On Saturday, 11 May 2019 11:16:30 UTC+2, okaphone....@gmail.com wrote:
> On Friday, 10 May 2019 19:00:11 UTC+2, Wayne Thayer  wrote:
> 
> ...
> 
> > I share the concern that option #2 sends a confusing message. As Jonathan
> > stated, why should we distrust a CA for all but the most important websites
> > they secure?
>  
> I'd say that both "too big to fail" and "too important to fail" are not 
> particularly good reasons for trusting something/somebody.
> 
> It's understandable that as a browser you'd want to limit the collateral 
> damage of distrusting a CA, but your first priority should definitely be 
> limiting the possible damage from trusting a CA that has turned out not to be 
> trustworthy.
> 
> CU Hans

Dear All,

First, seeing the post of Wayne THAYER dated 10th of May, I want to clarify how 
my own answer dated 9th of May covers the different issues:

- Action 1 is our response to Issues B, C, D (work in progress) and E, and is 
a guarantee that Issue A will not happen again;
- Actions 2 to 6 target Issue F.

In detail:

Issue A found its source in the good relationships between Franck and Iñigo, 
who are both no longer in charge;
Issue B: we identified last year that a non-operational contact person would be 
the best way to follow the relationship with the Mozilla Community; after a 
first attempt we are looking for someone, and I am now the acting contact 
person.
Issue C: there is now a team (not a single man) in charge of audits.
Issue D: the CP is currently under revision, and later in translation, in 
response to the Certinomis Issues page; afterwards it will be followed by the 
contact person and controlled by the audit team, which will maintain the 
quality and the updating of the document.
Issue E is in the past and happened under the former organisation too. The 
separation between project management and the audit team is our solution for 
controlling the conformity of implementation internally.

As you can see, most of these issues are from the past, fixed or on their way 
to being fixed soon.

Issue F, in its various occurrences, is a consequence of too much reliance on 
human controls.
To fix that, 5 quick actions have been initiated, 4 of which have been completed.

Second, all this progress has been made in a few months, and we made this real 
effort (all other technical subjects have been frozen for the last three 
months) to demonstrate our concern about BR conformity.
Since the problems are 90% fixed, I believe that keeping trust in Certinomis’ 
Root would not threaten security. Even more, distrusting us at the very moment 
when we are completing corrections is not encouraging security, in my opinion.
For this reason, I call for rejecting option #1, which is an answer to the 
past, not to the present nor to the near future.

Third, if option #2 really must be considered, there is for sure one first 
operator who will without any hesitation grant us its trust: the French group 
La Poste, to which Certinomis belongs. And I will easily obtain an official 
request for domain names owned by the group (“laposte.fr”, 
“labanquepostale.fr”, “Docaposte.fr”, etc.).

But of course I would really appreciate a clear distinction being made between 
events of the past (before 1st of December 2018) and present and coming 
events, because we really have initiated a strong change in Certinomis’ 
technical management.

Kind Regards,

François CHASSERY,
CEO
Certinomis


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy