On Thu, Aug 03, 2017 at 05:27:03PM -0700, Kathleen Wilson via 
dev-security-policy wrote:
> Along this line of discussion, I have not felt comfortable with StartCom's
> current root inclusion request (bug #1381406), because Hanno raised a
> concern about the private key used by the new root is also used by two
> intermediate certificates, one of them revoked.  This doesn't seem like
> good practice to me, and I'm not sure that Inigo's response is sufficient. 
> So, I'm also wondering if I should close Bug #1381406 and request StartCom
> to start completely over with their new CA Hierarchy, and get it right,
> before creating their next root inclusion request.

I think it makes the most sense to ask StartCom to start "clean", as well. 
Hierarchies that are to be globally trusted should not be used as
"experimental playgrounds", even if those experiments are revoked, because
as we all know revocation is not 100% effective.

Further, if Mozilla allows the existing hierarchy to be admitted, there's no
demonstration that StartCom is actually *capable* of doing things correctly. 
A fully compliant hierarchy would be a demonstration that they *do* know
how, and got it wrong last time, as opposed to being incapable.  Once
there's a fully-compliant setup in place, there's then no reason to use a
broken setup, given that it isn't currently used by anyone, anyway.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
