On 10/12/2016 10:11 PM, Ryan Sleevi wrote:
> As Gerv suggested this was the official call for incidents with respect to StartCom, it seems appropriate to start a new thread.
Ryan, it was probably easy to dig up any possible claimed or proven issue ever surrounding StartCom during its ~10 years of operation. But if this is your level of measurement for remaining in a root store, then you probably have some other and larger CAs that would require your immediate attention more urgently...
> Incidents with StartCom:
As most issues have been discussed and explained at that time, I'm not sure about its usefulness to repeat the same arguments and explanations again. Most issues you are listing were mostly minor (but they make your list longer, of course) and have been effectively and properly dealt with.
> K) StartCom impersonating mozilla.com. https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's (former) CEO Eddy Nigg obtained a key and certificate for www.mozilla.com and placed it on an Internet-facing server.
You make this appear as if StartCom used its capacity as a certificate authority to somehow abuse somebody or something, but for the wider audience:
I was able to obtain a certificate for mozilla.org from Comodo without having the authority to validate said domain name - in fact, I could also have obtained wildcards and many more certificates for any domain name had I been willing to pay for it. I installed the certificate on a local server as a proof, in the same fashion millions of web sites install theirs. The private key was never published to any third party and was eventually destroyed.
Interesting that you are using it to shoot the messenger from back then and list this as an item against StartCom :-)
> I hope the above shows that the odds are, if the original StartCom systems are restored, we're likely to continue to have significant BR violations - a pattern StartCom has repeatedly demonstrated over several years.
There is no plan to use software that doesn't comply with the various requirements, and there never has been. I'm not claiming that there have been zero issues during the last ten years, but StartCom has always had clear policies and practices in place about how to deal with an issue reasonably according to its significance, seriousness and importance.
--
Regards

Signer: Eddy Nigg, Founder StartCom Ltd. <http://www.startcom.org>
XMPP: start...@startcom.org

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy