Andrew Ayer [[email protected]] wrote:

  Consider the following hypothetical: Honest Achmed's Used Cars and
  Certificates operates two roots, Honest Achmed Root A and Honest Achmed
  Root B.  The two roots share much of the same infrastructure, and over
  the same period of time, both roots have serious incidents, including
  Honest Achmed himself approving the backdating of SHA-1 certificates
  under both roots.

Well this would never happen since backdating would imply that Honest Achmed
is not Honest. Since Achmed is by definition Honest, he would never wind back
the odometer on a car, backdate a SHA-1 certificate, or patch up a rusted
panel in a lovely light blue 1972 Anadol A2 with only one previous owner
using body filler, no matter what Cousin Husamettin says.

  After the incidents come to light, Honest Achmed's majority owner, Uncle
  Mehmet, fires Honest Achmed

Honest Achmed is the sole owner of Honest Achmed's Used Cars and CA.
Achmed's Uncle Mehmet passed away several years ago and never held any
controlling interest. Nor did Cousin Ligg or Uncle Wang. Pay no attention
to the holding company in the UK or the as-yet-undiscovered shell company
in Malta.

  How is WoSign/StartCom different?

I do not see how WoSign has done wrong. The purpose of a CA is to sell
certificates and make money. If a client comes to the CA and asks for a
certificate, the CA sells them one and makes a profit. This is what WoSign
has done. This is what a CA does. What is the problem?
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy