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to carry out the certificate replacement work to minimize the sanction's impact.

(8) We didn't fire the 20 RD employees, who are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.

Part Two: About Richard Wang

(1) In the remediation plan, Richard Wang was relieved as CEO and Qihoo 360 started to look for a proper candidate in Nov. 2016, and Mr. Tan Xiaosheng updated this at the March CAB Forum meeting: Richard Wang is the COO.

(2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still in Richard Wang's charge as COO.

(3) On Aug 24, 2017, the company's board of directors approved the company name change and restored Richard Wang's CEO position.

(4) Richard Wang is not just the CEO & CTO; he is the company founder and the shareholder. He learned a big lesson from this sanction, and he can't control everything due to the internal audit mechanism described in Part One.

Part Three: Our future plan

(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust audit and process our new root inclusion application, then we
Re: Possible future re-application from WoSign (now WoTrus)
On Friday, November 24, 2017 at 5:36:20 PM UTC-6, Tom wrote:
> For information, WoSign/WoTrus can already sell WoSign-branded EV
> certificates accepted by major trust stores, Mozilla's included.
>
> The intermediate certificate "WoSign EV SSL Pro CA" (
> https://crt.sh/?id=146206939 ) is signed by "DigiCert High Assurance EV
> Root CA".

I'm completely fine with them being a tightly controlled SubCA of someone else who has come up with contractual and technical controls sufficient that the sponsoring CA is willing to take on any risks of the activity. In this case, I imagine DigiCert is doing all the work and essentially just letting WoTrus sell their services. This is fine, as it doesn't place WoTrus or its management in a trusted position. Clearly, they intend to seek re-inclusion themselves so as to be able to attain all the profit from the sales.
Re: Possible future re-application from WoSign (now WoTrus)
> Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns
> that organization bought or built it with an expectation of at least the
> possibility of commercial success (profit). The organization's long term
> success requires inclusion in major root programs.

For information, WoSign/WoTrus can already sell WoSign-branded EV certificates accepted by major trust stores, Mozilla's included.

The intermediate certificate "WoSign EV SSL Pro CA" ( https://crt.sh/?id=146206939 ) is signed by "DigiCert High Assurance EV Root CA".

As stated by DigiCert, WoSign/WoTrus doesn't control the private key of "WoSign EV SSL Pro CA"; DigiCert does: https://bugzilla.mozilla.org/show_bug.cgi?id=1418451#c4

And the fact that they are simply a reseller (as they don't control the private key, nor do they do the validation themselves) is even well hidden by the Firefox UI, which states "Certified by: WoSign CA limited".
Re: Possible future re-application from WoSign (now WoTrus)
On Friday, November 24, 2017 at 6:07:44 AM UTC-6, Gervase Markham wrote:
> While I do not want to make this discussion entirely about specific
> people, as Mozilla's investigator of the issues at the time I am
> satisfied that WoSign's actions at the time were taken with full
> knowledge - that is, they were not due to incompetence. And those
> decisions were overseen and approved by individual(s) who still control
> WoSign/WoTrus.
>
> Gerv

This is the core issue that I believe makes any proposed inclusion or re-inclusion of WoTrus/WoSign/et al. _as it presently exists_ a non-starter. I can not fathom that the community would or should tolerate the extension of trust to an organization being managed by an individual who has knowingly violated the requirements, conventions, and standards demanded by the community. The rare exception set aside, an individual does not generally experience an overnight turn-around and incorporate a strict adherence to ethics and rules. Mozilla has previously allowed as much as to say that WoSign/StartCom engaged in intentional deception during the course of the investigation. You've now expressed confidence that the underlying actions in at least some of the violations were purposeful and performed while knowing that such actions were not in compliance. All persons involved who had advance knowledge of the actions to be taken -- and of the impropriety of such actions -- in addition to the ability to stop those actions or the ability to forewarn the community of those actions should be blacklisted as unfit for employment by any trusted CA. I believe that with the current management and executive team in place, WoTrus is unfit for inclusion. Modern society gives us plenty of other-than-CA examples of industries and functional roles within those industries in which the individuals are held to standards and violations of those standards remove that individual's ability to continue within that function.
This is seen in both fully formalized rule making as well as in more informal contexts. I offer up just two examples among many possibilities: The various SEC rules disqualifying various "bad actors", convicted felons, etc. from certain types of service in publicly traded corporations. They similarly have rules barring those individuals from new securities offerings. Less formally, look to cases such as the Wells Fargo fraudulent account opening debacle. It is unlikely that Wells' CEO and upper management committed a crime in building an incentive structure which caused literally thousands of employees to engage in actual criminal frauds. However, it was clear that the people of the US, the congress, and the various regulatory agencies were not content to leave in place the CEO and upper management which caused those actions to come about. At no point was there a discussion of whether or not the Wells Fargo bank would continue. There was always a question of whether the leadership could continue. Ultimately, their own board resolved the matter by ousting those who had to go. It immediately reduced external animus toward the bank. However uncomfortable the situation may be, I believe that the community and the root program must find a way to adopt a position that vests trust with the executive and management team -- and pulls that trust appropriately. I think it is not a controversial position to suggest that Richard Wang should not have privileged access at any publicly trusted CA. If that is truly uncontroversial, the rest of the decisions are just details to hammer out. I can well imagine that the tough one is how to break that to the CA / proposed CA. I can also imagine that the precedent set in doing so will have broader ramifications for the root program. Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit).
The organization's long term success requires inclusion in major root programs. If that organization will never get such trust and inclusion regardless of technical prowess or audits -- while person X is in place -- the community and program owe it to the ownership to make that crystal clear.

Matt Hardeman
Re: Possible future re-application from WoSign (now WoTrus)
On 2017-11-22 21:10, Rob Stradling via dev-security-policy wrote:
> On 22/11/17 11:45, marcan via dev-security-policy wrote:
>> On 22/11/17 20:41, Tom via dev-security-policy wrote:
>>>> Although not listed in the Action plan in #1311824, it is noteworthy
>>>> that Richard Wang has apparently not been relieved of his other
>>>> responsibilities, only the CEO title
>>>
>>> Do you have a link about him being relieved of the CEO title?
>>>
>>> https://www.wosign.com/english/about.htm has been updated with the new
>>> name, WoTrus, and currently says "Richard Wang, CEO"
>>>
>> It was discussed here in the past (and IIRC was part of the requirements
>> for re-inclusion, since he was a large part of the problem), but the
>> fact that so far it seems Richard Wang has been the main person to
>> interact on this mailing list from the WoSign (now WoTrus) side makes me
>> wonder if that wasn't all a ruse. He certainly seems to still be very
>> much in charge.
>
> "Richard Wang will be relieved of his duties as CEO of WoSign and other
> responsibilities" seems to be a forward-looking statement with no firm
> implementation date. I think we should at least give WoTrus an
> opportunity to clarify Richard's position before we pass judgment on
> whether or not this was "all a ruse".

It's worth considering the implications of him remaining on board for an extended period of time. Presumably the reason why him leaving was made a requirement was because he has lost trust with the community and it was deemed that he was directly responsible for a lot of WoSign's woes. If that is the case, then it stands to reason that removing him as soon as possible would be the best course of action for WoSign in order to improve their security and recover community trust. After all, if Richard Wang has been running the ship all along, then leaves the day before a re-inclusion request is filed, should the community trust the system and company which were built under his watch?

Sure, this meets the letter of the requirements, but I think it's fair to say it wouldn't meet the spirit, or at least reduce confidence and WoSign's chances for re-inclusion.

--
Hector Martin "marcan" (mar...@marcan.st)
Public Key: https://mrcn.st/pub
Re: Possible future re-application from WoSign (now WoTrus)
Hi, I touched on my thoughts on this matter a bit before. This is really about trust. I think several factors must be weighed here:

1. Is "trust" really required of a CA in a soon-to-be post-mandatory-CT-log world? If some level of trust is required, then:

2. Can we say that the Qihoo 360 / WoSign / WoTrus / WoTrust / StartCom family of corporate entities has any left? And furthermore is trust in the corporate entity chain even necessary if...

3. Are individuals filling executive and executive operations positions taking personal responsibility for key generation and management, standing up of the infrastructure, day to day operation of the infrastructure? And if so, can those individuals represent that they're staking their personal reputations on personally managing this infrastructure or, in the alternative, guaranteeing to affirmatively notify the community that they are stepping down and can no longer be responsible?

