On Thursday, October 13, 2016 at 2:03:05 AM UTC-7, Eddy Nigg wrote:
> Ryan, it was probably easy to dig up any possible claimed or proven
> issue ever surrounding StartCom during its ~ 10 years of operation. But
> if this is your level of measurement for remaining in a root store, then
> you have probably some other and larger CAs that would require your
> immediate attention more urgently....

As usual, you seem to be dismissive of any concerns about StartCom's compliance.
At core issue is whether StartCom is a trustworthy organization, if operated
independently. Key to that is the ability of StartCom to abide by the Baseline
Requirements and to treat the incidents as serious and warranting attention.
Your reply, though unclear in what capacity you continue to represent StartCom,
highlights the traditional dismissiveness - both of the message and the
messenger - and the attempt to reply to incidents with "Somebody else did this".
If we are to accept that WoSign's past actions are not predictive of StartCom's
future, then we must accept that StartCom's past actions are - and the past
actions show a pattern of disregard. Whether or not others show that similar
disregard is, to some extent, immaterial to the question as to whether StartCom
was competently operated, is competently operated, and will be competently

> As most issues have been discussed and explained at that time, I'm not
> sure about its usefulness to repeat the same arguments and explanations
> again. Most issues you are listing were mostly minor (but make your
> list longer of course) and have been effectively and properly dealt with.

Isn't this the same response WoSign made? Isn't the fact that there is a
pattern of misissuances - and dismissiveness - material to the claim as to
whether StartCom ever was, or is, trustworthy?

> You make this appear as if StartCom used its capacity as a certificate
> authority to somehow abuse somebody or something,

I didn't - and the linked bug doesn't suggest that either.

> Interesting that you are using it to shoot the messenger from back then
> and list this as an item against StartCom :-)

The ability to responsibly handle security incidents in the past is relevant to
the ability to responsibly handle security incidents in the future.

> I'm not claiming that there have
> been zero issues during the last ten years, but StartCom has always had
> clear policies and practices in place about how to deal with an issue
> reasonably according to its significance, seriousness and importance.

For those that do investigate into the linked bugs, I suspect they will likely
reach a conclusion that you and StartCom have routinely underestimated
significance, downplayed seriousness, and not always acted reasonably.
Similarly, with respect to elements such as duplicate serial numbers or OCSP
responders, patterns of behaviour which have short- and long-term negative
effects on the WebPKI are routinely missed for deadlines and remediation.
This naturally argues for a conclusion that, for the set of outstanding issues
to be remediated in response to the WoSign acquisition of StartCom,
StartCom may miss deadlines for remediation.
To some extent, this may be moot due to Kathleen's proposal, but I don't think
your assertions should remain unchallenged while people mull and evaluate
whether or not it's appropriate to treat StartCom as the WoSign subsidiary that
it was and currently is.

dev-security-policy mailing list