First, I think your idea is not a proper metaphor, because 360 browser can't compare to Google browser. Google browser has an absolutely strong market share to say YES/NO to all CAs, but I am sure not to Google CA.
Second, I think Google being a global public CA is a wrong decision. This is the same situation as one person being both the athlete and the judge; how to guarantee fairness? These two businesses have a conflict of interest.
Third, your comparison of Apple and Microsoft is also not correct; they use their own CA systems for their own system use only, not for the public, not to be a global public CA like Google.
So, I think accepting the Google root into the Mozilla trust store doesn't benefit anyone except Google, not the Internet security community, not the CA industry and not end users.
Ryan, thank you for still remembering WoSign.
Best Regards,
Richard Wang
-------- Original message --------
From: Ryan Sleevi via dev-security-policy
Received: 2018-09-26 14:48:28
To: Jeremy Rowley
Cc: mozilla-dev-s...@lists.mozilla.org
Subject: Re: Google Trust Services Root Inclusion Request
Thanks for pointing out the link "https://wiki.mozilla.org/CA:WoSign_Issues". I think I need to say more words about "misleading" and "lie".
I would like to expose some FACTs to the public, to let the public know who is misleading and lying.
For the initial WoSign issues email on M.D.S.P on Aug 24, 2016 -- Issue 0 (a.k.a. Issue L: Any Port (Jan - Apr 2015)), Mozilla wrote:
"This problem was reported to Google, and thence to WoSign and resolved.
Mozilla only became aware of it recently."
The FACT is that Google's Ryan Sleevi sent an email to Richard Wang on April 4th 2015 to point out the problems (see the original email below), NOT WoSign reported to Google; this is the first misleading and lie.
The second "lie" is that Ryan Sleevi is the Mozilla Module Peer; this means Mozilla knew this case, so why would someone say "Mozilla only became aware of it recently." (August 24, 2016)? This is the second misleading and lie.
-------------------------------------------------------------------------------------
-------- Original Message --------
From: Ryan Sleevi <sle...@google.com>
Received: Saturday, 04 April 2015 09:25
To: Richard Wang
Subject: WoSign Irregularities
Hi Richard,
It's come to our attention that WoSign may be issuing certificates that are not conforming to your CPS and not conforming to the Baseline Requirements.
While we're still investigating the nature and scope, I was hoping you could take the opportunity and ensure that the certificates you're issuing are consistent with the Baseline Requirements and consistent with your CPS.
Among other things, I've noted irregularities in:
- Subject Information
- Extensions
- Certificate Policies
- Issuer Alternative Name
Could you please examine your certificates and let me know of any irregularities that you have detected and what steps have been taken (per Section 8.2 of your CPS)?
Also, can you please provide your most recent audit? The most recent BR audit available was for the period of 1 January 2013 through 31 December 2013, completed on 28 March 2014. I see you've already completed Seals 1843 (Principles & Practices) and 1842 (EV). When do you expect an audit for the period of 1 January 2014 through 31 December 2014 to be made available?
-----------------------------------------------------------------------------------
Best Regards,
Richard Wang
-------- Original Message --------
From: Ryan Sleevi via dev-security-policy
Hi Richard,
A few corrections:
There are two facts to support my opinion:
(1) For the StartCom sanction, Mozilla agreed in the Oct 2nd 2016 London meeting that if we separated StartCom completely from WoSign, then Mozilla would not sanction StartCom and would still trust the StartCom root. But Google, as a peer of the Mozilla Module, didn't agree with this, and Ryan even found many very, very old problems of StartCom to be a "fact" that it must be distrusted. Google changed the Mozilla decision!
(2) For the Symantec sanction, everyone can see from Ryan Sleevi's arguments in the M.D.S.P discussion that Google changed Mozilla's initial decision; this is also a fact.
So, we can see Ryan is not just a Mozilla Module Peer; he represents the Google browser, which affects Mozilla making the right decision.
Ryan, don't feel too good about yourself. People patiently look at your long emails on M.D.S.P and listen to your bala bala speaking at the CABF meeting; this is because you represent Google Chrome, and Google Chrome seriously affects Mozilla that has the power to kill any CA. If you leave Google, you will be nothing, no one will care about your existence, and no one will care what you say. So, please don't declare that you don't represent Google before you speak next time, nonsense!
Your myopia has brought global Internet security into the ditch. Chrome displays "Secure" for a website just because it has SSL (https). Many fake banking websites and fake PayPal websites have Let's Encrypt certificates, and Google Chrome says it is "Secure"; this completely misleads global Internet users, resulting in many users being deceived and losing property. Encryption is not equal to security. Secure means not only encryption, but also the need to tell the user the website's true identity. Does a fake bank website's encryption mean anything? Nothing, and even worse.
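Ryan, don't think too highly of yourself. Others patiently read your lengthy essays on M.D.S.P and listen to you talk endlessly at the CABF meeting because you represent the Google browser, and the Google browser seriously influences Mozilla, with the power of life and death over all CAs. If you leave Google, you will be nothing; nobody will pay attention to your existence, and nobody will care what you say. So next time, don't declare before speaking that you don't represent Google. Nonsense!
Your short-sightedness has led global Internet security into the ditch, holding that having an SSL certificate (https) means being secure. Many fake bank websites and fake PayPal websites have Let's Encrypt certificates, and the Google browser displays them as secure, which completely misleads Internet users worldwide and has caused many users to be deceived and to lose property. Encrypted does not equal secure. Security means not only that encryption is needed, but also that the user needs to be told the true identity of the website. Does encryption on a fake bank website mean anything? No, and it is even worse.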
Best Regards,
Richard Wang
-------- Original Message --------
From: Ryan Sleevi via dev-security-policy
Received: Thursday, 27 September 2018 00:53
To: Jeremy Rowley
Cc: Ryan Sleevi ; mozilla-dev-security-policy
Subject: Re: Google Trust Services Root Inclusion Request
On Wed, Sep 26, 2018 at 12:04 PM Jeremy Rowley <jeremy...@digicert.com>
wrote:
> I should also emphasize that I’m speaking as Jeremy Rowley, not as
> DigiCert.
>
>
>
> Note that I didn’t say Google controlled the policy. However, as a module
> peer, Google does have significant influence over the policy and what CAs
> are trusted by Mozilla. Although everyone can participate in Mozilla
> discussions publicly, it’s a fallacy to state that a general participant