On 10/12/2016 10:11 PM, Ryan Sleevi wrote:
As Gerv suggested this was the official call for incidents with respect to
StartCom, it seems appropriate to start a new thread.
Ryan, it was probably easy to dig up any possible claimed or proven
issue ever surrounding StartCom during its ~ 10 years of operation. But
if this is your level of measurement for remaining in a root store, than
you have probably some other and larger CAs that would require your
immediate attention more urgently....
Incidents with StartCom:
As most issues have been discussed and explained at that time, I'm not
sure about it's usefulness to repeat the same arguments and explanations
again. Most issues you are listing were mostly minor (but makes your
list longer of course) and have been effectively and properly dealt with.
K) StartCom impersonating mozilla.com.
https://bugzilla.mozilla.org/show_bug.cgi?id=471702
StartCom's (former) CEO Eddy Nigg obtained a key and certificate for
www.mozilla.com and placed it on an Internet-facing server.
You make this appear as if StartCom used its capacity as a certificate
authority to somehow abuse somebody or something, but for the wider
audience:
I was able to obtain a certificate for mozilla.org from Comodo without
having the authority to validate said domain name - in fact I could have
obtained also wild cards and many more certificates for any domain name
would I have been willing to pay for it. I installed the certificate at
a local server as a proof in the same fashion millions of web sites
install theirs. The private key has never published to any third party
and was eventually destroyed.
Interesting that you are using it to shoot the messenger from back then
and list this as an item against StartCom :-)
I hope the above show that the odds are if the original StartCom systems are
restored, we're likely to continue to have significant BR violations - a
pattern StartCom has repeatedly demonstrated over several years.
There is no plan to use software that doesn't comply to the various
requirements and it has never been. I'm not claiming that there have
been zero issues during the last ten years, but StartCom has had always
clear policies and practices in place about how to deal with an issue
reasonably according to its significance, seriousness and importance.
--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org <xmpp:start...@startcom.org>
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