My take: Businesses are assets. Assets can be closely held or not. In many cases, the not closely held assets are traded around quite often, often with little oversight. I don't think we can make any assertions on trust as to the ownership. I do, however, believe that a company can be operated in such a manner that key executives can be identified and personal representations of those parties can be relied upon, insofar as consequences can be visited upon those individuals by the root programs. I do firmly support the spirit of this thread. I think it would be unethical of the community and of the Mozilla Root Program to dangle the theoretical possibility of inclusion / reinclusion -- encouraging the endeavor such that many external costs are taxed upon the prospect -- if they have knowledge that there are likely to be problems in the final approval in terms of community buy-in.
The downside, of course, is that while this alternative pre-discussion allows for discussion of the nebulous concept of "trust" and integrity, it actually denies the community those matters which can be most objectively evaluated -- the CPS, the subscriber agreements, certificate policy, auditor's opinions, etc. (which makes sense -- the development of these is pricey). I suppose, in summation, I believe this conversation only matters if we're really trying to have a discussion about trust and defining trust and importance of trust and whether there is a way that this CA can be trusted. Just my thoughts... Matt Hardeman On Wed, Nov 22, 2017 at 3:05 AM, Gervase Markham via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > We understand that WoTrus (WoSign changed their name some months ago) > are working towards a re-application to join the Mozilla Root Program. > Richard Wang recently asked us to approve a particular auditor as being > suitable to audit their operations. > > In the WoSign Action Items bug: > https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 > Kathleen wrote "WoSign may apply for inclusion of new (replacement) root > certificates[1] following Mozilla's normal root inclusion/change > process[2] (minus waiting in the queue for the discussion), after they > have completed all of the following action items, and no earlier than > June 1, 2017." > > However, one step in the inclusion process is the public discussion, and > we have some reason to believe that this may lead to significant > objections being raised. It would not be reasonable to encourage WoSign > to complete all the other steps in the process if there was little or no > chance of them being approved in public discussion. > > So Kathleen and I thought it would be best to have a pre-discussion now, > in order to make sure that expectations are set appropriately. 
> If WoTrus
> had completed all the action items in the bug and arrived at the public
> discussion part of the application, what would people say? If you raise
> an objection, please say if there is any way at all that you think
> WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv
Re: Possible future re-application from WoSign (now WoTrus)
On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
>> Mozilla did not formally require this, but it is true that as far as we
>> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>
> I think assessing and discussing the viability of a return of WoSign
> would be a lot easier if we had at least a proposed draft master plan
> from WoSign, so we could discuss if that plan (if correctly and honestly
> implemented) would be sufficient.

Alternatively, and I think this is what Gerv was requesting, is what concerns people would raise with respect to a reapplication, such that WoSign/WoTrus could ensure sufficient consideration went into such plans. Obviously, there will be concerns with implementation details, and finding those out before WoTrus implements is a useful and viable task. But similarly, by outlining the broader concerns, it might help inform. For example, one theme that can be picked up on this thread is a concern around the potential inconsistencies with respect to Richard Wang's role at WoTrus. Given his direct and personal involvement in the misissuance practices, one view might be that he's a fundamentally untrustworthy actor who has repeatedly displayed behaviours that undermine community trust in the organizations he is affiliated with. The statements about his transition out of CEO, and his apparent resumption of those duties, might underscore concerns about the management structure. It may be that a solution is for a response similar to what Mozilla recently shared with respect to DigiCert and Symantec, and a concern that any organization in which Richard Wang has a decision making capacity may not be a trustworthy organization.

Or it might be that some feel that is too strong, and look for technical measures - such as no inclusion of WoTrus logs until Mozilla has the technical capability to enforce Certificate Transparency on such certificates, such that any risks can be expediently detected and trust removed. These are all concerns that would arise during a discussion phase - after the stated requirements of Mozilla have been met, but due to potential overwhelming community concern about any trust in a Richard Wang-affiliated CA or an organization with a history as sordid as WoTrus/WoSign/WoTrust. If we assume good faith of WoTrus, which may be overly generous given past behaviour, then the goal of this discussion would be addressing the concerns that would exist with _future_ trust, now that the past/present trust has been addressed, such that systems can be designed and evaluated to appropriately consider such feedback.
Re: Possible future re-application from WoSign (now WoTrus)
On 22/11/2017 16:38, Gervase Markham wrote:
> On 22/11/17 10:54, Jakob Bohm wrote:
>> Some notes about previously discussed items:
>
> Mozilla is not suggesting that WoSign has completed all of the steps. The
> entire point is that we want to have this pre-discussion before they make
> the effort to do so.

This was mostly meant as a reminder of what had been discussed over the past 13 months, but also as a question if I had somehow missed those things being completed.

>> Although not listed in the Action plan in #1311824, it is noteworthy
>> that Richard Wang has apparently not been relieved of his other
>> responsibilities, only the CEO title. Was this part of the old plan
>> officially dropped?
>
> Mozilla did not formally require this, but it is true that as far as we
> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.

I think assessing and discussing the viability of a return of WoSign would be a lot easier if we had at least a proposed draft master plan from WoSign, so we could discuss if that plan (if correctly and honestly implemented) would be sufficient.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
Re: Possible future re-application from WoSign (now WoTrus)
On 22/11/17 11:41, Tom wrote:
> https://www.wosign.com/english/about.htm has been updated with the new
> name, WoTrus, and currently says "Richard Wang, CEO"

Richard stated to me at one point (I can't remember whether in person or by email) that at the time of speaking, he was no longer CEO, and they were looking for a new one, but he was CXO, where the X was, I think, an O, but might have been a T. So at one point, he did assert that he was no longer CEO. It seems like, from the website, this has changed.

Gerv
Re: Possible future re-application from WoSign (now WoTrus)
FWIW my opinion: I don't think there should be a lifetime or long term ban for people or companies that have operated a bad CA in the past. However I do believe that the way Wosign representatives on this list acted in the past was often dishonest and highly problematic. If Wosign continues to appear that way I don't see how they can successfully be trusted again. Not because they are Wosign, but because I wouldn't trust any other CA behaving that way. If Wosign wants to be trusted they need to show a behavior where the community feels questions are answered honestly and technical problems are taken seriously.

--
Hanno Böck
https://hboeck.de/
mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Re: Possible future re-application from WoSign (now WoTrus)
On 22/11/2017 10:05, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.
>
> In the WoSign Action Items bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
> Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
> certificates[1] following Mozilla's normal root inclusion/change
> process[2] (minus waiting in the queue for the discussion), after they
> have completed all of the following action items, and no earlier than
> June 1, 2017."
>
> However, one step in the inclusion process is the public discussion, and
> we have some reason to believe that this may lead to significant
> objections being raised. It would not be reasonable to encourage WoSign
> to complete all the other steps in the process if there was little or no
> chance of them being approved in public discussion.
>
> So Kathleen and I thought it would be best to have a pre-discussion now,
> in order to make sure that expectations are set appropriately. If WoTrus
> had completed all the action items in the bug and arrived at the public
> discussion part of the application, what would people say? If you raise
> an objection, please say if there is any way at all that you think
> WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv

Some notes about previously discussed items:

In bug #1311824 mentioned above, step 1 is for WoTrus to present a list of changes to be implemented. Has this been done yet?

Step 2 is for WoTrus to update their CP/CPS. Has this been done yet?

Also in Bug #1311824, Richard Wang has posted a summary of a code audit report, the full text of which was made available to the module owners of the root program. Was the report contents acceptable or did it leave open questions and outstanding issues?

On 07/10/2016 13:12, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan proposed here:
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
> is still appropriate for WoSign.
>
> ...
>
> * There will be personnel changes:
>
>    - StartCom's chairman will be Xiaosheng Tan (Chief Security Officer
>      of Qihoo 360).
>    - StartCom's CEO will be Inigo Barreira (formerly GM of StartCom
>      Europe).
>    - Richard Wang will be relieved of his duties as CEO of WoSign and
>      other responsibilities. It is not decided who will replace him.
>
> ...

Although not listed in the Action plan in #1311824, it is noteworthy that Richard Wang has apparently not been relieved of his other responsibilities, only the CEO title. Was this part of the old plan officially dropped?

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded