I think that the steps against StartCom are too extreme and I would like to 
give my personal opinion. First of all, I want to say that I don't gain any 
benefit from giving this opinion, since I personally have already switched to a 
different CA.

(1) I did not find any public answer from Apple, Google or Mozilla in regards to 
the Remediation Plan by StartCom. I have the feeling that the sanctions were 
applied without considering this document 
(https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf). 
You didn't even reply to this document after it was mentioned here in this 
discussion.

(2) I am a bit upset about the cutting line Mozilla set (and which was adopted 
by Chrome yesterday).

Mozilla announced on October 24th that certificates signed on 22 October or 
later will not be verified by their future browser versions. Are you aware that 
this is really unfair to all customers who ordered certificates in the 
time frame between 22 and 24 October (not including the time it takes until 
the press spreads the news)? They had no chance to base their buying decision on 
the sanction, because the sanction had not been published at this time, nor 
reported by the press / news pages. It would have been correct for Mozilla to set 
the cutting line to a future date, after the sanction was announced, for example 1 November.

You, the browser vendors, are not punishing the CAs with this unfortunate 
deadline - you are affecting the webmasters who paid for certificates they 
ordered between 22 and 24 October, who didn't have any chance to know Mozilla's 
decision.

(3) Since I have read a few variant forms of Mozilla's sanction plan (probably 
some of them were just beta), I have read that it was/is considered that there 
will be a 1 year phase of distrust before the re-inclusion can happen again. 
Somewhere else I read that the re-inclusion can be July 2017. In any case, 
that's unrealistic and hilarious; if the second largest browser vendor 
(Mozilla) distrusts a CA, then the CA will most likely become bankrupt a 
few months later. I don't think they could survive 1 year. DigiNotar, for 
example, fell into insolvency just a few weeks after they lost the trust of the 
vendors.

(4) I am also a bit upset about Google's decision. They not only used that 
unfair cutting line date (22 October), but also ruled out every chance of 
rescuing the trust and finding a compromise. I do think every person or company 
should get a second chance. From what I have read and heard, I do think that 
StartCom is now willing to make drastic changes and won't make the same mistakes 
again.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy