Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-27 Thread Watson Ladd via dev-security-policy
On Monday, January 25, 2021 at 9:21:53 PM UTC-8, Ben Wilson wrote:
> Dear All,
>
> We appreciate your comments and participation in the discussion about the
> Summary of Camerfirma's Compliance Issues,
> https://wiki.mozilla.org/CA:Camerfirma_Issues.
>
> Mozilla has not yet made a decision

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Andrew Ayer via dev-security-policy
On Mon, 25 Jan 2021 22:21:31 -0700 Ben Wilson via dev-security-policy wrote:
> Camerfirma has responded to the list of issues by providing a Remediation
> Plan,
> https://drive.google.com/file/d/1DV7cUSWqdOEh3WwKsM5k1U5G4rT9IXog/view?usp=sharing,
> with a commitment to align Camerfirma to the

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Wayne Thayer via dev-security-policy
Ben, Here are my thoughts: - First off, we have given Camerfirma the benefit of the doubt for too long and Mozilla can't continue to trust Camerfirma while they remediate these problems. With all the documented issues and Camerfirma's response, that would represent an unacceptable ongoing risk

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Ben Wilson via dev-security-policy
All, So far there have been several good comments. Please keep them coming. I want to take this opportunity just to clarify a few things. First, it has been Mozilla's long-standing position that, "We believe that the best approach to safeguarding secure browsing is to work with CAs as

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread pfuen...--- via dev-security-policy
In my personal opinion, given that most of the actions for the remediation plan are expected to be completed during the first quarter of 2021, if the community considers that the plan adequately prevents further issues, it would be reasonable to establish a deadline to take such a decision

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Jonathan Rudenberg via dev-security-policy
On Tue, Jan 26, 2021, at 00:21, Ben Wilson via dev-security-policy wrote:
>
> - Do the proposed actions in the Remediation Plan address the underlying
> issues?
>
> - If Camerfirma fully executes on this plan, will that be sufficient to
> regain trust so that they can remain a CA in Mozilla's

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Matthias van de Meent via dev-security-policy
On Tue, 26 Jan 2021 at 06:21, Ben Wilson via dev-security-policy wrote:
>
> - Do the proposed actions in the Remediation Plan address the underlying
> issues?

One of the underlying issues is that Camerfirma has multiple SubCAs with each their own control over ICA keys, CPS, certificate profiles,

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Burton via dev-security-policy
Hi Ben, The CA has been given chance after chance to improve after incident after incident but failed to do so. The remediation plan is a doorstop plan for the CA to wedge the door open to remain in the Mozilla root store but it's time to face the inevitable conclusion and the door must close on

Re: Mozilla's Response to Camerfirma's Compliance Issues

2021-01-26 Thread Andrey West Siberia via dev-security-policy
In my opinion, Mozilla is too soft on violators... (sorry)