Hi Ryan,

Obviously it is just my personal opinion of the facts made in a public discussion forum. Like many other participants in this forum, I only give my professional point of view as a PKI expert. This does not mean that my opinion and my arguments are shared by the company where I work.

I am not the person in charge of officially answering these issues at Firmaprofesional (as can be seen on the Bugzilla incident website) and I do not have the authorization from my company to do so. I reiterate that these are only opinions and arguments made in a personal capacity. I apologize if I have involuntarily hinted that this was the official position of Firmaprofesional. Maybe I should have used a personal email to participate in the forum.

I also wanted to take the opportunity to apologize if I have offended you with any of my comments. It was not my intention at all. I believe that both Google and Mozilla are doing a great job in defense of PKI technology and digital certificates, putting the safety of users before the economic interests of CAs. Thanks to this great work, the willingness of CAs to fulfill their obligations has improved dramatically in recent years. We all remember what the situation was 10 or 15 years ago, when bad practices and misissued certificates were the usual practice without any consequences.

What we have achieved is a great achievement for the community, and we must defend it. Although with some unilateral decisions, there is a risk that this open and objective security model of CA control will become a closed and totally arbitrary process, managed by a few multinational companies.

I hope that within 24 hours Firmaprofesional will respond officially to the open ticket.

I also hope and trust that in any case, Firmaprofesional will be treated fairly and equitably with respect to the rest of the other affected CAs.



On 16/7/20 19:33, Ryan Sleevi wrote:

Hi Oscar,

Unfortunately, there's a number of factual errors here that I think greatly call into question the ability for Firmaprofesional to work with users and relying parties to understand the risks and to take them seriously.

I would greatly appreciate if Firmaprofesional share their official response on https://bugzilla.mozilla.org/show_bug.cgi?id=1649943 within the next 24 hours, so that we can avoid any further delays in taking the appropriate steps to ensure users are protected and any risks are appropriately mitigated. If this message is meant to be your official response, please feel free to paste it there.

Unfortunately, I don't think discussing the point-by-point takedown of your confusion here is useful, because I think we've moved beyond discussing into the abstract and discussing very specifically about the degree to which Firmaprofesional is interested (or not) in collaborating to keep users safe.

I think, barring an update within the next 24 hours, it seems reasonable to take this post as the final and official response, and begin taking steps appropriately to reduce risk.
