On Fri, Oct 7, 2016 at 9:50 AM, Ryan Sleevi <[email protected]> wrote:
> On Friday, October 7, 2016 at 9:10:29 AM UTC-7, Gervase Markham wrote:
>> I have my own opinions, which clearly will carry some weight,
>> but the decision is not mine. So the following is an explanation of how
>> I myself am viewing the situation.
>
> with that same disclaimer...

I will add my own disclaimer: opinions here are my own and do not
necessarily represent those of my employer.

>> Once WoSign bought StartCom
>> and StartCom started being influenced by WoSign technology and
>> management, things went downhill there too. But I feel that
>> re-separation of the two - at all levels, ownership, management and
>> technology - might allow StartCom to continue as a going concern. This
>> would imply StartCom has management Mozilla trusts, no ownership
>> connection through WoSign, and uses reliable technology not authored at
>> WoSign.
>
> Well, there can never be a perfect separation - though the WoSign report 
> indicates that there wasn't a complete close of financial disbursements, 
> there was a significant organizational and operational shift made under the 
> terms of the contract that StartCom is, at present, significantly enmeshed 
> with WoSign, and that process happened over a year.

I think that this is key.  A CA operator is a legal entity run by
people.  Which people own what percentage of the operator is one
relevant input to the discussion.  How much they have been paid or not
been paid might be an interesting story for tabloids (maybe I should
pitch it to NetCraft), but should have no relevance.

What is relevant is who has operational management over the CA.  There
is no question at this point that WoSign exercised control over
StartCom.  The report clearly states that the CEO of WoSign directed
StartCom to issue a certificate in June 2016 that was in contravention
of the StartCom CPS and StartCom complied.  I don't think there can be
much stronger evidence.  And, just to be clear, WoSign's own reports
clearly show that the CEO of WoSign had operational control of WoSign.
In the 4 September 2016 report from WoSign, Figures 4 and 5 clearly
show that the CEO approved all changes to systems.  So there should be
no question of shared operational control of StartCom and WoSign in
addition to WoSign owning StartCom.

>> As I said in my previous email, Qihoo's plans are enough, I think, count
>> as "data relevant to our current view" and I think we should at least
>> consider the two CAs separately, although that doesn't preclude reaching
>> the same conclusion for each.
>
> I'm uncomfortable with this, because it's a promise, with no timeline for 
> delivery, and significant risk until it's met. This gets back to the question 
> of priorities and goals for the root program. Would we accept a new CA that 
> presented serious issues but promised to resolve them? I think history shows 
> quite clearly that no - the community rejects such applications until the CA 
> is able to resolve, and demonstrate they resolve them. The fact that this 
> causes delays to the CA's application therefore incentivizes getting it 
> correct.
>
> If the view is that once you're in, there's a higher bar to get out, then it 
> sets a double standard as to how the program is maintained, and one that I 
> fear may put users at risk.
>
>> As noted above, no agreement has been reached. However, as the person
>> who took a meeting with Qihoo's Head of Security, who will now chair
>> StartCom, I feel that he does understand the issues and I am willing to
>> give his chairmanship and Inigo Barreia's CEO-ship an opportunity to
>> demonstrate they can run a CA well. Inigo's track record at Izenpe is
>> good - I'm not aware of any incidents involving them.
>
> No, but it suggests that if you play the game of organizational structuring, 
> you can reduce risk of consequence. It suggests that, rather than integrate 
> systems (such as Symantec has done with brands, or as Entrust is doing with 
> AffirmTrust), you maintain them as "arms-distance" (legally speaking) 
> entities, while the elements that the public cannot see are shared. Is that 
> uncertainty worth introducing into the ecosystem? Is it something we already 
> accept? I'm not sure, but I'm quite uncomfortable with the implications of 
> the line of thinking.

I think that the plans to both change the ownership structure and
operational control should be seen as positive steps and the beginning
of the process for applying to rejoin as two separate CAs.

"Organizational Structuring", as you put it, is very relevant to
determining whether two entities should be treated as independent when
it comes to their membership in the Mozilla CA program.  We know that
Thawte, Inc., GeoTrust, Inc. and Symantec Corporation are each legal
entities (see the EV certs on the websites for confirmation).  However
they have clearly decided to operate as one, based on their interactions
with Mozilla.

On the other hand, I think there are legitimate independence cases where
two or more CAs share some part of their operations.  For example,
EJBCA from PrimeKey is apparently a commonly used CA software.  I think
multiple CAs in the Mozilla program use this and effectively share
development costs by paying PrimeKey to develop the software.  I'm
sure there are also cases where two CAs use the same data center or
the same HSM provider.  Just because there is shared technical
infrastructure does not mean there is not independence.

I think the proposal from 360 to operate WoSign and StartCom as
separate subsidiaries is interesting and something that is well worth
reviewing if/when they apply to rejoin the program.  However that does
not change the past.  WoSign and StartCom were, at least as of a month
ago, under common control with WoSign owning and directing operations
of StartCom.  Therefore I think they must be treated as one when
reviewing what actions to take as a result of their past behavior.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy