On Tuesday, September 27, 2016 at 2:15:38 AM UTC-7, Gervase Markham wrote:
> On 26/09/16 15:20, Gervase Markham wrote:
> > However, this forum is the appropriate place for discussing it. Please
> > feel free to cut and paste any parts you wish to quote and comment on.
> 
> Participants may be interested in this blog post from Tyro:
> https://tyro.com/blog/merchant-security-is-tyros-priority/
> 
> Gerv

So this is almost proof that WoSign/StartCom has been intentionally back-dating
certificates to avoid blocks on SHA-1 issuance in browsers. And when being
specifically asked about those certs, WoSign/StartCom expressively attempted to
deceive this community by saying all certs are normal.

Based on this new evidence, do you think the statement "This distrust would
remain for a minimum of 1 year. After that time, WoSign/StartCom may be
readmitted to the Mozilla trust program, under the following conditions" should
be updated to reflect this?

I think auditing only works for a benign party with unintentional mistakes. The
new evidence suggests WoSign/StartCom is almost hostile.
If WoSign/StartCom willfully deceives auditors, changes the code between
audits, and intentionally malpractices outside of the auditing period, I don't think
audits are a safeguard against them.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy