On Thursday, October 13, 2016 at 2:03:05 AM UTC-7, Eddy Nigg wrote:
> Ryan, it was probably easy to dig up any possible claimed or proven 
> issue ever surrounding StartCom during its ~ 10 years of operation. But 
> if this is your level of measurement for remaining in a root store, then 
> you have probably some other and larger CAs that would require your 
> immediate attention more urgently....

As usual, you seem to be dismissive of any concerns about StartCom's compliance.

At core issue is whether StartCom is a trustworthy organization, if operated 
independently. Key to that is the ability of StartCom to abide by the Baseline 
Requirements and to treat the incidents as serious and warranting attention. 
Your reply, though unclear in what capacity you continue to represent StartCom, 
highlights the traditional dismissiveness - both of the message and the 
messenger - and the attempt to reply to incidents with "Somebody else did this".

If we are to accept that WoSign's past actions are not predictive of StartCom's 
future, then we must accept that StartCom's past actions are - and the past 
actions show a pattern of disregard. Whether or not others show that similar 
disregard is, to some extent, immaterial to the question as to whether StartCom 
was competently operated, is competently operated, and will be competently 
operated.

> As most issues have been discussed and explained at that time, I'm not 
> sure about its usefulness to repeat the same arguments and explanations 
> again. Most issues you are listing were mostly minor (but make your 
> list longer of course) and have been effectively and properly dealt with.

Isn't this the same response WoSign made? Isn't the fact that there is a 
pattern of misissuances - and dismissiveness - material to the claim as to 
whether StartCom ever was, or is, trustworthy?

> You make this appear as if StartCom used its capacity as a certificate 
> authority to somehow abuse somebody or something, 

I didn't - and the linked bug doesn't suggest that either.

> Interesting that you are using it to shoot the messenger from back then 
> and list this as an item against StartCom :-)

The ability to responsibly handle security incidents in the past is relevant to 
the ability to responsibly handle security incidents in the future.

> I'm not claiming that there have 
> been zero issues during the last ten years, but StartCom has had always 
> clear policies and practices in place about how to deal with an issue 
> reasonably according to its significance, seriousness and importance.

For those that do investigate the linked bugs, I suspect they will likely 
reach a conclusion that you and StartCom have routinely underestimated 
significance, downplayed seriousness, and not always acted reasonably. 
Similarly, with respect to elements such as duplicate serial numbers or OCSP 
responders, patterns of behaviour which have short- and long-term negative 
effects on the WebPKI are routinely missed for deadlines and remediation.

This naturally argues for a conclusion that, for the set of outstanding issues 
to be remediated in response to the WoSign acquisition of StartCom, 
StartCom may miss deadlines for remediation.

To some extent, this may be moot due to Kathleen's proposal, but I don't think 
your assertions should remain unchallenged while people mull and evaluate 
whether or not it's appropriate to treat StartCom as the WoSign subsidiary that 
it was and currently is.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy