Possible future re-application from WoSign (now WoTrus)

Gervase Markham

Nov 22, 2017, 4:06:26 AM
to mozilla-dev-s...@lists.mozilla.org
We understand that WoTrus (WoSign changed their name some months ago)
are working towards a re-application to join the Mozilla Root Program.
Richard Wang recently asked us to approve a particular auditor as being
suitable to audit their operations.

In the WoSign Action Items bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
certificates[1] following Mozilla's normal root inclusion/change
process[2] (minus waiting in the queue for the discussion), after they
have completed all of the following action items, and no earlier than
June 1, 2017."

However, one step in the inclusion process is the public discussion, and
we have some reason to believe that this may lead to significant
objections being raised. It would not be reasonable to encourage WoSign
to complete all the other steps in the process if there was little or no
chance of them being approved in public discussion.

So Kathleen and I thought it would be best to have a pre-discussion now,
in order to make sure that expectations are set appropriately. If WoTrus
had completed all the action items in the bug and arrived at the public
discussion part of the application, what would people say? If you raise
an objection, please say if there is any way at all that you think
WoTrus could address your issue.

Thanks for your input,

Gerv

Jakob Bohm

Nov 22, 2017, 5:55:00 AM
to mozilla-dev-s...@lists.mozilla.org
Some notes about previously discussed items:

In bug #1311824 mentioned above, step 1 is for WoTrus to present a list
of changes to be implemented. Has this been done yet?

Step 2 is for WoTrus to update their CP/CPS. Has this been done yet?

Also in Bug #1311824, Richard Wang has posted a summary of a code audit
report the full text of which was made available to the module owners of
the root program. Were the report's contents acceptable, or did it leave
open questions and outstanding issues?

On 07/10/2016 13:12, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan proposed
> here:
>
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
> is still appropriate for WoSign.
>
> ...
>
> * There will be personnel changes:
>
> - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer
> of Qihoo 360).
> - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom
> Europe).
> - Richard Wang will be relieved of his duties as CEO of WoSign and
> other responsibilities. It is not decided who will replace him.
>
> ...

Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title. Was this part of the old plan
officially dropped?


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

Hanno Böck

Nov 22, 2017, 6:04:45 AM
to dev-secur...@lists.mozilla.org, Gervase Markham
FWIW my opinion:
I don't think there should be a lifetime or long term ban for people or
companies that have operated a bad CA in the past.

However I do believe that the way Wosign representatives on this list
acted in the past was often dishonest and highly problematic.
If Wosign continues to appear that way I don't see how they can
successfully be trusted again. Not because they are Wosign, but because
I wouldn't trust any other CA behaving that way.

If Wosign wants to be trusted they need to show a behavior where the
community feels questions are answered honestly and technical problems
are taken seriously.

--
Hanno Böck
https://hboeck.de/

mail/jabber: ha...@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

Tom

Nov 22, 2017, 6:26:54 AM
to mozilla-dev-s...@lists.mozilla.org
About the past behavior of WoSign, the incident report
https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
from https://wiki.mozilla.org/CA:WoSign_Issues seems missing.

What is Mozilla's policy on these kinds of documents?
- Should the emitter provide it from their website and pledge to keep
that link alive for a long period of time?
- Should the emitter provide it, and it's Mozilla's job to store it
somewhere permanent?
- Should the emitter store it somewhere permanent under Mozilla's
website (as a bug attachment, for example)?
- Mozilla doesn't care about keeping these documents available.

Either way, in this particular case, deciding if WoSign/WoTrus can be
trusted again without having their response about their previous
behavior seems difficult, so I'm sure the document will be online
quickly at the same URL as before!

Hanno Böck

Nov 22, 2017, 6:40:35 AM
to dev-secur...@lists.mozilla.org, Tom
On Wed, 22 Nov 2017 12:26:15 +0100
Tom via dev-security-policy <dev-secur...@lists.mozilla.org>
wrote:

> About the past behavior of WoSign, the incident report
> https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf
> from https://wiki.mozilla.org/CA:WoSign_Issues seems missing.

It can be read through wayback machine:
https://web.archive.org/web/20170203172437/https://www.wosign.com/report/WoSign_Incident_Final_Report_09162016.pdf

I was wondering if I should edit the wiki, but it's linked at multiple
places and other PDFs as well that may have disappeared.

In any case: I agree these are legitimate questions, if past CA
incidents happen the documents describing them should be properly
archived. I think having a rule that one copy of them has to be stored
on mozilla infrastructure is wise.

Tom

Nov 22, 2017, 6:42:26 AM
to mozilla-dev-s...@lists.mozilla.org
> Although not listed in the Action plan in #1311824, it is noteworthy
> that Richard Wang has apparently not been relieved of his other
> responsibilities, only the CEO title

Do you have a link about him being relieved of the CEO title?

https://www.wosign.com/english/about.htm has been updated with the new
name, WoTrus, and currently says "Richard Wang, CEO&CTO"

marcan

Nov 22, 2017, 6:53:07 AM
to Tom, mozilla-dev-s...@lists.mozilla.org
On 22/11/17 20:41, Tom via dev-security-policy wrote:
>> Although not listed in the Action plan in #1311824, it is noteworthy
>> that Richard Wang has apparently not been relieved of his other
>> responsibilities, only the CEO title
>
> Do you have a link about him being relieved of the CEO title?
>
> https://www.wosign.com/english/about.htm has been updated with the new
> name, WoTrus, and currently says "Richard Wang, CEO&CTO"
>

It was discussed here in the past (and IIRC was part of the requirements
for re-inclusion, since he was a large part of the problem), but the
fact that so far it seems Richard Wang has been the main person to
interact on this mailing list from the WoSign (now WoTrus) side makes me
wonder if that wasn't all a ruse. He certainly seems to still be very
much in charge.

--
marcan
Public key: https://mrcn.st/pub

Jakob Bohm

Nov 22, 2017, 6:53:38 AM
to mozilla-dev-s...@lists.mozilla.org
It was discussed in the thread about that code audit report, subject is
"WoSign new system passed Cure 53 system security audit" and first post
was on 2017-07-07T06:12:58 UTC.

Rob Stradling

Nov 22, 2017, 7:11:21 AM
to marcan, Tom, mozilla-dev-s...@lists.mozilla.org
On 22/11/17 11:45, marcan via dev-security-policy wrote:
> On 22/11/17 20:41, Tom via dev-security-policy wrote:
>>> Although not listed in the Action plan in #1311824, it is noteworthy
>>> that Richard Wang has apparently not been relieved of his other
>>> responsibilities, only the CEO title
>>
>> Do you have a link about him being relieved of the CEO title?
>>
>> https://www.wosign.com/english/about.htm has been updated with the new
>> name, WoTrus, and currently says "Richard Wang, CEO&CTO"
>>
>
> It was discussed here in the past (and IIRC was part of the requirements
> for re-inclusion, since he was a large part of the problem), but the
> fact that so far it seems Richard Wang has been the main person to
> interact on this mailing list from the WoSign (now WoTrus) side makes me
> wonder if that wasn't all a ruse. He certainly seems to still be very
> much in charge.

"Richard Wang will be relieved of his duties as CEO of WoSign and other
responsibilities" seems to be a forward-looking statement with no firm
implementation date. I think we should at least give WoTrus an
opportunity to clarify Richard's position before we pass judgment on
whether or not this was "all a ruse".

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

Gervase Markham

Nov 22, 2017, 10:38:54 AM
to Jakob Bohm
On 22/11/17 10:54, Jakob Bohm wrote:
> Some notes about previously discussed items:

Mozilla is not suggesting that WoSign has completed all of the steps.
The entire point is that we want to have this pre-discussion before they
make the effort to do so.

> Although not listed in the Action plan in #1311824, it is noteworthy
> that Richard Wang has apparently not been relieved of his other
> responsibilities, only the CEO title.  Was this part of the old plan
> officially dropped?

Mozilla did not formally require this, but it is true that as far as we
can see, Richard Wang is still effectively in charge of WoSign/WoTrus.

Gerv

Gervase Markham

Nov 22, 2017, 10:40:21 AM
to Tom
On 22/11/17 11:41, Tom wrote:
> https://www.wosign.com/english/about.htm has been updated with the new
> name, WoTrus, and currently says "Richard Wang, CEO&CTO"

Richard stated to me at one point (I can't remember whether in person or
by email) that at the time of speaking, he was no longer CEO, and they
were looking for a new one, but he was CXO, where the X was, I think, an
O, but might have been a T. So at one point, he did assert that he was
no longer CEO. It seems like, from the website, this has changed.

Gerv

Gervase Markham

Nov 22, 2017, 10:42:02 AM
to Hanno Böck, Tom
On 22/11/17 11:39, Hanno Böck wrote:
> In any case: I agree these are legitimate questions, if past CA
> incidents happen the documents describing them should be properly
> archived. I think having a rule that one copy of them has to be stored
> on mozilla infrastructure is wise.

Having been burned before by disappearing CA documents, I do tend to
keep local copies of all docs (and I do of this one, although the URL
now seems to be working for me). But I don't necessarily stick them in
public places on Mozilla infra. However, ask me if you need one.

Gerv

Jakob Bohm

Nov 22, 2017, 11:17:19 AM
to mozilla-dev-s...@lists.mozilla.org
On 22/11/2017 16:38, Gervase Markham wrote:
> On 22/11/17 10:54, Jakob Bohm wrote:
>> Some notes about previously discussed items:
>
> Mozilla is not suggesting that WoSign has completed all of the steps.
> The entire point is that we want to have this pre-discussion before they
> make the effort to do so.
>

This was mostly meant as a reminder of what had been discussed over the
past 13 months, but also as a question if I had somehow missed those
things being completed.

>> Although not listed in the Action plan in #1311824, it is noteworthy
>> that Richard Wang has apparently not been relieved of his other
>> responsibilities, only the CEO title.  Was this part of the old plan
>> officially dropped?
>
> Mozilla did not formally require this, but it is true that as far as we
> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>

I think assessing and discussing the viability of a return of WoSign
would be a lot easier if we had at least a proposed draft master plan
from WoSign, so we could discuss if that plan (if correctly and honestly
implemented) would be sufficient.

Ryan Sleevi

Nov 22, 2017, 11:53:36 AM
to Jakob Bohm, mozilla-dev-security-policy
On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
>
>> Mozilla did not formally require this, but it is true that as far as we
>> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>>
>>
> I think assessing and discussing the viability of a return of WoSign
> would be a lot easier if we had at least a proposed draft master plan
> from WoSign, so we could discuss if that plan (if correctly and honestly
> implemented) would be sufficient.


Alternatively, and I think this is what Gerv was requesting, the question
is what concerns people would raise with respect to a reapplication, such
that WoSign/WoTrus could ensure sufficient consideration went into such plans.

Obviously, there will be concerns with implementation details, and finding
those out before WoTrus implements is a useful and viable task. But
similarly, by outlining the broader concerns, it might help inform.

For example, one theme that can be picked up on this thread is a concern
around the potential inconsistencies with respect to Richard Wang's role at
WoTrus. Given his direct and personal involvement in the misissuance
practices, one view might be that he's a fundamentally untrustworthy actor
who has repeatedly displayed behaviours that undermine community trust in
the organizations he is affiliated with. The statements about his
transition out of CEO, and his apparent resumption of those duties, might
underscore concerns about the management structure. It may be that a
solution is for a response similar to what Mozilla recently shared with
respect to DigiCert and Symantec, and a concern that any organization in
which Richard Wang has a decision making capacity may not be a trustworthy
organization.

Or it might be that some feel that is too strong, and look for technical
measures - such as no inclusion of WoTrus logs until Mozilla has the
technical capability to enforce Certificate Transparency on such
certificates, such that any risks can be expediently detected and trust
removed.

These are all concerns that would arise during a discussion phase - after
the stated requirements of Mozilla have been met, but due to potential
overwhelming community concern about any trust in a Richard Wang-affiliated
CA or an organization with a history as sordid as WoTrus/WoSign/WoTrust.

If we assume good faith of WoTrus, which may be overly generous given past
behaviour, then the goal of this discussion would be addressing the
concerns that would exist with _future_ trust, now that the past/present
trust has been addressed, such that systems can be designed and evaluated
to appropriately consider such feedback.

Matthew Hardeman

Nov 22, 2017, 12:04:07 PM
to Gervase Markham, mozilla-dev-s...@lists.mozilla.org
Hi,

I touched on my thoughts on this matter a bit before.

This is really about trust.

I think several factors must be weighed here:

1. Is "trust" really required of a CA in a soon-to-be
post-mandatory-CT-log world?

If some level of trust is required, then:

2. Can we say that the QiHoo 360 / WoSign / WoTrus / WoTrust / StartCom
family of corporate entities has any left? And furthermore is trust in the
corporate entity chain even necessary if...

3. Are individuals filling executive and executive operations positions
taking personal responsibility for key generation and management, stand up
of the infrastructure, day to day operation of the infrastructure? And if
so, can those individuals represent that they're staking their personal
reputations on personally managing this infrastructure or in the
alternative guaranteeing to affirmatively notify the community that they
are stepping down and can no longer be responsible?

My take: Businesses are assets. Assets can be closely held or not. In
many cases, the not closely held assets are traded around quite often,
often with little oversight. I don't think we can make any assertions on
trust as to the ownership. I do, however, believe that a company can be
operated in such a manner that key executives can be identified and
personal representations of those parties can be relied upon, insofar as
consequences can be visited upon those individuals by the root
programs.

I do firmly support the spirit of this thread. I think it would be
unethical of the community and of the Mozilla Root Program to dangle the
theoretical possibility of inclusion / reinclusion -- encouraging the
endeavor such that many external costs are taxed upon the prospect -- if
they have knowledge that there are likely to be problems in the final
approval in terms of community buy-in. The downside, of course, is that
while this alternative pre-discussion allows for discussion of the nebulous
concept of "trust" and integrity, it actually denies the community those
matters which can be most objectively evaluated -- the CPS, the subscriber
agreements, certificate policy, auditor's opinions, etc. (which makes
sense -- the development of these is pricey).

I suppose, in summation, I believe this conversation only matters if we're
really trying to have a discussion about trust and defining trust and
importance of trust and whether there is a way that this CA can be trusted.

Just my thoughts...

Matt Hardeman

Matthew Hardeman

Nov 22, 2017, 12:14:27 PM
to ry...@sleevi.com, mozilla-dev-security-policy, Jakob Bohm
I think Ryan's commentary reflects, again, that the discussion here seems
to be about trust.

In that spirit, I put forth some questions of hypotheticals to provoke
further contemplation and discussion:

1. Presume that QiHoo 360 / WoTrus / WoTrust / StartCom actually purchased
one of the small but still active, currently included CA players -- perhaps
from a business that is not primarily a CA. Maybe a bank that's a root program
member. Let's assume that the acquired entity's management reached out
properly during the negotiations and post-closing and persuaded Mozilla
that the same management team is still in place and will continue to have
custody of the infrastructure (including keys, etc) and day to day control
of the operations. Additionally, said team commits to notify the root
programs immediately if that should change.

1a. Would Mozilla / the community grant this change of ownership?
1b. If so, on what basis?
1c. If not, on what basis?

2. Presume that the same hypothetical acquiree is acquired by QiHoo 360 /
WoTrus / WoTrust / StartCom. Presume that this is announced during or
after the closing with Mozilla. Presume that post-closing, the executive
management and operations staff reach out to the root program to notify
Mozilla that they are stepping down from their roles -- or sharing their
roles -- with Richard Wang (hypothetically).

2a. Would Mozilla / the community grant this change of CONTROL?
2b. If so, on what basis?
2c. If not, why not?

I reiterate that I think this is about the finite (and generally pretty
small) set of people with privileged access and responsibility, and it is
about trust in those people to abide the rules or in the alternative notify
immediately if they are no longer able to abide. I think a CA manager who
makes such commitments formally or informally can be individually held to
account. A severe enough issue, such as intentional deception, could be
visited with a presumption of a lifetime ban on working for any included
CA, with exceptions and reversals rare and hard earned.

Like in so many other areas of life, people running CAs must be personally
accountable and must enjoy the privileges which accompany the good
reputation of a long and reliable and storied career while on the other
hand being able to enjoy the punishment attendant in ruining one's name (within a
given scope, at least).

Matt Hardeman


Gervase Markham

Nov 22, 2017, 12:25:08 PM
to Matthew Hardeman
On 22/11/17 17:03, Matthew Hardeman wrote:
> approval in terms of community buy-in. The downside, of course, is that
> while this alternative pre-discussion allows for discussion of the nebulous
> concept of "trust" and integrity, it actually denies the community those
> matters which can be most objectively evaluated -- the CPS, the subscriber
> agreements, certificate policy, auditor's opinions, etc. (which makes
> sense -- the development of these is pricey).

That's a fair point. Let us assume for the sake of discussion that all
of those things are standard and unobjectionable in themselves.

> I suppose, in summation, I believe this conversation only matters if we're
> really trying to have a discussion about trust and defining trust and
> importance of trust and whether there is a way that this CA can be trusted.

Yes. I think that's a fair summary.

Gerv

Ryan Sleevi

Nov 22, 2017, 1:01:20 PM
to Gervase Markham, mozilla-dev-security-policy, Matthew Hardeman
On Wed, Nov 22, 2017 at 12:24 PM, Gervase Markham via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

> On 22/11/17 17:03, Matthew Hardeman wrote:
> > approval in terms of community buy-in. The downside, of course, is that
> > while this alternative pre-discussion allows for discussion of the nebulous
> > concept of "trust" and integrity, it actually denies the community those
> > matters which can be most objectively evaluated -- the CPS, the subscriber
> > agreements, certificate policy, auditor's opinions, etc. (which makes
> > sense -- the development of these is pricey).
>
> That's a fair point. Let us assume for the sake of discussion that all
> of those things are standard and unobjectionable in themselves.
>

Let's assume it meets the standard boilerplate. Would it meet community
expectations, based on past behaviour?

Given that WoSign's CP/CPS itself was met by standard boilerplate, I would
pose that it is insufficient - the past behaviour as a predictor of future
behaviour means that the existing documentation approaches are insufficient
to make an evaluation about the trustworthiness going forward.

How would this be remedied? It seems at a minimum, there'd need to be
safeguards within the new documents that sufficiently describe and mitigate
the past failures of safeguards.

But would such statements, such as "I promise I won't do X again, and look,
here's a document that now says explicitly 'We have trained sharks and
equipped them with lasers to ensure we do not do X again'" be seen as a
sufficient mitigation?

I think an important part of this discussion is trying to understand on
which side of Hanlon's razor WoSign's actions fell (or, for that matter,
those of any CA). If it was incompetence, is there sufficient explanation
for how such incompetence happened? Is there sufficient evidence that both
the specific incident and any underlying causes have been remediated?
Alternatively, if we allow it to be attributed to malice (or, for that
matter, greed), is it possible to design a system of trust that is robust
against such considerations? If not, is it an acceptable risk to take going
forward? If we can, what are those controls and expectations?

Matthew Hardeman

Nov 22, 2017, 2:10:20 PM
to Ryan Sleevi, mozilla-dev-security-policy, Gervase Markham
On Wed, Nov 22, 2017 at 12:00 PM, Ryan Sleevi <ry...@sleevi.com> wrote:

>
> Given that WoSign's CP/CPS itself was met by standard boilerplate, I would
> pose that it is insufficient - the past behaviour as a predictor of future
> behaviour means that the existing documentation approaches are insufficient
> to make an evaluation about the trustworthiness going forward.
>
> How would this be remedied? It seems at a minimum, there'd need to be
> safeguards within the new documents that sufficiently describe and mitigate
> the past failures of safeguards.
>
>
Presuming that the to-be-offered-up CP/CPS/infrastructure
architecture/key+cert chains proposed/self-assessment questionnaire, etc,
met the current definition of bog standard acceptable -- specifically,
those same documents with the name of a new entrant entity would be
accepted, it would seem that, in your position, we're back to applying a
different standard for this proposed inclusion?

Therefore, I think we must define what aspect of the same material
application with the same documents, save for entity name, makes it
acceptable in some cases and not acceptable in others.

Is it the fact that it is the same legal entity applying which causes this
proposed different standard to attach? I'll expound on why I believe that
would not be an appropriate marker.

Is it the fact that it is the same management team applying which causes
this proposed different standard to attach? Similarly, I'll explain why I
believe this IS a concern for which different standards can be applied.

It's really hard to look to a legal entity as a strict boundary for
behavior. The legally crafty entity can always spin up a sibling or child
entity to overcome that hurdle. We can then talk about beneficial
ownership as a factor, but as an entity scales larger, so too the
probability that the true beneficial ownership is merely an equity
investment player, broadly unconcerned with the day to day management. I
don't know a decent way to define the boundary of a CA as aligning to a
corporation or corporate family and then holding that legal entity
accountable for an indefinite period of time. There are just too many ways
around it. I think standards drawn this way are likely to have perverse
consequences both as to inclusion and exclusion.

If the particular investor/lender who presently holds title to the proposed
CA is of little to no interest then, what can we rely on in those matters
which require us to extend this nebulous concept of trust and good faith?
I believe the key lies in those members of the management team and
operations team who have access and authority to impact the behavior of the
CA. I think those people are knowable and that reward and consequence can
be taxed upon those individuals as appropriate. I submit that the root
programs have both the carrot and stick with which to convey those same
said rewards and consequences.

If instead what Ryan proposes is that the now current definition of
"standard" for CP/CPS/other docs/etc should be modified to include specific
gotchas and mitigations for the history as learned from
WoSign/WoTrus/WoTrust/StartCom then I think there is a case to be made
there. Having said that, the things we're trying to codify from the
mentioned prior behavior will be really hard to codify. There's not an
easily written mitigation for "We're run by someone who'll sell anything,
including that which industry consensus says must not be sold."

> I think an important part of this discussion is trying to understand on
> which side of Hanlon's razor WoSign's actions fell (or, for that matter,
> those of any CA). If it was incompetence, is there sufficient explanation
> for how such incompetence happened? Is there sufficient evidence that both
> the specific incident and any underlying causes have been remediated?
> Alternatively, if we allow it to be attributed to malice (or, for that
> matter, greed), is it possible to design a system of trust that is robust
> against such considerations? If not, is it an acceptable risk to take
> going forward? If we can, what are those controls and expectations?

As to this question, I put forth that the discussion should proceed as to
the hypothetical scenario in which greed, intentional non-compliance, and
intentional deception as an attempt to cover for said greed and
non-compliance were all the reality. The backdated issuance of an SHA1
server certificate for Australian payments processor Tyro, for example, is
hard to imagine in another light. I suspect Tyro realized they suddenly
needed something that couldn't legitimately be ordered and started reaching
out to CAs that they thought might sell them something special for a
premium. I think someone (presumably the operations leadership) at
StartCom at that point saw a revenue opportunity with which he might
impress the ownership.

If all of that is how that played out, I reiterate my question: Is that
about the CA / proposed CA or is that about the individual management who
caused these matters to arise? I submit that it is properly taxed upon the
individual.

Matthew Hardeman

Nov 22, 2017, 3:28:49 PM
to mozilla-dev-security-policy
In defense of WoSign/WoTrus/StartCom's parent company, QiHoo 360...

While I don't personally attach a great value to the ethics of the owning
entity of the CA/proposed CA, for those who do or would attach such
importance, I would like to point out that the various vulnerabilities and
security research teams at QiHoo do a lot of good work and indeed are quite
often credited for discovery of vulnerabilities in a plurality of
complicated systems and products:

For example, QiHoo 360's researchers are among the largest contributors by
unique vulnerabilities discovered and documented in Google's Android OS.
Similarly, quite a lot of firmware and OS in Apple products have
vulnerability reports crediting QiHoo 360 for discovery of vulnerabilities.

These include such "big-ticket" banner issues as the Broadcom wi-fi driver
bug which allowed for arbitrary code execution.

It's clear that the parent organization employs a great many talented
security and vulnerability researchers who are materially contributing to
the overall security and integrity of computing, mobile, network, and
software technologies.

I'm sure there's plenty to criticize about them as well, but the fact
remains... They are securing a lot of undisputed credit for novel
discovery of significant security issues in products millions are using
daily -- and they're disclosing these to the vendors and fixes are
happening.

If it is decided that we want to attach "corporate level" responsibility to
current and prospective CAs, I submit that this is a data point for
consideration.

As to my own opinion, I do not think the behavior of the ownership
hierarchy or corporate entity is of direct concern. Rather, I think the
behavior of the people involved is where the ultimate story starts and
stops.


uri...@gmail.com

Nov 22, 2017, 4:16:05 PM
to mozilla-dev-s...@lists.mozilla.org
I think QiHoo 360's role does open some questions.

In particular, why would QiHoo 360 shut down efforts by Startcom, run by a relatively trusted member of the community, Inigo Barreira, to be accepted as a CA; and instead favor WoTrus, run by Richard Wang, an explicitly UN-trusted member of the community, to be accepted as a CA.

That's a fairly remarkable choice for them to make, considering the circumstances, and I think fairly clearly a choice *not* primarily based on trust considerations.

Nick Lamb

Nov 22, 2017, 4:35:23 PM
to dev-secur...@lists.mozilla.org
On Wed, 22 Nov 2017 13:00:40 -0500
Ryan Sleevi via dev-security-policy
<dev-secur...@lists.mozilla.org> wrote:

> But would such statements, such as "I promise I won't do X again, and
> look, here's a document that now says explicitly 'We have trained
> sharks and equipped them with lasers to ensure we do not do X again'"
> be seen as a sufficient mitigation?

I don't see any reason why we would want to take that risk.

It's not easy to spin up a new CA, but it's also not rocket surgery.
Why should we prefer to re-admit a previously distrusted organisation
over taking a chance with someone new and untried ? Is there a shortage
of organisations interested in this role ? I don't think so.

Running a publicly trusted CA is not a right which was temporarily
suspended; it's a privilege you might earn. Mozilla should operate with
a default assumption that losing this privilege is permanent.

Nick.

Matthew Hardeman

unread,
Nov 22, 2017, 5:01:17 PM11/22/17
to Nick Lamb, dev-secur...@lists.mozilla.org
On Wed, Nov 22, 2017 at 3:34 PM, Nick Lamb via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> I don't see any reason why we would want to take that risk.
>
> It's not easy to spin up a new CA, but it's also not rocket surgery.
> Why should we prefer to re-admit a previously distrusted organisation
> over taking a chance with someone new and untried ? Is there a shortage
> of organisations interested in this role ? I don't think so.
>
> Running a publicly trusted CA is not a right which was temporarily
> suspended, it's a privilege you might earn, Mozilla should operate with
> a default assumption that losing this privilege is permanent.
>
>
I would entirely concur with Mr. Lamb's position on the key issue of
trust/distrust versus any policy mitigations in CP/CPS/etc.

The long and storied history of the CA ecosystem certainly suggests that
key issues of trust and integrity of the operator are not able to be
effectively controlled for by policy mitigations.

I essentially agree on the "prefer" matter. I would put
forth that a CA being reborn out of the StartCom/WoSign/WoTrus debacle
should effectively be considered a new CA and given no free passes for
anything prior.

Again it's back to this "What _is_ the CA?" Is it the brand name? Is it
the legal entity? Is it the ownership, to such extent as we can determine
it? Or is it the least common denominator (trust and integrity wise) of
the set of privileged operations staff and executives at any given moment?

Certainly brand names can be tarnished: StartCom and WoSign, for example.
If I were them I'd never reapply in those names, but whatever... A brand
name is just that. It doesn't signify a scope upon which to place trust.

The legal entity? In most jurisdictions you don't even need an attorney to
quickly fashion a subsidiary and sibling entity with ownership in common.
If the same management team came forth with a whole new Delaware based (on
paper) corporation, would we actually give a free pass -- meaning no prior
actions by the management causing us to disadvantage the new CA -- to
"Phoenix Rising CA of Delaware totally not Chinese, Inc."? If we would....
forgive my bluntness... that's stupid. If we would not.... Why not? It's
a new company with a whole new (empty) history? How do you objectively
define that it's not really new?

We could say the ownership? Possible. QiHoo 360 owned StartCom, owned and
continues to own WoTrus. Maybe since the beneficial ownership is the same,
we consider them the same. This does not follow logically, however.
DigiCert is a great CA. However, they're owned by a private equity concern:
Thoma Bravo. While their name has come up -- most recently due to the
Symantec certificate business acquisition -- I don't recall anyone here
ever having a serious discussion as to whether Thoma Bravo is fit to own
some of the most compatible and widespread root certs / keys. If DigiCert
is just another property Thoma Bravo owns, why should we be concerned? I
think, instinctively, we know that we'll judge DigiCert on the DigiCert
management's actions.

Leading me back to...

The people. It's not new if it's the same people in positions of
privileged access and decision authority. It is new if a competent
executive and operations team who haven't burned the community's good will
and trust step forward and indicate that they will be taking custody and
control of the assets and operations of the CA / prospective CA.

Speaking only with respect to my personal opinion, whether or not there's a
certificate authority called WoTrust / WoTrus in the root store doesn't
concern me. I am terribly concerned with whether or not Richard Wang has
authority and access at ANY trusted CA.

Han Yuwei

unread,
Nov 23, 2017, 1:37:24 AM11/23/17
to mozilla-dev-s...@lists.mozilla.org
On Wednesday, 22 November 2017 at 5:06:26 PM UTC+8, Gervase Markham wrote:
To be short, I will object to the application for these reasons if no more evidence is presented:

1. Richard should leave the management of WoTrus.

2. WoTrus can't provide the community any new service. So why should we take risks to accept their application?

3. The Chinese Internet community doesn't trust Qihoo 360, even though what Qihoo 360 did has nothing to do with CAs. But this is about trust.

Hubert Kario

unread,
Nov 23, 2017, 7:16:23 AM11/23/17
to dev-secur...@lists.mozilla.org, Matthew Hardeman, mozilla-dev-s...@lists.mozilla.org, Gervase Markham
On Wednesday, 22 November 2017 18:03:53 CET Matthew Hardeman via dev-security-policy wrote:
> Hi,
>
> I touched on my thoughts on this matter a bit before.
>
> This is really about trust.
>
> I think several factors must be weighed here:
>
> 1. Is "trust" really required of a CA in a soon-to-be
> post-mandatory-CT-log world?

Dealing with incidents burns people's time; making sure that this is minimised
is at the very least a common courtesy.

--
Regards,
Hubert Kario
Senior Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 115, 612 00 Brno, Czech Republic

Jakob Bohm

unread,
Nov 23, 2017, 2:57:21 PM11/23/17
to mozilla-dev-s...@lists.mozilla.org
On 22/11/2017 18:03, Matthew Hardeman wrote:
> Hi,

(Please don't CC me on replies, I am subscribed to the newsgroup).

>
> I touched on my thoughts on this matter a bit before.
>
> This is really about trust.
>
> I think several factors must be weighed here:
>
> 1. Is "trust" really required of a CA in a soon-to-be
> post-mandatory-CT-log world?
>

Yes, because CT log checking cannot possibly cover the identity checking
of most certificate holders (very few legitimate certificate holders run
software to check the CT-logs daily for issuing of false certificates in
their names, even fewer non-certificate holders do so).

Also CT logs are limited to WebPKI certificates due to their total lack
of privacy. They are thus not applicable to e-mail, client or any other
kinds of non-web certificates.

> If some level of trust is required, then:
>
> 2. Can we say that the QiHoo 360 / WoSign / WoTrus / WoTrust / StartCom
> family of corporate entities has any left?

That is indeed a big question, especially given the failures during the
past year, notably:

1. StartCom using their current/future "live" root keys for testing

2. StartCom trying to get cross signed before applying for proper
vetting and inclusion.

(I do not blame StartCom for the specific way in which the cross-signing
CA handled their end of procedures).

3. WoTrust trying to submit code audits before submitting the simpler
paperwork items, and Richard Wang seemingly responding that only step
5 of a multi-step requirements list is relevant.

4. QiHoo seemingly promising to oust Richard Wang, then not doing so.
(Assuming that promise was not a misunderstanding on the Mozilla side
of things).

> And furthermore is trust in the
> corporate entity chain even necessary if...

Corporate owners can be good, neutral or bad for trust in a CA
subsidiary.

At one end of the spectrum, being owned by a highly trusted entity could
increase trust in a CA operation.

At the other end of the spectrum, being owned by a known hostile entity
such as the Sicilian Mafia would ruin trust regardless who is fronting
the operation, because that particular owner is notorious for forcing
people to act against their better judgement to the detriment of the
public at large.

>
> 3. Are individuals filling executive and executive operations positions
> taking personal responsibility for key generation and management, stand up
> of the infrastructure, day to day operation of the infrastructure? And if
> so, can those individuals represent that they're staking their personal
> reputations on personally managing this infrastructure or in the
> alternative guaranteeing to affirmatively notify the community that they
> are stepping down and can no longer be responsible?

That would certainly have been relevant for StartCom. In general this
would require the absence of any contract terms or other provisions that
could gag them against publicly disclosing such a step down.

>
> My take: Businesses are assets. Assets can be closely held or not. In
> many cases, the not closely held assets are traded around quite often,
> often with little oversight. I don't think we can make any assertions on
> trust as to the ownership. I do, however, believe that a company can be
> operated in such a manner that key executives can be identified and
> personal representations of those parties can be relied upon in as far as
> that consequences can be visited upon those individuals by the root
> programs.

See my comments above

>
> I do firmly support the spirit of this thread. I think it would be
> unethical of the community and of the Mozilla Root Program to dangle the
> theoretical possibility of inclusion / reinclusion -- encouraging the
> endeavor such that many external costs are taxed upon the prospect -- if
> they have knowledge that there are likely to be problems in the final
> approval in terms of community buy-in. The downside, of course, is that
> while this alternative pre-discussion allows for discussion of the nebulous
> concept of "trust" and integrity, it actually denies the community those
> matters which can be most objectively evaluated -- the CPS, the subscriber
> agreements, certificate policy, auditor's opinions, etc. (which makes
> sense -- the development of these is pricey).
>

Agree.

> I suppose, in summation, I believe this conversation only matters if we're
> really trying to have a discussion about trust and defining trust and
> importance of trust and whether there is a way that this CA can be trusted.
>
> Just my thoughts...
>
> Matt Hardeman
>


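The monitoring Jakob says almost nobody runs, as an added example that is not part of this thread and not any CA's or browser's tooling: a small offline check over certificate-transparency entries that flags certificates covering a domain you control but issued by a CA you never authorised. The entries are constructed sample data in the shape of crt.sh's JSON output; the monitored domain list and the issuer allowlist are assumptions.

```python
"""Added example, not from the thread: a minimal CT-log monitor.

Given log entries in the shape that crt.sh returns for
https://crt.sh/?q=%25.example.org&output=json (a constructed sample is
embedded below, so nothing is fetched), it flags every certificate that
covers a name under a domain you control but was issued by a CA you did
not authorise. The monitored domains and allowed issuers are assumptions.
"""

# Constructed sample entries (field names follow crt.sh's JSON output).
# Entry 2 is the case a monitor exists to catch: an issuer outside the
# allowlist covering the whole zone with a wildcard.
SAMPLE_ENTRIES = [
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "example.org\nwww.example.org",
     "not_before": "2017-11-20T00:00:00"},
    {"id": 2, "issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected Issuing CA 1",
     "name_value": "*.example.org",
     "not_before": "2017-11-21T00:00:00"},
    {"id": 3, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA",
     "name_value": "shop.example.org\napi.example.org",
     "not_before": "2017-11-22T00:00:00"},
    # A look-alike name that merely contains our domain must not match.
    {"id": 4, "issuer_name": "C=XX, O=Unexpected CA Ltd, CN=Unexpected Issuing CA 1",
     "name_value": "example.org.attacker.test",
     "not_before": "2017-11-22T00:00:00"},
]

MONITORED_DOMAINS = ["example.org"]                      # assumption
ALLOWED_ISSUER_ORGS = {"Let's Encrypt", "DigiCert Inc"}  # assumption


def parse_issuer_org(issuer_name):
    """Return the O= value of a DN string such as "C=US, O=Foo, CN=Bar".

    crt.sh prints issuers as comma-separated RDNs, so a plain split covers
    the common case; an O containing an escaped comma would need a real
    DN parser. Returns None when the issuer carries no O attribute.
    """
    for rdn in issuer_name.split(","):
        rdn = rdn.strip()
        if rdn.startswith("O="):
            return rdn[2:]
    return None


def name_matches(name, domain):
    """True if a certificate name is the monitored domain, a name beneath
    it, or a wildcard whose base is at or beneath it.

    Suffix matching is done on a label boundary ("." + domain), so
    example.org.attacker.test and notexample.org are both rejected.
    """
    name = name.lower().rstrip(".")
    domain = domain.lower().rstrip(".")
    if name.startswith("*."):
        name = name[2:]   # *.example.org and *.sub.example.org both cover our zone
    return name == domain or name.endswith("." + domain)


def find_unexpected(entries, monitored_domains, allowed_issuer_orgs):
    """Return the entries that cover a monitored domain but come from an
    issuer organisation outside the allowlist."""
    flagged = []
    for entry in entries:
        names = [n for n in entry["name_value"].splitlines() if n.strip()]
        ours = [n for n in names
                if any(name_matches(n, d) for d in monitored_domains)]
        if not ours:
            continue
        org = parse_issuer_org(entry["issuer_name"])
        if org not in allowed_issuer_orgs:
            flagged.append({"id": entry["id"], "issuer_org": org,
                            "names": ours, "not_before": entry["not_before"]})
    return flagged


if __name__ == "__main__":
    for hit in find_unexpected(SAMPLE_ENTRIES, MONITORED_DOMAINS, ALLOWED_ISSUER_ORGS):
        print(f"crt.sh id {hit['id']}: {hit['issuer_org']} issued for "
              f"{', '.join(hit['names'])} on {hit['not_before']}")
```

To run this against live data, fetch the crt.sh JSON endpoint named in the docstring for each monitored domain and pass the parsed list to `find_unexpected`; crt.sh lists both the precertificate and the final certificate, so expect each issuance to appear twice unless you deduplicate on serial number. An allowlist keyed on the issuer's O attribute is deliberately coarse: as the thread notes further down, the organisation name in a certificate's issuer field does not tell you who actually holds the signing key.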
Gervase Markham

unread,
Nov 24, 2017, 7:07:44 AM11/24/17
to mozilla-dev-s...@lists.mozilla.org
On 22/11/17 18:00, Ryan Sleevi wrote:
> I think an important part of this discussion is trying to understand to
> what side of Hanlon's razor did WoSign's actions fall (or, to that matter,
> of any CA). If it was incompetence, is there sufficient explanation for how
> such incompetence happened? Is there sufficient evidence that both the
> specific incident and any underlying causes have been remediated?
> Alternatively, if we allow it to be attributed to malice (or, for that
> matter, greed), is it possible to design a system of trust that is robust
> against such considerations? If not, is it an acceptable risk to take going
> forward. If we can, what are those controls and expectations?

While I do not want to make this discussion entirely about specific
people, as Mozilla's investigator of the issues at the time I am
satisfied that WoSign's actions at the time were taken with full
knowledge - that is, they were not due to incompetence. And those
decisions were overseen and approved by individual(s) who still control
WoSign/WoTrus.

Gerv

Gervase Markham

unread,
Nov 24, 2017, 7:14:03 AM11/24/17
to uri...@gmail.com
On 22/11/17 21:15, uri...@gmail.com wrote:
> In particular, why would QiHoo 360 shut down efforts by Startcom, run
> by a relatively trusted member of the community, Inigo Barreira, to
> be accepted as a CA; and instead favor WoTrus, run by Richard Wang,
> an explicitly UN-trusted member of the community, to be accepted as a
> CA.

Well, I don't think I'm saying anything controversial if I point out
they shut down StartCom because (by demonstration) they have the ability
to do so, and they saw (according to their statement) that the road to
acceptance was too long, rocky and uncertain for them. It was, it seems
to me, a business decision. Keeping it going costs money. They went out
of their way to state they are not unhappy with Inigo.

Why do they allow WoTrus to continue to operate? That question presumes
that they have the power to stop it operating. Whether they have that
power or not can probably only be determined by looking very carefully
at the ownership structure, and may involve needing to see documents
which are not public.

So I don't think you can assume it's as simple as "they like WoTrus and
they don't like StartCom".

Gerv

Hector Martin 'marcan'

unread,
Nov 24, 2017, 12:01:23 PM11/24/17
to Rob Stradling, Tom, mozilla-dev-s...@lists.mozilla.org
On 2017-11-22 21:10, Rob Stradling via dev-security-policy wrote:
> On 22/11/17 11:45, marcan via dev-security-policy wrote:
>> On 22/11/17 20:41, Tom via dev-security-policy wrote:
>>>> Although not listed in the Action plan in #1311824, it is noteworthy
>>>> that Richard Wang has apparently not been relieved of his other
>>>> responsibilities, only the CEO title
>>>
>>> Do you have a link about the relieved of the CEO title?
>>>
>>> https://www.wosign.com/english/about.htm has been updated with the new
>>> name, WoTrus, and currently says "Richard Wang, CEO&CTO"
>>>
>>
>> It was discussed here in the past (and IIRC was part of the requirements
>> for re-inclusion, since he was a large part of the problem), but the
>> fact that so far it seems Richard Wang has been the main person to
>> interact on this mailing list from the WoSign (now WoTrus) side makes me
>> wonder if that wasn't all a ruse. He certainly seems to still be very
>> much in charge.
>
> "Richard Wang will be relieved of his duties as CEO of WoSign and other
> responsibilities" seems to be a forward-looking statement with no firm
> implementation date. I think we should at least give WoTrus an
> opportunity to clarify Richard's position before we pass judgment on
> whether or not this was "all a ruse".

It's worth considering the implications of him remaining on board for an
extended period of time. Presumably the reason why him leaving was made
a requirement was because he has lost trust with the community and it
was deemed that he was directly responsible for a lot of WoSign's woes.
If that is the case, then it stands to reason that removing him as soon
as possible would be the best course of action for WoSign in order to
improve their security and recover community trust.

After all, if Richard Wang has been running the ship all along, then
leaves the day before a re-inclusion request is filed, should the
community trust the system and company which were built under his watch?
Sure, this meets the letter of the requirements, but I think it's fair
to say it wouldn't meet the spirit, or at least reduce confidence and
WoSign's chances for re-inclusion.

--
Hector Martin "marcan" (mar...@marcan.st)
Public Key: https://mrcn.st/pub

Matthew Hardeman

unread,
Nov 24, 2017, 5:27:21 PM11/24/17
to mozilla-dev-s...@lists.mozilla.org
On Friday, November 24, 2017 at 6:07:44 AM UTC-6, Gervase Markham wrote:

> While I do not want to make this discussion entirely about specific
> people, as Mozilla's investigator of the issues at the time I am
> satisfied that WoSign's actions at the time were taken with full
> knowledge - that is, they were not due to incompetence. And those
> decisions were overseen and approved by individual(s) who still control
> WoSign/WoTrus.
>
> Gerv

This is the core issue that I believe makes any proposed inclusion or re-inclusion of WoTrus/WoSign/et al. _as it presently exists_ a non-starter.

I cannot fathom that the community would or should tolerate the extension of trust to an organization being managed by an individual who has knowingly violated the requirements, conventions, and standards demanded by the community.

The rare exception set aside, an individual does not generally experience an overnight turn-around and incorporate a strict adherence to ethics and rules.

Mozilla has previously allowed as much as to say that WoSign/StartCom engaged in intentional deception during the course of the investigation. You've now expressed confidence that the underlying actions in at least some of the violations were purposeful and performed while knowing that such actions were not in compliance.

All persons involved who had advance knowledge of the actions to be taken -- and of the impropriety of such actions -- in addition to the ability to stop those actions or ability to forewarn the community of those actions should be blacklisted as unfit for employment by any trusted CA.

I believe that with the current management and executive team in place, WoTrus is unfit for inclusion.

Modern society gives us plenty of other-than-CA examples of industries and functional roles within those industries in which the individuals are held to standards and the violation of those standards removes that individual's ability to continue within that function. This is seen in both fully formalized rule making as well as in more informal contexts.

I offer up just two examples among many possible ones:

The various SEC rules disqualifying various "bad actors", convicted felons, etc. from certain types of service in publicly traded corporations. They similarly have rules barring those individuals from new securities offerings.

Less formally, look to cases such as the Wells Fargo fraudulent account opening debacle. It is unlikely that Wells' CEO and upper management committed a crime in building an incentive structure which caused literally thousands of employees to engage in actual criminal frauds. However, it was clear that the people of the US, the Congress, and the various regulatory agencies were not content to leave in place the CEO and upper management which caused those actions to come about. At no point was there a discussion of whether or not the Wells Fargo bank would continue. There was always a question of whether the leadership could continue. Ultimately, their own board resolved the matter by ousting those who had to go. It immediately reduced external animus toward the bank.

However uncomfortable the situation may be, I believe that the community and the root program must find a way to adopt a position that vests trust with the executive and management team -- and pulls that trust appropriately.

I think it is not an uncontroversial position to suggest that Richard Wang should not have privileged access at any publicly trusted CA.

If that is truly uncontroversial, the rest of the decisions are just details to hammer out.

I can well imagine that the tough one is how to break that to the CA / proposed CA. I can also imagine that the precedent set in doing so will have broader ramifications for the root program.

Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit). The organization's long term success requires inclusion in major root programs.

If that organization will never get such trust and inclusion regardless of technical prowess or audits -- while person X is in place -- the community and program owe it to the ownership to make that crystal clear.

Matt Hardeman

Tom

unread,
Nov 24, 2017, 6:36:20 PM11/24/17
to mozilla-dev-s...@lists.mozilla.org

> Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit). The organization's long term success requires inclusion in major root programs.

For information, WoSign/WoTrus can already sell WoSign-branded EV
certificates accepted by major trust stores, Mozilla's included.

The intermediate certificate "WoSign EV SSL Pro CA" (
https://crt.sh/?id=146206939 ) is signed by "DigiCert High Assurance EV
Root CA".

As stated by DigiCert, WoSign/WoTrus doesn't control the private key of
"WoSign EV SSL Pro CA"; DigiCert does
(https://bugzilla.mozilla.org/show_bug.cgi?id=1418451#c4).

And the fact that they are simply a reseller (as they don't control
the private key nor do the validation themselves) is even well hidden by
the Firefox UI, which states "Certified by: WoSign CA limited".

Matthew Hardeman

unread,
Nov 24, 2017, 11:42:18 PM11/24/17
to mozilla-dev-s...@lists.mozilla.org
On Friday, November 24, 2017 at 5:36:20 PM UTC-6, Tom wrote:

> For information, WoSign/WoTrus can already sells WoSign-branded EV
> certificates accepted by major trusts stores, Mozilla's included.
>
> The intermediate certificate "WoSign EV SSL Pro CA" (
> https://crt.sh/?id=146206939 ) is signed by "DigiCert High Assurance EV
> Root CA".

I'm completely fine with them being a tightly controlled SubCA of someone else who has come up with contractual and technical controls sufficient for which that sponsoring CA is willing to take any risks of the activity.

In this case, I imagine DigiCert is doing all the work and essentially just letting WoTrus sell their services.

This is fine, as it doesn't place WoTrus or its management in a trusted position.

Clearly, they intend to seek re-inclusion themselves so as to be able to attain all the profit from the sales.

Danny 吴熠

unread,
Nov 27, 2017, 3:10:27 AM11/27/17
to ge...@mozilla.org, dev-secur...@lists.mozilla.org
Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and for arranging this pre-discussion.
Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you can give us a chance to serve Internet security.
Here is our response covering your questions, so we don't reply to the emails one by one.

Part One: What we have done in the past year since the sanction
(1) After we knew the distrust sanction would start from Oct. 20, 2016, we started to talk to some CAs about a Managed Sub CA solution, and we signed an agreement with Certum and started to resell their SSL certificates on Nov. 21, 2016. And we set up a second Managed Sub CA with DigiCert on June 30, 2017.
(2) We sent replacement notices to all paying customers and we have replaced more than 6000 certificates for customers for free.
(3) We realized our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese to let all employees learn the Standard more clearly. One is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever some CA has an incident report, to let us learn how to prevent the same mistakes and how to respond to the Community. The other two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for the system test and security test of the systems developed by the two RD teams. This department has set up many internal management regulations; it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.
(4) We started to develop a new PKI/CA system including a validation system, OCSP system and CT system, and to develop a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test of the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback.
We set up new infrastructure with the new system that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates to make sure every pre-issued certificate complies with the Standard.
(5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the planned new roots. The RCC Department is responsible for the CPS updates and checks that every CA operation complies with the CPS; this department has overriding authority to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.
(6) On Aug 24, 2017, we changed our company's English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear difference for the planned new roots.
(7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to do the certificate replacement work to minimize the sanction's impact.
(8) We didn't fire the 20 RD employees; they are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.

Part Two: About Richard Wang
(1) In the remediation plan, Richard Wang was relieved as CEO and Qihoo 360 started to look for a proper candidate in Nov. 2016, and Mr. Tan Xiaosheng reported at the March CAB Forum meeting that Richard Wang is the COO.
(2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still run by Richard Wang as COO.
(3) On Aug 24, 2017, the company board of directors approved the company name change and restored Richard Wang's CEO position.
(4) Richard Wang is not just the CEO & CTO; he is the company founder and a shareholder. He learned a big lesson from this sanction, and he can't control everything due to the internal audit mechanism described in Part One.

Part Three: Our future plan
(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust audit and to process our new root inclusion application, then we will do it strictly according to the WoSign Action Items bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
(2) If Mozilla decides to reject our new root inclusion at this beginning stage, then we can wait for another year. We will continue being a reseller of Certum and DigiCert. We don't have any plan to close our company.
(3) In the past 13 years, WoSign/WoTrus has done its best to provide the best certificate products and best service to Chinese customers and worldwide customers. We are sure China needs the best local CA to make the Chinese Internet more secure and trusted, and I am sure WoTrus is the one. If the Chinese Internet is secure, then the global Internet is secure.

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security to regain public trust.
We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,

WoTrus CA Limited


westm...@gmail.com

unread,
Nov 27, 2017, 7:39:27 AM11/27/17
to mozilla-dev-s...@lists.mozilla.org
Here it is also a question of a dangerous precedent. Should Mozilla always forgive all bad CAs in the future and take a formal approach to security?

Matthew Hardeman

unread,
Nov 27, 2017, 4:04:58 PM11/27/17
to mozilla-dev-s...@lists.mozilla.org
The position that WoTrus (and apparently QiHoo 360) take(s) here does seem
to clarify a matter involving the reinclusion.

It sounds like they are insisting that Richard Wang would be part of the
plan and would, in fact, retain a position of material control and
responsibility in the post-reinclusion WoTrus.

I believe that opens the door to directly addressing the question as to
whether or not the community would support WoTrus' reinclusion under those
terms.

While it also probably opens that door without having to address the larger
question of individual trust in the abstract, I submit that the missed
opportunity would seem to only kick that can down the road...

Jakob Bohm

unread,
Nov 27, 2017, 7:55:56 PM11/27/17
to mozilla-dev-s...@lists.mozilla.org
On 27/11/2017 09:38, Danny 吴熠 wrote:
> Dear Gerv, Kathleen, other community friends,
>
> First, thanks to Gerv and Kathleen for their very kind consideration and great arrangement of this pre-discussion.
> Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you can give us a chance to serve Internet security.
>
> Here is our response covering your questions, since we do not reply to the emails one by one.
>
> Part One: What we have done in the past year since the sanction
>
> (1) After we learned that the distrust sanction would take effect from Oct. 20, 2016, we started to talk to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and have been reselling their SSL certificates since Nov. 21, 2016, and we have had a second Managed Sub CA from DigiCert since June 30, 2017.
>
> (2) We sent replacement notices to all paying customers, and we have replaced more than 6000 certificates for customers free of charge.
>
> (3) We realized that our big problem was compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 people. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two employees are English majors, responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for following the CAB Forum mailing list and producing a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for following the Mozilla D.S.P. mailing list and producing a weekly brief in Chinese. They also produce a summary report whenever a CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. The other two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.
>
> (4) We started to develop a new PKI/CA system, including a validation system, OCSP system and CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed a white-box source code security test by the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback.
> We set up new infrastructure with the new systems that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates, to make sure every pre-issued certificate complies with the Standard.
>

There were plenty of negative responses to that Cure 53 report on
mozilla.dev.security.policy by the people who actually received the full
audit report. At least one of those people said that from their reading
of the Cure 53 report, WoSign would not be able to regain trusted CA
status without major changes to the audited code.

Richard Wang replied to some of those responses in a manner that didn't
exactly inspire further confidence.

adis...@gmail.com

unread,
Nov 28, 2017, 6:27:06 AM11/28/17
to mozilla-dev-s...@lists.mozilla.org
After seeing the forced shutdown of StartCom, I see no reason to allow them back in. Richard Wang is back in his role as CEO and everything is back to square one except all trust is gone now. They killed a good brand/company (StartCom) and did more harm to the public CA ecosystem than Symantec's shenanigans.

Allowing them back in is insulting IMO.

Matthew Hardeman

unread,
Nov 28, 2017, 9:45:46 AM11/28/17
to mozilla-dev-security-policy
On Mon, Nov 27, 2017 at 3:07 PM, adisor19--- via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:

>
> After seeing the forced shutdown of StartCom, I see no reason to allow
> them back in. Richard Wang is back in his role as CEO and everything is
> back to square one except all trust is gone now. They killed a good
> brand/company (StartCom) and did more harm to the public CA ecosystem than
> Symantec's shenanigans.
>
> Allowing them back in is insulting IMO.
>
>
I also lament the passing of StartCom. I liked it before the acquisition.
I was a paying customer.

It brings an interesting point though. If I were assessing his fitness to
run a CA at this point, I would probably fault Eddy Nigg quite harshly, too.

While he clearly wasn't responsible for the improper actions undertaken by
Mr. Wang, he shirked a responsibility to the community in not announcing
that he was no longer supervising and controlling StartCom, delaying the
discovery and remediation.

To the extent that he made any kind of NDA or other agreement with WoSign
as part of the sale, that's still a choice he made to sign on to and such
choices have consequences -- especially when it comes to trust.

Matt Hardeman

Peter Kurrasch

unread,
Nov 28, 2017, 10:50:11 AM11/28/17
to Danny 吴熠 via dev-security-policy, mozilla-dev-s...@lists.mozilla.org
Danny, can you please clarify your role? Are you a WoTrus employee and are you speaking on behalf of Richard Wang?

Thanks.

Original Message
From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, other community friends,

First, thanks to Gerv and Kathleen for their very kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, since we do not reply to the emails one by one.

...snip...

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security in order to regain public trust.
We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,

WoTrus CA Limited

Danny 吴熠

unread,
Nov 28, 2017, 7:52:20 PM11/28/17
to fhw...@gmail.com, mozilla-dev-s...@lists.mozilla.org
Hi Peter,

I am working for WoTrus as a Compliance Coordinator in the Risk Control & Compliance Department and I am the representative of WoTrus for communication in the community.

Best regards,
Danny

Peter Kurrasch

unread,
Dec 1, 2017, 9:19:12 AM12/1/17
to mozilla-dev-security-policy
While it is to the benefit of everyone that Richard Wang and other employees at WoSign/WoTrus have learned valuable lessons over the past year, it seems to me that far too much damage has been done for Mozilla to seriously consider a CA which has Richard in any sort of management position, much less as CEO. I look at the depth and breadth of his deceptive acts, the technical/policy/compliance issues that were present at WoSign and StartCom under his leadership, the defiance of any expectation that CAs should exhibit reasonable levels of transparency and forthrightness, the amount of time and effort spent in this forum on the myriad WoSign and StartCom issues....

One is left to consider how much tolerance remains in the community for further mistakes and transgressions that might arise from WoTrus? What incentive does Richard have to be forthcoming in the future, knowing that the community might take harsh action against his company? How much time should WoTrus be allowed to consume, knowing it might unfairly affect the inclusion requests of new CAs, or the addressing of situations that arise at other CAs, or the discussion of ideas for advancing security throughout the global PKI?

When the initial sanction against WoSign and StartCom took place, I think many in this forum would have been content to let both CAs fade away into the land of distrust and ultimate removal. That Mozilla allowed both to remain was, I think, an act of generosity, with the expectation being(?) that, with a change in leadership and a new technology infrastructure, the global PKI would be better off for keeping WoSign/StartCom as trusted CAs. It's not (yet) clear that enough improvements have been made to the infrastructure and, obviously, there has been no change in leadership.

With everything taken together, I just don't see the benefit of including WoTrus in the trusted CA program. The costs to the community have been high -- and probably will continue to be high. The risks have been many -- and probably will continue to be many. And the benefits would appear to be too few.

From: Danny 吴熠 via dev-security-policy
Sent: Monday, November 27, 2017 2:39 AM

Dear Gerv, Kathleen, other community friends,

First, thanks to Gerv and Kathleen for their very kind consideration and great arrangement of this pre-discussion.
Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, since we do not reply to the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we learned that the distrust sanction would take effect from Oct. 20, 2016, we started to talk to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and have been reselling their SSL certificates since Nov. 21, 2016, and we have had a second Managed Sub CA from DigiCert since June 30, 2017.

(2) We sent replacement notices to all paying customers, and we have replaced more than 6000 certificates for customers free of charge.

(3) We realized that our big problem was compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 people. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two employees are English majors, responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One is responsible for following the CAB Forum mailing list and producing a weekly brief in Chinese on CAB Forum activity for all department managers, and one is responsible for following the Mozilla D.S.P. mailing list and producing a weekly brief in Chinese. They also produce a summary report whenever a CA has an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. The other two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for system testing and security testing of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.

(4) We started to develop a new PKI/CA system, including a validation system, OCSP system and CT system, and developed a new BUY system and CMS system. All systems were finished in June 2017 and passed a white-box source code security test by the Mozilla-approved security auditor Cure 53; the test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback.
We set up new infrastructure with the new systems that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates, to make sure every pre-issued certificate complies with the Standard.

(5) We stopped updating the CPS for the old roots and prepared a new CPS that complies with all Standards for the planned new roots. The RCC Department is responsible for the CPS updates and for checking that every CA operation complies with the CPS; this department has the overriding right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learnt a deep lesson from the Sanction.

(6) On Aug 24, 2017, we changed our company's English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear distinction for the planned new roots.

(7) Even though we have been through a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to carry out the certificate replacement work and minimize the impact of the sanction.

(8) We didn't fire the 20 RD employees; they are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested, or will be tested, by Cure 53 voluntarily to guarantee its code security.

Part Two: About Richard Wang

(1) In the remediation plan, Richard Wang was relieved as CEO, and Qihoo 360 started to look for a proper candidate in Nov. 2016; Mr. Tan Xiaosheng gave an update at the March CAB Forum meeting that Richard Wang is the COO.

(2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still run by Richard Wang as COO.

(3) On Aug 24, 2017, the company board of directors approved the company name change and restored Richard Wang's CEO position.

(4) Richard Wang is not just the CEO & CTO; he is the company founder and a shareholder. He learned a big lesson from this sanction, and he can't control everything, due to the internal audit mechanism described in Part One.

Part Three: Our future plan

(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust audit and to process our new root inclusion application, then we will do it strictly according to the WoSign Action Items bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

(2) If Mozilla decides to reject our new root inclusion at this beginning stage, then we can wait for another year. We will continue being a reseller for Certum and DigiCert. We don't have any plan to close our company.

(3) In the past 13 years, WoSign/WoTrus has done its best to provide the best certificate products and the best service to Chinese customers and worldwide customers. We are sure China needs the best local CA to make the China Internet more secure and trusted, and I am sure WoTrus is the one. If the China Internet is secure, then the global Internet is secure.

Gervase Markham

unread,
Dec 5, 2017, 4:37:41 AM12/5/17
to mozilla-dev-s...@lists.mozilla.org
On 22/11/17 09:05, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.

Thank you to everyone who contributed to this discussion in a thoughtful
and measured way. Mozilla has emailed WoTrus and Qihoo 360 with our
summary of the sentiment of the group, which we hope will be useful to
them in making their future plans.

Gerv