Dear Gerv, Kathleen, and other community friends,

First, thanks to Gerv and Kathleen for their kind consideration and great arrangement of this pre-discussion. Second, thanks to the community participants for helping us understand our problems clearly over the past year; we hope you can give us a chance to serve Internet security.

Here is our response covering your questions, so that we do not reply to the emails one by one.

Part One: What we have done in the past year since the sanction

(1) After we learned that the distrust sanction would start from Oct. 20, 2016, we started to talk to some CAs about a Managed Sub CA solution. We signed an agreement with Certum and started to resell their SSL certificates on Nov. 21, 2016, and we set up a second Managed Sub CA from DigiCert on June 30, 2017.

(2) We sent replacement notices to all charged customers, and we have replaced more than 6000 certificates for customers for free.

(3) We realized that our big problem is compliance with the Standard, so we set up a department: the Risk Control & Compliance Department (RCC), which has 5 persons. The manager is from a bank IT risk control department; he leads the team for risk control management and internal audit. Two English-major employees are responsible for translating all WebTrust documents and all CAB Forum documents into Chinese so that all employees can learn the Standard more clearly. One of them is responsible for checking the CAB Forum mailing list to produce a weekly brief in Chinese on CAB Forum activity for all department managers, and the other is responsible for checking the Mozilla D.S.P. mailing list to produce a weekly brief in Chinese. They also produce a summary report whenever a CA posts an incident report, so that we learn how to prevent the same mistakes and how to respond to the Community. The other two employees are security testers, one from the PKI/CA RD team and one from the Buy/CMS RD team; they are responsible for the system test and security test of the systems developed by the two RD teams. This department has set up many internal management regulations, and it is the internal auditor that checks and verifies that every CA operation is compliant with the Standard.

(4) We started to develop a new PKI/CA system, including the validation system, OCSP system and CT system, and to develop a new BUY system and CMS system. All systems were finished in June 2017 and passed the white-box source code security test by the Mozilla-approved security auditor Cure 53. The test summary report was posted to the Community on July 7, 2017, and the detailed report was sent to every browser's key person, but there was no feedback. We set up new infrastructure with the new system that passed the security audit; the new system integrates CABFlint, X509lint and Zlint for all pre-issued SSL certificates to make sure every pre-issued certificate complies with the Standard.

(5) We stopped updating the old roots' CPS and prepared a new CPS that complies with all Standards for the planned new roots. The RCC Department is responsible for the CPS updates and checks that every CA operation complies with the CPS. This department has the super right to supervise all CA operations, so that nobody, including Richard Wang, can have a finger in the pie to violate the Standard. Every employee has learned a deep lesson from the Sanction.

(6) On Aug 24, 2017, we changed our company English name from "WoSign CA Limited" to "WoTrus CA Limited" in order to make a clear difference for the planned new roots.

(7) Even though we have experienced a tough time, we didn't fire any employee. We had 55 employees in October 2016, and now we have 58 employees; we hired more customer service employees to provide certificate replacement work to minimize the sanction's impact.

(8) We didn't fire the 20 RD employees; we are developing some certificate-related software and hardware. Those products will be released in Q1 2018. All the software is being tested or will be tested by Cure 53 voluntarily to guarantee its code security.

Part Two: About Richard Wang

(1) In the remediation plan, Richard Wang was relieved as CEO, and Qihoo 360 started to look for a proper candidate in Nov. 2016. Mr. Tan Xiaosheng reported in the March CAB Forum meeting that Richard Wang is the COO.

(2) It is very hard to find a suitable person in China for this position who understands PKI/CA technology and knows the CA business, so the CEO position is empty and the company is still in the charge of Richard Wang as COO.

(3) On Aug 24, 2017, the company board of directors approved the company name change and restored Richard Wang's CEO position.

(4) Richard Wang is not just the CEO & CTO; he is the company founder and a shareholder. He learned a big lesson from this sanction, and he can't control everything, due to the internal audit mechanism described in Part One.

Part Three: Our future plan

(1) If Mozilla decides to let us move on to do the PITRA audit and WebTrust audit and to process our new root inclusion application, then we will do it strictly according to the WoSign Action Items bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824

(2) If Mozilla decides to reject our new root inclusion at this beginning stage, then we can wait for another year. We will continue being a reseller of Certum and DigiCert. We don't have any plan to close our company.

(3) In the past 13 years, WoSign/WoTrus has done its best to provide the best certificate products and the best service to Chinese customers and worldwide customers. We are sure China needs a best local CA to make the China Internet more secure and trusted, and I am sure WoTrus is the one. If the China Internet is secure, then the global Internet is secure.

Finally, as a CA, we fully understand that the mistakes we have made are significant. Through the sanction, we learned the importance of maintaining trust and compliance, and we hope to provide excellent products and services as compensation for our mistakes, and to serve Internet security to regain public trust. We'd love to hear your feedback, and we are trying to do better and better. Thanks.

Best Regards,
WoTrus CA Limited

-----Original Message-----
From: dev-security-policy [mailto:[email protected]] On Behalf Of Gervase Markham via dev-security-policy
Sent: Wednesday, November 22, 2017 5:06 PM
To: [email protected]
Subject: Possible future re-application from WoSign (now WoTrus)

We understand that WoTrus (WoSign changed their name some months ago) are working towards a re-application to join the Mozilla Root Program. Richard Wang recently asked us to approve a particular auditor as being suitable to audit their operations.

In the WoSign Action Items bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1311824 Kathleen wrote "WoSign may apply for inclusion of new (replacement) root certificates[1] following Mozilla's normal root inclusion/change process[2] (minus waiting in the queue for the discussion), after they have completed all of the following action items, and no earlier than June 1, 2017."

However, one step in the inclusion process is the public discussion, and we have some reason to believe that this may lead to significant objections being raised. It would not be reasonable to encourage WoSign to complete all the other steps in the process if there was little or no chance of them being approved in public discussion. So Kathleen and I thought it would be best to have a pre-discussion now, in order to make sure that expectations are set appropriately.

If WoTrus had completed all the action items in the bug and arrived at the public discussion part of the application, what would people say? If you raise an objection, please say if there is any way at all that you think WoTrus could address your issue.

Thanks for your input,
Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

