On Friday, 14 July 2017 04:44:39 UTC+2, Richard Wang wrote:
> Hi Peter,
>
> Thanks for your guesses.
> But there are none of those issues in our system.
>
>
> Best Regards,
>
> Richard
That's what you say. But you've lied before. :-( So sorry, but that won't go
anywhere near regaining trust. You'll have
<jonat...@titanous.com>;
mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: WoSign new system passed Cure 53 system security audit
Richard,
I can only guess what Ryan is talking about as the report wasn't sent to this
group, but it is possible that th
Richard,
I can only guess what Ryan is talking about as the report wasn't sent
to this group, but it is possible that the system described could not
meet the Baseline Requirements, as the BRs do require certain system
designs. For example, two requirements are:
"Require that each individual in
Hi Ryan,
Thanks for your detailed info.
But I still CAN NOT understand why you say and confirm that the new system
cannot and does not comply with BR before we start to use it.
We will do the BR audit soon.
Best Regards,
Richard
On 14 Jul 2017, at 00:50, Ryan Sleevi
In the description of the remediation of the vulnerabilities, aspects of
the design are shared, particularly in discussing remediation. These
aspects reveal design decisions that do not comply with the BRs, and are
significant enough to require re-design.
I agree that this can be difficult to
rd
>
> -Original Message-
> From: dev-security-policy
> [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
> Behalf Of Percy via dev-security-policy
> Sent: Monday, July 10, 2017 12:41 PM
> To: mozilla-dev-security-pol...@lists.mozilla.org
>
> You will fail #4. Because your system, as designed, cannot and does not
> comply with the Baseline Requirements.
Is there a design outline in the security audit as well? No one in the
community can judge either yours or WoSign's statement as this information is
not shared with us. I suggest
You will fail #4. Because your system, as designed, cannot and does not
comply with the Baseline Requirements.
As such, you will then
(4.1) Update new system, developing new code and new integrations
(4.2) Engage the auditor to come back on side
(4.3) Hope you get it right this time
(4.4)
Hi Ryan,
I really don't understand where the new system can't meet the BR. We don't use
the new system to issue one certificate; how does it violate the BR?
Our step is:
(1) develop a new secure system in the new infrastructure, then do the new
system security audit, pass the security audit;
(2)
Richard,
That's great, but the system that passed the full security audit cannot
meet the BRs, you would have to change that system to meet the BRs, and
then that new system would no longer be what was audited.
I would encourage you to address the items in the order that Mozilla posed
them -
On 13/07/17 04:43, Matt Palmer wrote:
> Who should we contact at Cure 53? Or should we just use the "business
> enquiries" contact address on their website?
I doubt Cure53 would be able to tell you anything more than what has
been said in the released summary document.
Gerv
Hi Ryan,
We got confirmation from Cure 53 that new system passed the full security
audit. Please contact Cure 53 directly to verify this, thanks.
We don't start the BR audit now.
Best Regards,
Richard
On 12 Jul 2017, at 22:09, Ryan Sleevi >
wrote:
On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang wrote:
> Hi all,
>
> Your reported BR issues are from StartCom, not WoSign; we don't use the new
> system to issue any certificate now since the new root is not generated.
> PLEASE DO NOT mix it, thanks.
>
> Best Regards,
>
>
Hi all,
Your reported BR issues are from StartCom, not WoSign; we don't use the new
system to issue any certificate now since the new root is not generated.
PLEASE DO NOT mix it, thanks.
Best Regards,
Richard
> On 11 Jul 2017, at 23:34, Ryan Sleevi via dev-security-policy
>
On Tue, Jul 11, 2017 at 12:09 PM, Percy via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote:
>
> > comply with the Baseline Requirements, nor, as designed, can it. The
> system
> > would need to undergo
On Tue, Jul 11, 2017 at 11:40 AM, Alex Gaynor wrote:
> Is this a correct summary:
>
> - The report included here is supposed to fulfill the network security
> test portion of the BRs
>
No. This is #5 from https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 ,
and relates to
Is this a correct summary:
- The report included here is supposed to fulfill the network security test
portion of the BRs
- This report does not attest to BR compliance (or non-compliance)
- To complete an application for the Mozilla Root Program, WoSign would be
required to additionally provide
On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via
dev-security-policy wrote:
>
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via
> dev-security-policy wrote:
> >
> > On Monday, 10 July 2017 08:55:38
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote:
> > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy
> > wrote:
> >
> > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
> >>
> >> Please note
> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy
> wrote:
>
> On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
>>
>> Please note this email topic is just for releasing the news that WoSign new
>> system passed the
On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote:
>
> Please note this email topic is just for releasing the news that WoSign new
> system passed the security audit, just for demonstration that we finished
> item 5:
> " 5. Provide auditor[3] attestation that a full security audit of
-policy
[mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 2:39 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
On Monday, July 10
On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote:
> " 5. Provide auditor[3] attestation that a full security audit of the CA’s
> issuing infrastructure has been successfully completed. "
> " [3] The auditor must be an external company, and approved by Mozilla. "
What is the
..@lists.mozilla.org] On
Behalf Of Percy via dev-security-policy
Sent: Monday, July 10, 2017 12:41 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
So it seems that Richard Wang still has the final executive decisions regardin
Eric Mill [mailto:e...@konklone.com]
> Sent: Monday, July 10, 2017 10:12 AM
> To: Richard Wang <rich...@wosign.com>
> Cc: Itzhak Daniel <itk98...@gmail.com>;
> mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security
<rich...@wosign.com>
Cc: Itzhak Daniel <itk98...@gmail.com>;
mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
So who acts as the CEO for WoSign when final executive decisions need to be
made?
On Sun, Jul 9, 201
osign@lists.mozilla.org] On Behalf Of Itzhak Daniel via
> dev-security-policy
> Sent: Monday, July 10, 2017 4:57 AM
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: WoSign new system passed Cure 53 system security audit
>
> Mr. Wang is mentioned on the end of th
-policy-bounces+richard=wosign@lists.mozilla.org] On
Behalf Of Itzhak Daniel via dev-security-policy
Sent: Monday, July 10, 2017 4:57 AM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: WoSign new system passed Cure 53 system security audit
Mr. Wang is mentioned on the end
Mr. Wang is mentioned at the end of the document; what is the current
official responsibility of Mr. Wang at WoSign?
According to the incident report, released in October 2016 [1], Mr. Wang was
supposed to be relieved of his duties as CEO; this is mentioned in 3 separate
paragraphs
On Fri, Jul 07, 2017 at 06:12:58AM +, Danny 吴熠 via dev-security-policy
wrote:
> As per requirements, WoSign new issuing infrastructure has been completed
> and passed the Cure 53 white box security audit successfully on June 27.
> Cure53 is approved by Mozilla. The full audit report has