On Wed, Nov 22, 2017 at 11:16 AM, Jakob Bohm via dev-security-policy <[email protected]> wrote:

>> Mozilla did not formally require this, but it is true that as far as we
>> can see, Richard Wang is still effectively in charge of WoSign/WoTrus.
>>
> I think assessing and discussing the viability of a return of WoSign
> would be a lot easier if we had at least a proposed draft master plan
> from WoSign, so we could discuss if that plan (if correctly and honestly
> implemented) would be sufficient.
Alternatively, and I think what Gerv was requesting was this: what concerns would people raise with respect to a reapplication, such that WoSign/WoTrus could ensure sufficient consideration went into such plans? Obviously, there will be concerns with implementation details, and finding those out before WoTrus implements is a useful and viable task. But similarly, outlining the broader concerns might help inform those plans.

For example, one theme that can be picked up on this thread is a concern around the potential inconsistencies with respect to Richard Wang's role at WoTrus. Given his direct and personal involvement in the misissuance practices, one view might be that he is a fundamentally untrustworthy actor who has repeatedly displayed behaviours that undermine community trust in the organizations he is affiliated with. The statements about his transition out of the CEO role, and his apparent resumption of those duties, might underscore concerns about the management structure.

It may be that the solution is a response similar to what Mozilla recently shared with respect to DigiCert and Symantec: a concern that any organization in which Richard Wang has a decision-making capacity may not be a trustworthy organization. Or it might be that some feel that is too strong, and look for technical measures - such as no inclusion of WoTrus roots until Mozilla has the technical capability to enforce Certificate Transparency on such certificates, such that any risks can be expediently detected and trust removed.

These are all concerns that would arise during a discussion phase - after the stated requirements of Mozilla have been met, but due to potential overwhelming community concern about any trust in a Richard Wang-affiliated CA or an organization with a history as sordid as WoTrus/WoSign/WoTrust.
If we assume good faith on the part of WoTrus, which may be overly generous given past behaviour, then the goal of this discussion would be addressing the concerns that would exist with _future_ trust, now that the past/present trust has been addressed, such that systems can be designed and evaluated to appropriately consider such feedback.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

