Certificates in Mozilla system preferences under "Authorities" HELP please

2021-01-17 Thread Michelle via dev-security-policy
Hi there, so I'm new here, so please go easy on me :) But I've been doing some 
research on what I should and should not be seeing in my Firefox preferences 
certificates and well, it has me a bit worried. I'm hoping someone might be able 
to shed a bit of light for me and let me know if what I'm seeing is of concern 
or not. Everything is either "Built-in Object Token" or "Software Security 
Device", but under Certificate name I have things such as Actalis 
S.p.A./03358520967 Authentication Root CA from Milan with the Purposes:
Certificate Signing, CRL Signing. or 
Organization
Agencia Catalana de Certificacio (NIF Q-0801176-I)
Organizational Unit
Serveis Publics de Certificacio
Organizational Unit
Vegeu https://www.catcert.net/verarrel (c)03
Organizational Unit
Jerarquia Entitats de Certificacio Catalanes
Common Name
EC-ACC
from Country- ES
Public Key Info: RSA
also Purposes
Certificate Signing, CRL Signing
and:
Organizational Unit
ePKI Root Certification Authority
Organization
Chunghwa Telecom Co., Ltd.
Algorithm
RSA
Key Size
4096
Exponent
65537
Signature Algorithm
SHA-1 with RSA Encryption


Organization
China Financial Certification Authority
Common Name
CFCA EV ROOT

country IN
Organizational Unit
emSign PKI
Organization
eMudhra Technologies Limited
Common Name
emSign Root CA - G1

Organizational Unit
AC RAIZ FNMT-RCM
Signature Algorithm
SHA-256 with RSA Encryption
Purposes
Certificate Signing, CRL Signing

I have 3 of these

Organization
Hellenic Academic and Research Institutions Cert. Authority
Common Name
Hellenic Academic and Research Institutions RootCA 2011
Signature Algorithm
SHA-1 with RSA Encryption
Serial Number 00
Purposes
Certificate Signing, CRL Signing

Organization
Japan Certification Services, Inc.
Common Name
SecureSign RootCA11
Public Key Info
Algorithm
RSA
Key Size
2048
Exponent
65537
Modulus
FD:77:AA:A5:1C:90:05:3B:CB:4C:9B:33:8B:5A:14:45:A4:E7:90:16:D1:DF:57:

Serial Number
01
Signature Algorithm
SHA-1 with RSA Encryption
Version 3
 Fingerprints
SHA-256
BF:0F:EE:FB:9E:3A:58:1A:D5:F9:E9:DB:75:89:98:57:43:D2:61:08:5C:4D:31:4
SHA-1
3B:C4:9F:48:F8:F3:73:A0:9C:1E:BD:F8:5B:B1:C3:65:C7:D8:11:B3
Certificate Authority
Yes
Key Usages
Purposes
Certificate Signing, CRL Signing
Subject Key ID
Key ID
5B:F8:4D:4F:B2:A5:86:D4:3A:D2:F1:63:9A:A0:BE:09:F6:57:B7:DE

Few other names: Common Name
SSL.com Root Certification Authority RSA
Common Name
Staat der Nederlanden EV Root CA
Common Name
Sectigo RSA Domain Validation Secure Server CA
Common Name
TUBITAK Kamu SM SSL Kok Sertifikasi - Surum 1
Organization
TAIWAN-CA
Organizational Unit
Tanúsítványkiadók (Certification Services)
Common Name
NetLock Arany (Class Gold) Főtanúsítvány


These just don't seem right? There's MANY more. Can anyone help? Or 
point me in the right direction as to where I might get help. Just FYI my Mac 
Keychain has some pretty oddball items in it as well. A lot of Public and 
Private keys, for items with names simply "key" (for instance in the login 
keychain) Kind: Public Key, RSA, 2,048-bit, usage - encrypt, derive, verify. No 
effective date, no expiry date, and you cannot see a password or key. It's blank 
where it should be. 

I'd appreciate any help. 


___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
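The fields quoted in the post above ("Certificate Authority: Yes", "Purposes: Certificate Signing, CRL Signing", the SHA-256 and SHA-1 fingerprints) are what a browser viewer derives from a root certificate's BasicConstraints and KeyUsage extensions and from a hash over the whole DER certificate. The following is an added example, not code from this thread or from Mozilla; it uses only the Python standard library and hand-built DER fragments (labelled as constructed in the comments) to show how those values are decoded, and why a root that reads "CA: Yes" with exactly those two purposes is the normal profile rather than a sign of something wrong. The practical check for a root is the SHA-256 fingerprint, compared against Mozilla's published list of included roots (https://wiki.mozilla.org/CA/Included_Certificates).

```python
"""Decode the viewer fields for a CA certificate: KeyUsage bits,
BasicConstraints cA flag and colon-separated fingerprints.

Added example for the dev-security-policy thread; not Mozilla/NSS code.
All DER inputs below are constructed by hand for illustration.
"""
from __future__ import annotations

import hashlib

# RFC 5280 KeyUsage bit names in bit order. Bit 0 is the most significant
# bit of the first content byte of the BIT STRING.
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]

# Labels the Firefox viewer prints under "Purposes" for the two CA-only bits.
PURPOSE_LABELS = {"keyCertSign": "Certificate Signing", "cRLSign": "CRL Signing"}


def decode_key_usage(der: bytes) -> list[str]:
    """Decode a DER KeyUsage BIT STRING (tag 0x03) into the names of set bits."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:  # short-form length only
        raise ValueError("unsupported or inconsistent length")
    unused = der[2]  # number of trailing padding bits in the last byte
    if unused > 7:
        raise ValueError("unused-bits count out of range")
    body = der[3:]
    total_bits = len(body) * 8 - unused
    names = []
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        byte, bit = divmod(i, 8)
        if body[byte] & (0x80 >> bit):
            names.append(KEY_USAGE_BITS[i])
    return names


def purposes(key_usage_der: bytes) -> str:
    """Render the usage bits the way the viewer's 'Purposes' line does."""
    return ", ".join(PURPOSE_LABELS.get(n, n) for n in decode_key_usage(key_usage_der))


def decode_basic_constraints(der: bytes) -> bool:
    """Return the cA flag from a DER BasicConstraints SEQUENCE (default FALSE)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER SEQUENCE")
    body = der[2:]
    # Optional BOOLEAN (tag 0x01, length 1) comes first when present.
    if len(body) >= 3 and body[0] == 0x01 and body[1] == 0x01:
        return body[2] != 0
    return False


def fingerprints(cert_der: bytes) -> dict[str, str]:
    """Fingerprints are hashes of the entire DER certificate, formatted as
    upper-case colon-separated hex like the viewer shows them."""
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"SHA-256": fmt(hashlib.sha256(cert_der).digest()),
            "SHA-1": fmt(hashlib.sha1(cert_der).digest())}


def describe(cert_der: bytes, basic_constraints_der: bytes, key_usage_der: bytes) -> dict:
    """Assemble the viewer-style summary for one certificate."""
    is_ca = decode_basic_constraints(basic_constraints_der)
    usage = decode_key_usage(key_usage_der)
    return {
        "Certificate Authority": "Yes" if is_ca else "No",
        "Purposes": purposes(key_usage_der),
        # A root is expected to carry exactly the two CA bits; anything else
        # (or a non-CA cert under "Authorities") is worth a second look.
        "root_profile_ok": is_ca and set(usage) == {"keyCertSign", "cRLSign"},
        **fingerprints(cert_der),
    }


# Constructed sample inputs (not real certificates):
CA_BASIC_CONSTRAINTS = bytes.fromhex("300301 01FF")   # SEQUENCE { BOOLEAN TRUE }
CA_KEY_USAGE = bytes.fromhex("03020106")             # keyCertSign | cRLSign, 1 unused bit
LEAF_KEY_USAGE = bytes.fromhex("030205A0")           # digitalSignature | keyEncipherment
FAKE_CERT_DER = b"constructed stand-in for a DER certificate"

if __name__ == "__main__":
    for field, value in describe(FAKE_CERT_DER, CA_BASIC_CONSTRAINTS, CA_KEY_USAGE).items():
        print(f"{field}: {value}")
```

Only the SHA-256 fingerprint is a reliable identity for comparison; the SHA-1 value is shown for legacy reasons. Note too that the signature algorithm on a self-signed root (SHA-1 in several of the entries quoted above) is not used by the browser for trust decisions, because the root is trusted by its presence in the store, not by its own signature.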


Re: Summary of Camerfirma's Compliance Issues

2021-01-17 Thread Ramiro Muñoz via dev-security-policy
On Sunday, 10 January 2021 at 17:27:01 UTC+1, Ryan Sleevi wrote:
> On Sat, Jan 9, 2021 at 1:44 PM Ramiro Muñoz via dev-security-policy < 
> dev-secur...@lists.mozilla.org> wrote: 
> 
> > > That Camerfirma does not understand or express appreciation for this 
> > risk 
> > > is, to the extent, of great cause for concern. 
> >
> > Dear Ryan, 
> > 
> > We are looking at the same data but we’re reading two completely different 
> > stories. 
> > 
> > We are reading a story of a small CA that had its own graduation journey, 
> > struggled but eventually managed to emerge stronger from such journey. 
> > 
> > You are reading a story of a deceitful and unreliable CA that represents the 
> > worst danger to the entire community (you even wrote: “Camerfirma is as 
> > bad or worse than WoSign and DigiNotar”!), even if you yourself recognised 
> > that was your subjective opinion on the matter.
> I am concerned about the attempts to so significantly dismiss the concerns 
> as merely subjective. 
> 
> I’m saddened that Camerfirma does not recognize the seriousness of these 
> issues, despite this thread, as evidenced by this latest response. 
> Camerfirma continues to suggest “risk” as if this is some absolute that 
> should be the guiding pole. 
> 
> The analogy, in the hopes that it helps Camerfirma understand, is a bit 
> like saying to a bank “I know we borrowed $100, and defaulted on that loan 
> and never paid it back, but we were a small CA, we’ve grown, and now we 
> would like to borrow $1 million. We cannot demonstrate our financials, nor 
> can we offer collateral, but we believe we are low risk, because it was 
> only $100”. 
> 
> More concretely, Camerfirma is viewing this through the lens of what did go 
> wrong, and continuing to be blind to how that signals, from a risk 
> perspective, of what can go wrong. They are asking to be judged based on 
> the direct harm to users by their (many, more than any CA I can think of) 
> failures, while similarly asking the community to disregard the 
> significance of that pattern of failures, and what it says about the 
> overall operations of the CA. 
> 
> In short, Camerfirma is asking to be trusted implicitly and explicitly for 
> the future, and asking that their $100 default not hold back their $1m 
> loan. In banking, as in trust, this is simply unreasonable. 
> 
> Some have suggested that “trust” is the ability to use past actions to 
> predict future outcomes. If you say you do X, and as long as I’ve known 
> you, you’ve done X, then when I say I “trust” you to do X, it’s an 
> indicator I believe your future actions will be consistent with those past 
> actions. 
> 
> Camerfirma has, undisputed, shown a multi-year pattern that continues, 
> which demonstrates both a failure to correctly implement requirements, but 
> also a failure to reasonably and appropriately respond to and prevent 
> future incidents. The incident responses, which Camerfirma would like to 
> assert are signs of maturity, instead show a CA that has continued to 
> operate below the baseline expectations for years. 
> 
> Camerfirma would like the community to believe that they now meet the bare 
> minimum, as if that alone should be considered, and all of these past 
> actions disregarded because of this. 
> 
> Yet the risk is real: that Camerfirma has not met the bare minimum at 
> present, and that Camerfirma is not prepared to continue to meet that 
> minimum as the requirements are improved over time. We have exhaustive 
> evidence of this being the case in the past, and the only assurances we 
> have that things are different now is Camerfirma’s management believing 
> that, this time, they have finally got it right. However, the responses on 
> even the most recent incidents continue to show that Camerfirma is 
> continuing to pursue the same strategy for remediation it has for years: a 
> strategy that has demonstrably failed to keep up with industry 
> requirements, and failed to address the systemic issues. 
> 
> These are objective statements, demonstrated by the evidence presented, but 
> Camerfirma would like to present them as subjective, because they take 
> consideration of the full picture, and not merely the rosy, but misleading, 
> image that Camerfirma would like to present. 
> 
> That these are persistent, sustained issues, without systemic change, is 
> something demonstrably worse than DigiNotar. Further, when considering the 
> capability for harm, and the sustained pattern of failure, it would be 
> foolish to somehow dismiss the risk, pretending as if Chekhov’s gun of 
> failure is not destined to go off in the next act. 
> 
> At the core, Camerfirma is treating this as if any response from the 
> community should be directly proportional to the *individual* failures, as 
> many as they are, and is asking the community to ignore both the systemic 
> patterns and what it says about the future. This is abundantly clear when 
> they speak of risk: they