On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> > That Camerfirma does not understand or express appreciation for this
> > risk
> > is, to the extent, of great cause for concern.
>
> Dear Ryan,
>
> We are looking at the same data but we’re reading two completely different
> stories.
>
> We are reading a story of a small CA that had its own graduation journey,
> struggled but eventually managed to emerge stronger from such journey.
>
> You are reading a story of a deceitful and unreliable CA that represents the
> worst danger to the entire community (you even wrote: “Camerfirma is as
> bad or worse than WoSign and DigiNotar”!), even if you yourself recognised
> that it was your subjective opinion on the matter.


I am concerned about the attempts to so significantly dismiss the concerns
as merely subjective.

I’m saddened that Camerfirma does not recognize the seriousness of these
issues, despite this thread, as evidenced by this latest response.
Camerfirma continues to suggest “risk” as if this is some absolute that
should be the guiding pole.

The analogy, in the hopes that it helps Camerfirma understand, is a bit
like saying to a bank “I know we borrowed $100, and defaulted on that loan
and never paid it back, but we were a small CA, we’ve grown, and now we
would like to borrow $1 million. We cannot demonstrate our financials, nor
can we offer collateral, but we believe we are low risk, because it was
only $100”.

More concretely, Camerfirma is viewing this through the lens of what did go
wrong, and continuing to be blind to what that signals, from a risk
perspective, about what can go wrong. They are asking to be judged based on
the direct harm to users by their (many, more than any CA I can think of)
failures, while similarly asking the community to disregard the
significance of that pattern of failures, and what it says about the
overall operations of the CA.

In short, Camerfirma is asking to be trusted implicitly and explicitly for
the future, and asking that their $100 default not hold back their $1m
loan. In banking, as in trust, this is simply unreasonable.

Some have suggested that “trust” is the ability to use past actions to
predict future outcomes. If you say you do X, and as long as I’ve known
you, you’ve done X, then when I say I “trust” you to do X, it’s an
indicator I believe your future actions will be consistent with those past
actions.

Camerfirma has, undisputed, shown a multi-year pattern that continues,
which demonstrates not only a failure to correctly implement requirements, but
also a failure to reasonably and appropriately respond to and prevent
future incidents. The incident responses, which Camerfirma would like to
assert are signs of maturity, instead show a CA that has continued to
operate below the baseline expectations for years.

Camerfirma would like the community to believe that they now meet the bare
minimum, as if that alone should be considered, and all of these past
actions disregarded because of this.

Yet the risk is real: that Camerfirma has not met the bare minimum at
present, and that Camerfirma is not prepared to continue to meet that
minimum as the requirements are improved over time. We have exhaustive
evidence of this being the case in the past, and the only assurances we
have that things are different now is Camerfirma’s management believing
that, this time, they have finally got it right. However, the responses on
even the most recent incidents continue to show that Camerfirma is
continuing to pursue the same strategy for remediation it has for years: a
strategy that has demonstrably failed to keep up with industry
requirements, and failed to address the systemic issues.

These are objective statements, demonstrated by the evidence presented, but
Camerfirma would like to present them as subjective, because they take
consideration of the full picture, and not merely the rosy, but misleading,
image that Camerfirma would like to present.

That these are persistent, sustained issues, without systemic change, is
something demonstrably worse than DigiNotar. Further, when considering the
capability for harm, and the sustained pattern of failure, it would be
foolish to somehow dismiss the risk, pretending as if Chekhov’s gun of
failure is not destined to go off in the next act.

At the core, Camerfirma is treating this as if any response from the
community should be directly proportional to the *individual* failures, as
many as they are, and is asking the community to ignore both the systemic
patterns and what it says about the future. This is abundantly clear when
they speak of risk: they apparently are unable to comprehend or acknowledge
what the patterns predict, and the risk of that, and thus ask such patterns
be disregarded entirely as somehow, incorrectly, being too subjective.

If these failures were to be plotted on a time series, there is no question
that the slope of this graph is worrying, and the number of incidents - and
the type and pattern of incidents - is worrying. Camerfirma would ask we
ignore all such statistics and data, under the assertion that the slope of
the sheer number of incidents is trending downward. Yet to do so would be to
disregard the data we have, and disregard the trendlines that show the type
of incidents have not meaningfully changed, that even with a downward trend
it is unacceptably above the baseline and will be for some time, and would
like us to forget everything we know because, Finally, Once and For All,
they’ve hired enough people to do the job that they’ve been required to do
from the beginning.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy