On Thu, Sep 01, 2016 at 10:53:36AM +0300, Eddy Nigg wrote:
> On 09/01/2016 04:20 AM, Matt Palmer wrote:
> >You were knowingly violating a MUST provision of RFC5280.
>
> From experience there have been many RFC violations, sometimes even
> knowingly and intentionally by software vendors (browsers), certificate
> authorities and even policy writers such as CAB Forum.

"They did it too" is not a persuasive argument coming from my four-year-olds. It is no more persuasive coming from a Certification Authority.

In the interests of the community being fully informed of StartCom's compliance with the standards which underlie the integrity of the web PKI, I'll ask the question again: what *other* MUST provisions of RFC5280, the CA/B Forum BRs, and other relevant specifications and guidance relevant to the operation of a Certification Authority present in the Mozilla trust store, is StartCom currently not in compliance with? Have your auditors proactively been made aware of these deficiencies?

> Mozilla, Microsoft, Google and others are sometimes violating or not
> conforming to RFCs for this reason or the other. The implication and
> severity of such a violation matters probably.

Not if your auditor and the wider community aren't aware of it, they're not. Your assessment of the impact of a violation may be in error, for starters. Not disclosing violations isn't behaviour calculated to inspire trust, and making misleading statements about compliance to the standards *certainly* isn't.

> >>The audit letter included an attestation from Management that, during the
> >>time of the audit, management believed that the CA complied with the
> >>Baseline Requirements.
>
> True, we could demonstrate steps performed, plans produced, implementations
> performed etc. on this particular issue.

I'd rather like an answer to the question, "Thus, do you believe it was faithful and accurate for Management to warrant that the CA was operated in compliance with the BRs, given that Management was aware of incidents of non-compliance?"

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy