On Tuesday, October 11, 2016 at 1:28:42 AM UTC-7, Gervase Markham wrote:
> I presume you mean "WoSign" here? I'm not aware of significant failures
> at StartCom prior to the acquisition. But then you go on to talk about
> due diligence in acquisition, so I'm confused. What failures at StartCom
> pre-acquisition are you thinking of?

No, I meant StartCom. I was not referring to a specific issue. I was simply stating that when you buy something, you get the good and the bad, and that includes you tainting your purchase with your own issues. This is not unique to the WebPKI ecosystem, this is the way acquisitions work.

>> Or that they used a different codebase for the CMS. But saying "it's
>> just luck" is an un-refutable statement. StartCom was not involved in
>> most of the issues; many of the ones on the list happened even before
>> the acquisition. We can only work with the issues we have, not ones that
>> might have hypothetically happened if the "luck" had been different.

Given how manual the process was and that the keys were under both logically and physically the control of WoSign the different code base is somewhat immaterial. Control is control. My statement about “luck” is an attempt to speak to that.

>> I think this is a matter for the CAB Forum.

I think that is a bad position to take. Certainly the trustworthiness of an operator is of paramount importance to Mozilla when considering to make an accommodation on behalf of the issuer?

