On Monday, January 25, 2021 at 9:21:53 PM UTC-8, Ben Wilson wrote:
> Dear All, 
> 
> We appreciate your comments and participation in the discussion about the 
> Summary of Camerfirma's Compliance Issues, 
> https://wiki.mozilla.org/CA:Camerfirma_Issues. 
> 
> Mozilla has not yet made a decision about Camerfirma's continuation in our 
> root store. We intend to continue with our public discussion process to 
> determine whether Camerfirma's root certificates can remain included in 
> Mozilla's root store, and what actions they need to take. 
> 
> Camerfirma has responded to the list of issues by providing a Remediation 
> Plan, 
> https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing,
>  
> with a commitment to align Camerfirma to the highest level of standards of 
> the Mozilla community. 
> 
> They asked if there are parts of the Remediation Plan that need 
> clarification and for suggestions to improve the Remediation Plan. 
> 
> We will appreciate your constructive feedback on it. 
> 
> - Do the proposed actions in the Remediation Plan address the underlying 
> issues? 

In my opinion they do not. Camerfirma has demonstrated that they do not know 
what good management is, yet they ask us to trust in their ability to evaluate 
their sub CAs. Camerfirma has a history of not following through on their 
commitments, with multiple incidents with similar root causes despite committing 
to addressing the root causes. Camerfirma seems to depend on human evaluation 
in the issuance process to an alarming extent. I think it's worth revising the 
BRs to require extensive process automation.

> 
> - If Camerfirma fully executes on this plan, will that be sufficient to 
> regain trust so that they can remain a CA in Mozilla's root store? 

I don't think this plan goes beyond what a reasonable person would have done in 
response to the incidents. It's too little, too late. The repetition of already 
existing commitments is alarming. Either they reneged then, or they are lying 
now.
> 
> - Do you have additional recommendations for steps that you think 
> Camerfirma should take? 

Camerfirma should at minimum insource all subCA operations. Camerfirma should 
automate all BR requirements and steps in the issuance process that are humanly 
possible to automate, and ensure that all manual actions are reviewed 
independently before and after being acted upon. Camerfirma should also replace 
its current legal counsel with a competent one, and ask them to review all 
existing subscriber agreements and other contracts and the BRs and Mozilla root 
program requirements and determine if any conflicts exist, and if so remedy 
them. If conflicts are unresolvable Camerfirma should be distrusted. 
Camerfirma should halt all issuance until the plan is implemented. 

Given the extent of the possible SubCA problems all issuance from the old roots 
should sunset or be limited to explicitly disclosed intermediate certificates, 
no new ones created. Then new roots should be created and a de novo application 
for inclusion created. I'm not sure even this would assuage my worries. 
Ultimately the trust one can place in individuals is dependent upon their 
character, and Camerfirma has a history of being dilatory and lackadaisical 
with critically important issues, and I'm not sure what can change that kind of 
organizational rot.

Sincerely,
Watson Ladd 
> 
> Thanks, 
> 
> Ben
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
