Hi Ryan,

Thanks for pointing out the link "https://wiki.mozilla.org/CA:WoSign_Issues".
I think I need to say more about "misleading" and "lie".

I would like to expose some FACTs to the public, to let the public know who is 
misleading and lying.

In the initial WoSign issues email on M.D.S.P on Aug 24, 2016 -- Issue 0 
(a.k.a. Issue L: Any Port (Jan - Apr 2015)), Mozilla wrote:
"This problem was reported to Google, and thence to WoSign and resolved.
Mozilla only became aware of it recently."

The FACT is that Google's Ryan Sleevi sent an email to Richard Wang on April 4th 2015 to 
point out the problems (see the original email below), NOT that WoSign reported to 
Google; this is the first misleading statement and lie.

The second "lie": Ryan Sleevi is the Mozilla Module Peer, which means Mozilla 
knew of this case, so why does someone say "Mozilla only became aware of it 
recently." (August 24, 2016)? This is the second misleading statement and lie.
-------------------------------------------------------------------------------------
-------- Original Message --------
From: Ryan Sleevi <sle...@google.com>
Received: Saturday, 04 April 2015 09:25
To: Richard Wang
Subject: WoSign Irregularities

Hi Richard, 

It's come to our attention that WoSign may be issuing certificates that are not 
conforming to your CPS and not conforming to the Baseline Requirements.

While we're still investigating the nature and scope, I was hoping you could 
take the opportunity and ensure that the certificates you're issuing are 
consistent with the Baseline Requirements and consistent to your CPS.

Among other things, I've noted irregularities in:
- Subject Information
- Extensions
- Certificate Policies
- Issuer Alternative Name

Could you please examine your certificates and let me know of any 
irregularities that you have detected and what steps have been taken (per 
Section 8.2 of your CPS)?

Also, can you please provide your most recent audit? The most recent BR audit 
available was for the period of 1 January 2013 through 31 December 2013, 
completed on 28 March 2014. I see you've already completed Seals 1843 
(Principles & Practices) and 1842 (EV). When do you expect an audit for the 
period of 1 January 2014 through 31 December 2014 to be made available?
-----------------------------------------------------------------------------------


Best Regards,

Richard Wang


-------- Original Message --------
From: Ryan Sleevi via dev-security-policy 
Received: Thursday, 27 September 2018 00:44
To: Richard Wang 
Cc: Ryan Sleevi ; mozilla-dev-security-policy ; Jeremy Rowley 
Subject: Re: Re: Google Trust Services Root Inclusion Request


Hi Richard,

A few corrections:

On Wed, Sep 26, 2018 at 11:36 AM Richard Wang via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> Ryan mentioned WoSign/StartCom and 360, so I would like to say a few words.
>
> First, I think your idea is not a proper metaphor because 360 browser
> can't compare to Google browser; Google browser has an absolutely strong
> market share to say YES/NO to all CAs, but I am sure not to Google CA.
>

That wasn't the comparison. I was more highlighting how you actively
misled (lied?) to the community about the relationship between the
entities, by trying to argue as separate entities. While Google Trust
Services is a separate legal entity, which is about ensuring there is a
firewall between these organizations, my concern about bringing it up was
because of how you actively misled the community.


> Third, your comparison of Apple and Microsoft is also not correct; they
> use their own CA systems for their own system use only, not for the public, not to
> be a global public CA like Google.
>

I'm afraid this also misunderstands things. Microsoft does issue
certificates for end-users using its services (like Google). To the point
of the discussion, however, it was about the assumption and implication
that you cannot distrust an entity that operates a large web presence and
also a CA, or that browsers would play special favors to the CAs of their
properties, whether in-house or external. Both of these apply to all
browsers - arguably, even Mozilla (which uses certs from DigiCert as well,
either through the Amazon-branded sub-CA that DigiCert operates or directly
through DigiCert)


> Ryan, thank you for still remembering WoSign.
>

I think it will be very hard for the community to ever forget
https://wiki.mozilla.org/CA:WoSign_Issues
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy