On Friday, January 22, 2021 at 10:01:22 AM UTC-8, Ramiro Muñoz wrote:
> On Wednesday, January 20, 2021 at 5:04:27 UTC+1, Matt Palmer wrote:
> > On Tue, Jan 19, 2021 at 07:28:17AM -0800, Ramiro Muñoz via 
> > dev-security-policy wrote: 
> > > Camerfirma is not the member with the highest number of 
> > > incidents nor the member with the most severe ones. 
> > No, but Camerfirma's got a pretty shocking history of poor incident 
> > response, over an extended period, with no substantive evidence of 
> > improvement. *That* makes me not want to trust Camerfirma, because I have 
> > no confidence that problems are being handled in a manner befitting a 
> > globally-trusted CA. Further, Camerfirma's continued insistence that "it's 
> > all better now", in the face of all the contrary evidence, does not inspire 
> > confidence that there will be future improvement. 
> > 
> > - Matt
> Hi Matt. 
> 
> As we recognized previously, we have room for improvement. As we remain open 
> to suggestions, we are still working a lot on incident response, action 
> details and language skills. 

Why exactly should Mozilla trust your record of failure to improve on these 
after the first, second, third, fourth, fifth, sixth, seventh, eighth, etc. 
time? Far from getting better, Camerfirma continues to have issues with 
implementing obvious steps to manage risks in the issuance process.  It is not 
the job of members of this forum to tell CAs how to shape up, it's the job of 
CAs to not misissue certificates.  It's actually more important than issuing 
certificates.  Why should I believe that Camerfirma can do the job?

We're on to double Latin letters for a CA that has a very small issuance volume 
over very few years. About once every 1.5 months on average Camerfirma has a 
deficiency. It's a shocking error rate, made even more shocking by the failure 
to learn lessons and its worsening over time. Many of the issues stem from a 
reliance on manual processing and inability or unwillingness to automate 
routine validity checks, even after the folly of this approach has been made 
clear. Another class of issues involves failure to properly manage delegation of 
authority, be it trusting WoSign, uncontrolled CAs not disclosed, etc. A third 
overarching theme is continued denial and making of excuses.

This is not the right attitude a publicly trusted CA should have. Every one of 
these incidents was an unacceptable violation of trust, that by the terms of 
inclusion needed to be reported with a detailed answer as to actions taken in 
response. You've consistently failed to articulate in these incidents a root 
cause analysis, what steps will be taken to prevent a recurrence, and failed to 
learn from the failures of other CAs or even your own issues. In several cases 
commitments Camerfirma made to the community were not followed through on: see 
issue LL, where commitments from issues J and Z were seemingly undone, and the 
supposed remediation was incomplete. After issue R, issues T, PP, and RR should 
have been impossible. 

It is not your English that is lacking but your candor and sense of duty to the 
responsibilities with which you have been entrusted. I do not understand how 
any statements on your part can restore confidence given this record. I do not 
understand how Mozilla can trust any remediation plan Camerfirma articulates 
when the past response to incidents has been lackluster, incomplete, and, 
incredibly, continued to get worse. The proposed remediation actions strike me 
as woefully insufficient and should have been taken as part of any incident 
response already. I see no remedy but distrust.

Sincerely,
Watson Ladd

> 
> Ramiro
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
