Hi Percy,

Yes, you're right, that was on the table and also suggested by Mozilla, but the issue was that people from 360 are used to coding in PHP and the old one was in Java and some others with which they are not so familiar, and then it was decided to re-write all the code in PHP trying to keep the same functionality. Besides, the old code had to be integrated with the new PKI infrastructure, EJBCA, and that was not an easy task. All in all on the table, integration with new systems, maintenance of the old code if issues arise due to this integration or any other problem, not good language knowledge, get used to PHP, etc. made us take that decision.

Furthermore, with this decision, we also wanted to let the community know that this is totally a new CA system in all aspects, nothing related to the past, everything from scratch, so new coding, new programming language, new PKI system, infrastructure, etc. hoping this would make the community have a better impression of the new StartCom regarding the distrust issue.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

> -----Original Message-----
> From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Percy via dev-security-policy
> Sent: Thursday, 14 September 2017 22:13
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Re: StartCom inclusion request: next steps
>
> "Conclusion: StartCom's attempt to restart the CA was rushed."
>
> "It was a very hard task in very few time but the people at 360 tried
> everything to get it done by that date, end of december 2016, and yes, we
> reached the date but with many failures"
>
> May I ask why StartCom chose to rush everything in PHP from the ground up
> rather than using the more secure system already in place in the old
> StartCom? From my understanding, the distrust of StartCom is more related
> to the secret acquisition by WoSign and Qihoo 360 rather than insecure
> infrastructure. So if the deadline is so imminent as you stated and pressure is
> so high from customers, can't you use the reasonably secure old code base
> rather than rushing everything from the ground up? Then you will have more
> time transition to another system if needed with sufficient time for secure
> processes?
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy