On 10/10/16 23:00, Ryan Hurst wrote:
> I also believe there are a few core questions that are relevant to
> “what it depends on”, these include: Is it reasonable for the
> operational and technical failures StartCom made prior to the
> acquisition to be handled as a separate incident?
I presume you mean "WoSign" here? I'm not aware of significant failures
at StartCom prior to the acquisition. But then you go on to talk about
due diligence in acquisition, so I'm confused. What failures at StartCom
pre-acquisition are you thinking of?
> Since the most severe issues boil down to the operational and
> technical practices of WoSign, and the systems were under the control
> of WoSign since last year, it seems it was only luck of the draw that
> saved the involvement of StartCom in the other issues.
Or that they used a different codebase for the CMS. But saying "it's
just luck" is an unrefutable statement. StartCom was not involved in
most of the issues; many of the ones on the list happened even before
the acquisition. We can only work with the issues we have, not ones that
might have hypothetically happened if the "luck" had been different.
> On the third question, I would argue that this is the smallest of the
> identified issues since both organizations were members of the root
> program, had active WebTrust audits, and contracts in place with
> various root stores. I say this because I believe that given these
> facts it is likely Mozilla and Microsoft would have raised no
> concerns and as a result this would have been a non-issue.
> This is not to say their total failure to notify is acceptable, just
> that the larger issue in my mind is the repeated misrepresentation
> about this transaction.
I agree - it was the misrepresentation when directly challenged which
concerned me on a trust level more than the lack of notification.
> It is also my understanding Qihoo, WoSign, and StartCom were all
> voting in the CAB Forum during this period, in essence, giving one
> organization three votes. This may have been an oversight but it also
> puts into question the integrity of these organizations.
I think this is a matter for the CAB Forum.
dev-security-policy mailing list