On 07/10/16 13:23, Jakob Bohm wrote:
> On 07/10/2016 13:12, Gervase Markham wrote:
>> ...
>> * WoSign agrees it should have been more forthcoming about its purchase of StartCom, and announced it earlier.
>>
>> * WoSign and StartCom are to be legally separated, with the corporate structure changed such that Qihoo 360 owns them both individually, rather than WoSign owning StartCom.
>>
>> * There will be personnel changes:
>>
>>   - StartCom’s chairman will be Xiaosheng Tan (Chief Security Officer of Qihoo 360).
>>   - StartCom’s CEO will be Inigo Barreira (formerly GM of StartCom Europe).
>> ...
>> * StartCom will soon provide a plan on how they will separate their operations and technology from that of WoSign.
>>
>> * In the light of these changes, Qihoo 360 request that WoSign and StartCom be considered separately.
>>
>>
>> Mozilla is minded to agree that it is reasonable to at least consider the two companies separately, although that does not preclude the possibility that we might decide to take the same action for both of them. Accordingly, Mozilla continues to await the full remediation plan from StartCom so as to have a full picture. However, I think we can work towards a conclusion for WoSign now.
>>
>
> As an outsider, here is one question: If StartCom has not yet decided on a technical separation plan, could one acceptable option for such a plan be to reactivate the old (pre-acquisition) infrastructure and software and take it from there?
>
> An answer to that might help StartCom choose an acceptable plan.

I think a good approach for StartCom's remediation plan would be to follow the conditions for readmission suggested by Mozilla:

> * A Point-In-Time Readiness Audit (PITRA) from a Mozilla-agreed WebTrust auditor;
> * A full code security audit of their issuing infrastructure from a Mozilla-chosen security auditor;
> * 100% embedded CT for all issued certificates, logged to at least one Google and one non-Google log not controlled by WoSign/StartCom;

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

