Gerv,

Again, this mail represents my own personal beliefs and does not necessarily represent the beliefs of my employer, Google, or Let’s Encrypt, where I am an advisor.
I agree an appropriate response depends on the facts, so as you say, it depends. I also believe there are a few core questions that are relevant to “what it depends on”. These include:

1. Is it reasonable for the operational and technical failures StartCom made prior to the acquisition to be handled as a separate incident?
2. Did the operational changes that occurred after the acquisition impact the trustworthiness of StartCom as an independent entity?
3. How severe is the failure of both WoSign and StartCom to notify the root programs of the change of ownership?
4. Should the misrepresentation of facts regarding the acquisition and other issues, by both parties, have an impact on the faith in any claims made by the two organizations?

On the first question, I can see arguments in both directions. When a company is purchased, you inherit both the assets and liabilities of that organization. This is why due diligence is such an important part of acquisitions. In short, under this line of reasoning, if Qihoo/WoSign failed to do sufficient due diligence as part of the acquisition, this is their problem and not the problem of the WebPKI. In other words, with this line of thinking, treating both sets of issues as one “incident” could be seen as reasonable and expected.

The alternative view would be to say that the most severe issues were a function of WoSign’s leadership and technical practices. This, combined with StartCom’s past good practices, might carry sufficient weight to justify special-casing the StartCom issues.

I struggle with this second view. To understand why, let’s look at DigiCert’s acquisition of the Verizon PKI business. We all know how poorly Verizon managed that infrastructure; it was a liability to the WebPKI. I am confident that if DigiCert had not taken on the burden to repair their dysfunction, Verizon would have been distrusted.
In this respect my view is that DigiCert spent the trust and goodwill they had earned in the past for a grace period to clean up the Verizon mess. In the case of Qihoo/WoSign/StartCom, the prior goodwill is in what is, for all intents and purposes, a non-existent organization (StartCom). I say this because it is now under new ownership and new management. In other words, the new management has no equivalent goodwill to spend.

On the second question, based on Xiaosheng’s email, it seems the CA and OCSP services have been under the administrative and operational control of WoSign since December 2015. It also seems the RA (the CMS) system has been in a shared control situation for what we can only assume is the same period. These are the material systems covered by WebTrust audits; the others, while potentially relevant, are arguably not material to the issuance of SSL certificates. Since the most severe issues boil down to the operational and technical practices of WoSign, and the systems were under the control of WoSign since last year, it seems it was only luck of the draw that saved StartCom from involvement in the other issues.

On the third question, I would argue that this is the smallest of the identified issues, since both organizations were members of the root program, had active WebTrust audits, and had contracts in place with various root stores. I say this because I believe that, given these facts, it is likely Mozilla and Microsoft would have raised no concerns, and as a result this would have been a non-issue. This is not to say their total failure to notify is acceptable, just that the larger issue in my mind is the repeated misrepresentation about this transaction.

On the fourth question, while this is not a technical or contractual requirement of the Mozilla root program, being truthful is the foundation of any good relationship. The “goodwill” one gets in a relationship is always a function of the quality of that relationship.
It is also my understanding that Qihoo, WoSign, and StartCom were all voting in the CAB/Forum during this period, in essence giving one organization three votes. This may have been an oversight, but it also puts into question the integrity of these organizations. As such, it seems to me that offering goodwill to organizations that have a history of acting in bad faith (on purpose or otherwise), without other mitigating factors, sets a bad precedent.

In summary, I am still inclined to say the right response is to treat the two sets of incidents as one. The gestures being made by Qihoo are the right ones to be made, but they do not nullify the past actions. Instead, I believe the good faith steps being made by Qihoo to address this situation should be given heavy weight in any resubmission process. I would add that Mozilla should update its policies to make it clear how important the ownership notification process is to maintaining trust in the WebPKI ecosystem.

Ryan

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

