On Mon, 10 Oct 2016 12:11:49 +0100 Gervase Markham <[email protected]> wrote:
> > During the time that the incidents > > occurred, StartCom and WoSign were for all intents and purposes the > > same company, one wholly owned by the other, both managed by the > > same disgraced CEO, and sharing significant infrastructure. They > > should therefore be treated as the same company when responding to > > these incidents. > > This is not correct, for a complete value of "time the incidents > occurred". I believe the evidence shows that WoSign took > organizational control of StartCom in November 2015, and operational > control in late December 2015 when StartCom's systems were taken down > for 4 days to "upgrade" them to use the WoSign infrastructure. > > Issues D, F, H, J, L, N (significantly - this is a big one), O, and P > on the WoSign list all occurred before WoSign took control of > StartCom. > > Issue R refers to the purchase itself, and the lack of disclosure. > > Issue T turned out not to be WoSign's fault. > > There's no evidence that issue X applies to StartCom infra (although > there is no evidence that it doesn't). > > That leaves issue S, the backdated SHA-1 certs (WoSign backdated > 60-odd, StartCom backdated 2) and issue V, StartEncrypt (where > StartCom deployed some terrible WoSign-authored code). > > So I think it is not accurate to say that "during the time the > incidents occurred, they were the same company". During the time that > _some_ incidents occurred, one wholly owned and effectively > controlled the other. We agree that misissuances occurred under both roots during a time at which one company wholly owned and controlled the other. One of these misissuances - backdated SHA-1 certificates - is severe and was approved by the CEO of WoSign himself. The fact that some of the incidents occurred before one company controlled the other doesn't change my point that they were effectively one company at the time they were seriously mismanaged. To approach this matter from a different angle: if Qihoo can make a proposal for continuing to operate the StartCom roots which Mozilla would find acceptable, why not allow the WoSign roots to continue operating under the same proposal? Regards, Andrew _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
