On Friday, May 10, 2019 at 06:37:11 UTC+2, Wayne Thayer wrote:
> On Thu, May 9, 2019 at 8:56 PM Jakob Bohm via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> 
> > On 10/05/2019 02:22, Wayne Thayer wrote:
> > > Thank you for this response Francois. I have added it to the issues list
> > > [1]. Because the response is not structured the same as the issues list, I
> > > did not attempt to associate parts of the response with specific issues. I
> > > added the complete response to the bottom of the page.
> > >
> > > On Thu, May 9, 2019 at 9:27 AM fchassery--- via dev-security-policy <
> > > dev-security-policy@lists.mozilla.org> wrote:
> > >
> > >> ...
> > > ...
> > >
> > > In response to the email from Franck that you mention, Gerv responded [1]
> > > by quoting the plan he had approved and stating "This seems to be very
> > > different to the plan you implemented." By cross-signing Startcom's old
> > > roots, Certinomis did assist Startcom in circumventing the remediation
> > > plan, and by proposing one plan then implementing a different one,
> > > Certinomis did so without Mozilla's consent.
> > >
> >
> > As can be seen from your [3] link, Certinomis cross-signed StartCom's
> > NEW supposedly remediated 2017 hierarchy, not the old root.
> >
> Thank you for correcting me Jakob. I was confused by a statement in the
> 2017 thread that I referenced, but I see now that Certinomis only
> cross-signed Startcom's new roots. Since Certinomis cross-signed Startcom's
> new roots before the remediation plan was completed, I believe the
> statements I made are otherwise correct.

Dear Wayne,

I’m not arguing that signing the new Startcom root was a mistake. In fact, as 
soon as we were told, we backed off.
Our understanding at that time was that the remediation plan had been fully 
implemented. But the Mozilla staff did not agree and had another interpretation 
of the situation. 
I do not know how or when a distortion was introduced between Franck’s exchange 
with the Mozilla staff and our action.
But there was no intent to circumvent the Mozilla plan, and we corrected it 
immediately when we were asked to do so.
That is why I do not understand why this subject is included in the present 
discussions: if there has been an error, it is a past error, corrected in the 
past and on which no further action is possible.
At a minimum it should only be recalled as a problem that has been solved.

Kind Regards,

François