On 22/11/2017 10:05, Gervase Markham wrote:
> We understand that WoTrus (WoSign changed their name some months ago)
> are working towards a re-application to join the Mozilla Root Program.
> Richard Wang recently asked us to approve a particular auditor as being
> suitable to audit their operations.
>
> In the WoSign Action Items bug:
> https://bugzilla.mozilla.org/show_bug.cgi?id=1311824
> Kathleen wrote "WoSign may apply for inclusion of new (replacement) root
> certificates[1] following Mozilla's normal root inclusion/change
> process[2] (minus waiting in the queue for the discussion), after they
> have completed all of the following action items, and no earlier than
> June 1, 2017."
>
> However, one step in the inclusion process is the public discussion, and
> we have some reason to believe that this may lead to significant
> objections being raised. It would not be reasonable to encourage WoSign
> to complete all the other steps in the process if there was little or no
> chance of them being approved in public discussion.
>
> So Kathleen and I thought it would be best to have a pre-discussion now,
> in order to make sure that expectations are set appropriately. If WoTrus
> had completed all the action items in the bug and arrived at the public
> discussion part of the application, what would people say? If you raise
> an objection, please say if there is any way at all that you think
> WoTrus could address your issue.
>
> Thanks for your input,
>
> Gerv

Some notes about previously discussed items:
In bug #1311824 mentioned above, step 1 is for WoTrus to present a list
of changes to be implemented. Has this been done yet?
Step 2 is for WoTrus to update their CP/CPS. Has this been done yet?
Also in Bug #1311824, Richard Wang has posted a summary of a code audit
report, the full text of which was made available to the module owners of
the root program. Were the report contents acceptable or did it leave
open questions and outstanding issues?
On 07/10/2016 13:12, Gervase Markham wrote:
> As noted by Richard Wang, WoSign have just published an updated Incident
> Report:
> https://www.wosign.com/report/WoSign_Incident_Report_Update_07102016.pdf
>
> I think we are now in a position to discuss whether the plan proposed
> here:
> https://docs.google.com/document/d/1C6BlmbeQfn4a9zydVi2UvjBGv6szuSB4sMYUcVrR8vQ/edit#
> is still appropriate for WoSign.
>
> ...
>
> * There will be personnel changes:
>
> - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer
> of Qihoo 360).
> - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom
> Europe).
> - Richard Wang will be relieved of his duties as CEO of WoSign and
> other responsibilities. It is not decided who will replace him.
>
> ...
Although not listed in the Action plan in #1311824, it is noteworthy
that Richard Wang has apparently not been relieved of his other
responsibilities, only the CEO title. Was this part of the old plan
officially dropped?
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded