On Thursday, October 13, 2016 at 2:03:05 AM UTC-7, Eddy Nigg wrote:
> Ryan, it was probably easy to dig up any possible claimed or proven 
> issue ever surrounding StartCom during its ~ 10 years of operation. But 
> if this is your level of measurement for remaining in a root store, than 
> you have probably some other and larger CAs that would require your 
> immediate attention more urgently....

As usual, you seem to be dismissive of any concerns about StartCom's compliance.

At core issue is whether StartCom is a trustworthy organization, if operated 
independently. Key to that is the ability of StartCom to abide by the Baseline 
Requirements and to treat the incidents as serious and warranting attention. 
Your reply, though unclear in what capacity you continue to represent StartCom, 
highlights the traditional dismissiveness - both of the message and the 
messenger - and the attempt to reply to incidents with "Somebody else did this".

If we are to accept that WoSign's past actions are not predictive of StartCom's 
future, then we must accept that Startcom's past actions are - and the past 
actions show a pattern of disregard. Whether or not others show that similar 
disregard is, to some extent, immaterial to the question as to whether StartCom 
was competently operated, is competently operated, and will be competently 

> As most issues have been discussed and explained at that time, I'm not 
> sure about it's usefulness to repeat the same arguments and explanations 
> again. Most issues you are listing were mostly minor (but makes your 
> list longer of course) and have been effectively and properly dealt with.

Isn't this the same response WoSign made? Isn't the fact that there is a 
pattern of misissuances - and dismissiveness - material to the claim as to 
whether StartCom ever was, or is, trustworthy?

> You make this appear as if StartCom used its capacity as a certificate 
> authority to somehow abuse somebody or something, 

I didn't - and the linked bug doesn't suggest that either.

> Interesting that you are using it to shoot the messenger from back then 
> and list this as an item against StartCom :-)

The ability to responsibly handle security incidents in the past is relevant to 
the ability to responsibly handle security incidents in the future.

> I'm not claiming that there have 
> been zero issues during the last ten years, but StartCom has had always 
> clear policies and practices in place about how to deal with an issue 
> reasonably according to its significance, seriousness and importance.

For those that do investigate into the linked bugs, I suspect they will likely 
reach a conclusion that you and StartCom have routinely underestimated 
significance, downplayed seriousness, and not always acted reasonably. 
Similarly, with respect to elements such as duplicate serial numbers or OCSP 
responders, patterns of behaviour which have short- and long-term negative 
effects on the WebPKI are routinely missed for deadlines and remediation.

This naturally argues for a conclusion that, for the set of outstanding issues 
to be remediated in response to the WoSign acquisition of StartCom, that 
StartCom may miss deadlines for remediation.

To some extent, this may be moot due to Kathleen's proposal, but I don't think 
your assertions should remain unchallenged while people mull and evaluate 
whether or not it's appropriate to treat StartCom as the WoSign subsidiary that 
it was and currently is.
dev-security-policy mailing list

Reply via email to