On 07/10/16 18:25, Andrew Ayer wrote:
> Consider the following hypothetical: Honest Achmed's Used Cars and

I would note in passing that amusing hypotheticals can sometimes work to obscure the actual point you are trying to make, because it's not clear which aspects of the hypothetical are pertinent and which aren't. So I will skip past that and engage with your point.

> During the time that the incidents
> occurred, StartCom and WoSign were for all intents and purposes the
> same company, one wholly owned by the other, both managed by the same
> disgraced CEO, and sharing significant infrastructure. They should
> therefore be treated as the same company when responding to these
> incidents.

This is not correct, for a complete value of "time the incidents occurred".

I believe the evidence shows that WoSign took organizational control of StartCom in November 2015, and operational control in late December 2015 when StartCom's systems were taken down for 4 days to "upgrade" them to use the WoSign infrastructure.

Issues D, F, H, J, L, N (significantly - this is a big one), O, and P on the WoSign list all occurred before WoSign took control of StartCom. Issue R refers to the purchase itself, and the lack of disclosure. Issue T turned out not to be WoSign's fault. There's no evidence that issue X applies to StartCom infra (although there is no evidence that it doesn't).

That leaves issue S, the backdated SHA-1 certs (WoSign backdated 60-odd, StartCom backdated 2) and issue V, StartEncrypt (where StartCom deployed some terrible WoSign-authored code).

So I think it is not accurate to say that "during the time the incidents occurred, they were the same company". During the time that _some_ incidents occurred, one wholly owned and effectively controlled the other.

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

