On 12/10/16 20:11, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with
> respect to StartCom, it seems appropriate to start a new thread.

There are indeed more of these than I remember or knew about. Perhaps it would have been sensible to start a StartCom issues list earlier. In my defence, investigating one CA takes up a lot of time on its own, let alone two :-)

> K) StartCom impersonating mozilla.com.
> https://bugzilla.mozilla.org/show_bug.cgi?id=471702
> StartCom's (former) CEO Eddy Nigg obtained a key and certificate for
> www.mozilla.com and placed it on an Internet-facing server.

I do consider it a significant error of judgement for Eddy to have chosen www.mozilla.com, rather than a site owned and controlled by him or by a third party with whom he had an agreement, for his demonstration. On the other hand, this happened 8 years ago.

I'd be interested in your comments, Ryan, on whether you think it's appropriate for us to have some sort of informal "statute of limitations". That is to say, in earlier messages you were worried about favouring incumbents. But if there is no such statute, doesn't that disadvantage incumbents? No code is bug-free, and so a large CA with many products is going to have occasional troubles over the years. If they then have a larger issue, is it reasonable to go trawling back 10 years through the archives and pull out every problem there's ever been?

This is a genuine question, not a rhetorical one. All the WoSign issues I documented were from the past two years. Many of the StartCom issues you list are 2.5 - 3.5 years old. That may not be long enough, but how long is?

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy