On Sunday, 10 January 2021 at 17:27:01 UTC+1, Ryan Sleevi wrote:
> On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy < 
> dev-secur...@lists.mozilla.org> wrote: 
> 
> > > That Camerfirma does not understand or express appreciation for this 
> > > risk 
> > > is, to the extent, of great cause for concern. 
> >
> > Dear Ryan, 
> > 
> > We are looking at the same data but we’re reading two completely different 
> > stories. 
> > 
> > We are reading a story of a small CA that had its own graduation journey, 
> > struggled but eventually managed to emerge stronger from such journey. 
> > 
> > You are reading a story of a deceitful and unreliable CA that represents the 
> > worst danger to the entire community (you even wrote: “Camerfirma is as 
> > bad or worse than WoSign and DigiNotar”!), even if you yourself recognised 
> > that was your subjective opinion on the matter.
> I am concerned about the attempts to so significantly dismiss the concerns 
> as merely subjective. 
> 
> I’m saddened that Camerfirma does not recognize the seriousness of these 
> issues, despite this thread, as evidenced by this latest response. 
> Camerfirma continues to suggest “risk” as if this is some absolute that 
> should be the guiding pole. 
> 
> The analogy, in the hopes that it helps Camerfirma understand, is a bit 
> like saying to a bank “I know we borrowed $100, and defaulted on that loan 
> and never paid it back, but we were a small CA, we’ve grown, and now we 
> would like to borrow $1 million. We cannot demonstrate our financials, nor 
> can we offer collateral, but we believe we are low risk, because it was 
> only $100”. 
> 
> More concretely, Camerfirma is viewing this through the lens of what did go 
> wrong, and continuing to be blind to how that signals, from a risk 
> perspective, of what can go wrong. They are asking to be judged based on 
> the direct harm to users by their (many, more than any CA I can think of) 
> failures, while similarly asking the community to disregard the 
> significance of that pattern of failures, and what it says about the 
> overall operations of the CA. 
> 
> In short, Camerfirma is asking to be trusted implicitly and explicitly for 
> the future, and asking that their $100 default not hold back their $1m 
> loan. In banking, as in trust, this is simply unreasonable. 
> 
> Some have suggested that “trust” is the ability to use past actions to 
> predict future outcomes. If you say you do X, and as long as I’ve known 
> you, you’ve done X, then when I say I “trust” you to do X, it’s an 
> indicator I believe your future actions will be consistent with those past 
> actions. 
> 
> Camerfirma has, undisputed, shown a multi-year pattern that continues, 
> which demonstrates both a failure to correctly implement requirements, but 
> also a failure to reasonably and appropriately respond to and prevent 
> future incidents. The incident responses, which Camerfirma would like to 
> assert are signs of maturity, instead show a CA that has continued to 
> operate below the baseline expectations for years. 
> 
> Camerfirma would like the community to believe that they now meet the bare 
> minimum, as if that alone should be considered, and all of these past 
> actions disregarded because of this. 
> 
> Yet the risk is real: that Camerfirma has not met the bare minimum at 
> present, and that Camerfirma is not prepared to continue to meet that 
> minimum as the requirements are improved over time. We have exhaustive 
> evidence of this being the case in the past, and the only assurances we 
> have that things are different now is Camerfirma’s management believing 
> that, this time, they have finally got it right. However, the responses on 
> even the most recent incidents continue to show that Camerfirma is 
> continuing to pursue the same strategy for remediation it has for years: a 
> strategy that has demonstrably failed to keep up with industry 
> requirements, and failed to address the systemic issues. 
> 
> These are objective statements, demonstrated by the evidence presented, but 
> Camerfirma would like to present them as subjective, because they take 
> consideration of the full picture, and not merely the rosy, but misleading, 
> image that Camerfirma would like to present. 
> 
> That these are persistent, sustained issues, without systemic change, is 
> something demonstrably worse than DigiNotar. Further, when considering the 
> capability for harm, and the sustained pattern of failure, it would be 
> foolish to somehow dismiss the risk, pretending as if Chekhov’s gun of 
> failure is not destined to go off in the next act. 
> 
> At the core, Camerfirma is treating this as if any response from the 
> community should be directly proportional to the *individual* failures, as 
> many as they are, and is asking the community to ignore both the systemic 
> patterns and what it says about the future. This is abundantly clear when 
> they speak of risk: they apparently are unable to comprehend or acknowledge 
> what the patterns predict, and the risk of that, and thus ask such patterns 
> be disregarded entirely as somehow, incorrectly, being too subjective. 
> 
> If these failures were to be plotted on a time series, there is no question 
> that the slope of this graph is worrying, and the number of incidents - and 
> the type and pattern of incidents - is worrying. Camerfirma would ask we 
> ignore all such statistics and data, under the assertion that the slope of 
> sheer number of incidents is trending downward. Yet to do so would be to 
> disregard the data we have, and disregard the trendlines that show the type 
> of incidents have not meaningfully changed, that even with a downward trend 
> it is unacceptably above the baseline and will be for some time, and would 
> like us to forget everything we know because, Finally, Once and For All, 
> they’ve hired enough people to do the job that they’ve been required to do 
> from the beginning.

Dear Ryan:

We’re not asking to ignore statistics; as a matter of fact, we’ve shown our 
objective bug evolution trend in our previous message.

We don’t ask the community to disregard the data; on the contrary, we ask the 
community to analyze the data thoroughly, including the impacts produced.

We acknowledge we have room for improvement, but we’re not applying for a loan 
we won’t be able to pay back. We are one of the largest and oldest CAs in Spain; 
we issue (overall, not only SSL) more than 200.000 S/MIME certificates per year, 
and in our long history we’ve never caused any damage to anyone. Some 
certificates may have been syntactically incorrect due to misinterpretation, 
but we have never compromised any vetting, identification or information 
validation.

We’ve been an active and collaborative member of this community since 2008. We 
take our responsibility as a CA very seriously, and the safeguarding of all our 
stakeholders (including this community and all our clients) is our utmost 
priority. 


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy