Hi Eddy,

While I have sympathy with what you say, your analysis is incomplete in
one respect.

On 11/10/16 09:41, Eddy Nigg wrote:
> The problematic issue in relation to StartCom is obviously the _two
> backdated SHA1 certificates_ 

There is also the case of StartEncrypt. While no known
cert-to-wrong-person misissuance occurred because the researchers in
question used domains they already controlled to prove their point, but
there seemed to be multiple holes by which this might be possible.


Of course, people can reasonably disagree on the seriousness of the
issue (standalone, and by comparison with e.g. WoSign issue N), and it
is true that StartCom took this codebase wholesale from WoSign, but it
seems incomplete to leave this out entirely.

> But by looking at StartCom's performance besides that, I believe that
> some of the voices and arguments haven't been reasonable during this
> discussion! Was there a CA certificate compromise? Has StartCom lost
> control of its issuance processes? Has StartCom in general failed to
> validate certificate properties correctly? Has StartCom lost its ability
> to abide and comply to the policies and requirements set forth? Has and
> does StartCom present an undue risk to the user-base of Mozilla (and
> relying parties in general)?

Eddy: does StartCom currently have any fully-automated certificate
issuance mechanisms, or does every certificate request pass by human
eyes before issuance?


dev-security-policy mailing list

Reply via email to