On 10/07/2016 12:38 PM, Gervase Markham wrote:
> I am a little surprised it hasn't appeared by now. We did not agree a
> specific deadline, but my impression was that it would appear in a few
> days, which I mentally interpreted as "by the end of the week". Today is
> Friday, so there is still time for my vague expectations to be met :-)
>
> I'm sure Edward, Tan and Inigo are working on it furiously. Perhaps they
> can give a status update and an estimated time of publication?

Hi Gerv,

I'm sorry for the somewhat late reply due to holidays/weekends and flight connections of the participants of the meeting. First, thanks for hosting the meeting and I'm sorry that I personally couldn't attend.

WoSign already provided its incident report which includes basically most information regarding the various issues and failures. There were parts of the proposed steps mentioned already, hereby I'm trying to summarize it. Next week we'll add sub sections and dates to it:


1) Legal Structure - Separation of StartCom and WoSign's legal structure - StartCom reports directly to Qihoo 360.

2) Management / Board - Mr. Tan is appointed Chairman of StartCom, Inigo Barreira appointed CEO/Director of StartCom.

3) Team / Operations - Tan and Inigo work to separate StartCom and WoSign verification, development and management teams. Basically any previously shared functions (where they existed) will be separated.

4) System / Software - Any shared infrastructure will be separated from WoSign, current code base will be reviewed by Qihoo 360 and audited internally. StartCom makes the systems available for an external security audit as necessary.

5) All certificates past, present and future will be logged with CT compliant log servers.

6) Public Documentation - StartCom will present its near-term plan and update as it progresses.


Item 6 is currently the outlined steps above, plus most specifications, sub steps, specific dates in particular for items 3 and 4. I assume that steps and promises StartCom commits to will be audible and/or easy to be confirmed.

I assume that Inigo will report to the mailing list sometimes directly too in order to update on the progress.

--
Regards
Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
