Re: WoSign new system passed Cure 53 system security audit

2017-07-14 Thread okaphone.elektronika--- via dev-security-policy
On Friday, 14 July 2017 04:44:39 UTC+2, Richard Wang wrote: > Hi Peter, > > Thanks for your guesses. > But no those issues in our system. > > > Best Regards, > > Richard That's what you say. But you've lied before. :-( So sorry, but that won't go anywhere near regaining trust. You'll have

RE: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Richard Wang via dev-security-policy
<jonat...@titanous.com>; mozilla-dev-security-policy <mozilla-dev-security-pol...@lists.mozilla.org> Subject: Re: WoSign new system passed Cure 53 system security audit Richard, I can only guess what Ryan is talking about as the report wasn't sent to this group, but it is possible that th

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Peter Bowen via dev-security-policy
Richard, I can only guess what Ryan is talking about as the report wasn't sent to this group, but it is possible that the system described could not meet the Baseline Requirements, as the BRs do require certain system designs. For example, two requirements are: "Require that each individual in

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Richard Wang via dev-security-policy
Hi Ryan, Thanks for your detailed info. But I still CAN NOT understand why you say and confirm that the new system cannot and does not comply with BR before we start to use it. We will do the BR audit soon. Best Regards, Richard On 14 Jul 2017, at 00:50, Ryan Sleevi

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Ryan Sleevi via dev-security-policy
In the description of the remediation of the vulnerabilities, aspects of the design are shared, particularly in discussing remediation. These aspects reveal design decisions that do not comply with the BRs, and are significant enough to require re-design. I agree that this can be difficult to

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread richardsmeizumx--- via dev-security-policy
rd > > -Original Message- > From: dev-security-policy > [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On > Behalf Of Percy via dev-security-policy > Sent: Monday, July 10, 2017 12:41 PM > To: mozilla-dev-security-pol...@lists.mozilla.org >

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Percy via dev-security-policy
> You will fail #4. Because your system, as designed, cannot and does not > comply with the Baseline Requirements. Is there a design outline in the security audit as well? No one in the community can judge either yours or WoSign's statement as this information is not shared with us. I suggest

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Ryan Sleevi via dev-security-policy
You will fail #4. Because your system, as designed, cannot and does not comply with the Baseline Requirements. As such, you will then (4.1) Update new system, developing new code and new integrations (4.2) Engage the auditor to come back on side (4.3) Hope you get it right this time (4.4)

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Richard Wang via dev-security-policy
Hi Ryan, I really don't understand where the new system can't meet the BR, we don't use the new system to issue one certificate, how does it violate the BR? Our steps are: (1) develop a new secure system in the new infrastructure, then do the new system security audit, pass the security audit; (2)

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Ryan Sleevi via dev-security-policy
Richard, That's great, but the system that passed the full security audit cannot meet the BRs, you would have to change that system to meet the BRs, and then that new system would no longer be what was audited. I would encourage you to address the items in the order that Mozilla posed them -

Re: WoSign new system passed Cure 53 system security audit

2017-07-13 Thread Gervase Markham via dev-security-policy
On 13/07/17 04:43, Matt Palmer wrote: > Who should we contact at Cure 53? Or should we just use the "business > enquiries" contact address on their website? I doubt Cure53 would be able to tell you anything more than what has been said in the released summary document. Gerv

Re: WoSign new system passed Cure 53 system security audit

2017-07-12 Thread Richard Wang via dev-security-policy
Hi Ryan, We got confirmation from Cure 53 that the new system passed the full security audit. Please contact Cure 53 directly to verify this, thanks. We don't start the BR audit now. Best Regards, Richard On 12 Jul 2017, at 22:09, Ryan Sleevi wrote:

Re: WoSign new system passed Cure 53 system security audit

2017-07-12 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 8:18 PM, Richard Wang wrote: > Hi all, > > Your reported BR issues are from StartCom, not WoSign, we don't use the new > system to issue any certificate now since the new root is not generated. > PLEASE DO NOT mix it, thanks. > > Best Regards, > >

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Richard Wang via dev-security-policy
Hi all, Your reported BR issues are from StartCom, not WoSign, we don't use the new system to issue any certificate now since the new root is not generated. PLEASE DO NOT mix it, thanks. Best Regards, Richard > On 11 Jul 2017, at 23:34, Ryan Sleevi via dev-security-policy >

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 12:09 PM, Percy via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Tuesday, July 11, 2017 at 8:36:33 AM UTC-7, Ryan Sleevi wrote: > > > comply with the Baseline Requirements, nor, as designed, can it. The > system > > would need to undergo

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 11:40 AM, Alex Gaynor wrote: > Is this a correct summary: > > - The report included here is supposed to fulfill the network security > test portion of the BRs > No. This is #5 from https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 , and relates to

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Alex Gaynor via dev-security-policy
Is this a correct summary: - The report included here is supposed to fulfill the network security test portion of the BRs - This report does not attest to BR compliance (or non-compliance) - To complete an application for the Mozilla Root Program, WoSign would be required to additionally provide

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Ryan Sleevi via dev-security-policy
On Tue, Jul 11, 2017 at 11:16 AM, Jonathan Rudenberg via dev-security-policy wrote: > > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via > dev-security-policy wrote: > > > > On Monday, 10 July 2017 08:55:38

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Percy via dev-security-policy
On Tuesday, July 11, 2017 at 8:16:50 AM UTC-7, Jonathan Rudenberg wrote: > > On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy > > wrote: > > > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: > >> > >> Please note

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread Jonathan Rudenberg via dev-security-policy
> On Jul 11, 2017, at 06:53, okaphone.elektronika--- via dev-security-policy > wrote: > > On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: >> >> Please note this email topic is just for releasing the news that WoSign new >> system passed the

Re: WoSign new system passed Cure 53 system security audit

2017-07-11 Thread okaphone.elektronika--- via dev-security-policy
On Monday, 10 July 2017 08:55:38 UTC+2, Richard Wang wrote: > > Please note this email topic is just for releasing the news that WoSign new > system passed the security audit, just for demonstration that we finished > item 5: > " 5. Provide auditor[3] attestation that a full security audit of

RE: WoSign new system passed Cure 53 system security audit

2017-07-10 Thread Richard Wang via dev-security-policy
-policy [mailto:dev-security-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Itzhak Daniel via dev-security-policy Sent: Monday, July 10, 2017 2:39 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: WoSign new system passed Cure 53 system security audit On Monday, July 10

Re: WoSign new system passed Cure 53 system security audit

2017-07-10 Thread Itzhak Daniel via dev-security-policy
On Monday, July 10, 2017 at 9:00:04 AM UTC+3, Richard Wang wrote: > " 5. Provide auditor[3] attestation that a full security audit of the CA’s > issuing infrastructure has been successfully completed. " > " [3] The auditor must be an external company, and approved by Mozilla. " What is the

RE: WoSign new system passed Cure 53 system security audit

2017-07-10 Thread Richard Wang via dev-security-policy
..@lists.mozilla.org] On Behalf Of Percy via dev-security-policy Sent: Monday, July 10, 2017 12:41 PM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: WoSign new system passed Cure 53 system security audit So it seems that Richard Wang still has the final executive decisions regardin

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Percy via dev-security-policy
Eric Mill [mailto:e...@konklone.com] > Sent: Monday, July 10, 2017 10:12 AM > To: Richard Wang <rich...@wosign.com> > Cc: Itzhak Daniel <itk98...@gmail.com>; > mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: WoSign new system passed Cure 53 system security

RE: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Richard Wang via dev-security-policy
<rich...@wosign.com> Cc: Itzhak Daniel <itk98...@gmail.com>; mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: WoSign new system passed Cure 53 system security audit So who acts as the CEO for WoSign when final executive decisions need to be made? On Sun, Jul 9, 201

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Eric Mill via dev-security-policy
osign@lists.mozilla.org] On Behalf Of Itzhak Daniel via > dev-security-policy > Sent: Monday, July 10, 2017 4:57 AM > To: mozilla-dev-security-pol...@lists.mozilla.org > Subject: Re: WoSign new system passed Cure 53 system security audit > > Mr. Wang is mentioned on the end of th

RE: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Richard Wang via dev-security-policy
-policy-bounces+richard=wosign@lists.mozilla.org] On Behalf Of Itzhak Daniel via dev-security-policy Sent: Monday, July 10, 2017 4:57 AM To: mozilla-dev-security-pol...@lists.mozilla.org Subject: Re: WoSign new system passed Cure 53 system security audit Mr. Wang is mentioned on the end

Re: WoSign new system passed Cure 53 system security audit

2017-07-09 Thread Itzhak Daniel via dev-security-policy
Mr. Wang is mentioned at the end of the document; what is the current official responsibility of Mr. Wang at WoSign? According to the incident report, released in October 2016 [1], Mr. Wang was supposed to be relieved of his duties as CEO, this is mentioned in 3 separate paragraphs

Re: WoSign new system passed Cure 53 system security audit

2017-07-07 Thread Matt Palmer via dev-security-policy
On Fri, Jul 07, 2017 at 06:12:58AM +, Danny 吴熠 via dev-security-policy wrote: > As per requirements, WoSign new issuing infrastructure has been completed > and passed the Cure 53 white box security audit successfully in June 27. > Cure53 is approved by Mozilla. The full audit report has