Hi Ryan,

I agree with your five tenets. And you ask a very important question:

On 07/10/16 18:43, Ryan Hurst wrote:
> The problem is that this sets a dangerous precedent. Let’s assume a
> similar situation happens in the future with another CA who owns
> multiple brands. Would you ignore the violations of the rules and
> allow them to carve off one brand because you liked who they would
> let manage it if you do?
> 
> I would hope the answer is no.

I think the answer is that it depends on what happened.

What is now Symantec, ex-Verisign, has bought several CAs over the
years. Thawte was fully integrated; GeoTrust, AIUI, was not - they still
have separate issuing systems. Therefore, if there was a catastrophic
failure of technology in those GeoTrust systems, there would at least be
a case for any sanctions to apply only to GeoTrust-operated roots. If
(hypothetically!) there was evidence of conspiracy to misissue by the
common management, there would be little case for treating the brands
differently.

As Xiaosheng Tan has posted, the technical situation with StartCom and
WoSign is complex. Some systems are shared (cloned code), some are not.

> I would say that holding them equally accountable is the right thing
> to do, since for the time in question, they were equivalently managed
> and operated.

See my other message for why I don't think that is totally true. Many of
the incidents on the list, including the major cert-to-the-wrong-person
Issues L and N, occurred before WoSign bought StartCom. StartEncrypt had
a hole allowing this, although StartCom did have additional "high value
domain" checking and no-one actually achieved it. Opinions may
reasonably vary on whether this is equally as bad as Issue N.

Gerv
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy