I think that the steps against StartCom are too extreme and I would like to tell my personal opinion. First of all, I want to say that I don't have any benefits when I tell this opinion, since I personally already switched to a different CA.
(1) I did find any public answer from Apple, Google or Mozilla in regards to the Remediation plan by StartCom. I have the feeling, that the sanctions were applied without considering this document. ( https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf ) You didn't even reply to this document after it was mentioned here in this discussion. (2) I am a bit upset about the cuttling line Mozilla set (and which was adopted by Chrome yesterday) Mozilla announced on October, 24th, that certificates signed on 22 October or later will be not verified by their future browser versions. Are you aware that this is really unfair to all customers who have ordered certificates in the time frame between 22 and 24 October (without including the time it takes until the press spread the news)? They had no chance to base their buying decision on the sanction, because the sanction was not published at this time, or published by the press / news pages. Correct would have been if Mozilla set the cutting line to a future date, after the sanction was announced, for example 1 November. You, the browser vendors, are not punishing the CAs with this unfortunate deadline - you are affecting the webmasters who paid for certificates they ordered between 22-24 October, who didn't had any chance to know Mozilla's decision. (3) Since I have read a few variant forms of Mozilla's sanction plan (probably some of them were just beta), I have read that it was/is cosidered, that there will be a 1 year phase of distrust, before the re-inclusion can happen again. Somewhere else I read that the re-inclusion can be July 2017. In any case, that's unrealistic and hilarious; If the second largest browser vendor (Mozilla) will distrust a CA, then the CA will most likely become bankrupt a few months later. I don't think they could survive 1 year. DigiNotar, for example, fell into insolvency just a few weeks after they lost the trust by the vendors. (4) I am also a bit upset about Google's decision. They not only also used that unfair cutting line date (22 October), but also ruled out every chance in rescuing the trust and finding a compromise. I do think every person or company should get a second chance. From what I have read and heared, I do think that StartCom is now willing to do drastic changes and won't make the same mistakes again. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
