On 10/14/2016 01:00 PM, Gervase Markham wrote:
> K) StartCom impersonating mozilla.com.
> https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's
> (former) CEO Eddy Nigg obtained a key and certificate for
> www.mozilla.com and placed it on an Internet-facing server.
> I do consider it a significant error of judgement for Eddy to have
> chosen www.mozilla.com, rather than a site owned and controlled by him
> or by a third party with whom he had an agreement, for his demonstration.

Well, at the time I didn't think that much - I noticed it when requesting a certificate for startcom.org in order to investigate a completely different issue, and later got one for mozilla.org (note it wasn't .com). Initially I thought about some really high-profile name, but then I tried with mozilla.org since I assumed that A) Mozilla would forgive me and B) I was frequently involved here at that time. :-)

Surprisingly it worked and I got my certificate for mozilla.org...

> On the other hand, this happened 8 years ago. I'd be interested in your
> comments, Ryan, on whether you think it's appropriate for us to have
> some sort of informal "statute of limitations". That is to say, in
> earlier messages you were worried about favouring incumbents. But if
> there is no such statute, doesn't that disadvantage incumbents? No code
> is bug-free, and so a large CA with many products is going to have
> occasional troubles over the years. If they then have a larger issue, is
> it reasonable to go trawling back 10 years through the archives and pull
> out every problem there's ever been? This is a genuine question, not a
> rhetorical one.

I believe there is also something called "reasonability" - I believe during my tenure StartCom tried to reduce risks first and foremost through its policies, honestly and earnestly. And then unintentional mistakes and issues can happen...

Of course every CA wants to issue hundreds of thousands of certificates, but it usually doesn't start like this. I admit that some of the issues were due to growing pains, scalability, or simply don't happen below a certain number of users/certificates. Any programmer working on larger-scale projects and long enough in the profession can tell some stories about bugs that happen only every 50K or 50M times.

I don't want to offer cheap excuses, but reality has it that things do happen, and this is also part of that "reasonability". CAs must however have policies and procedures in order to evaluate issues that do happen, make the correct assessment and deliver a reasonable solution based thereon. This is the logic of a correctly functioning CA (or other businesses for that matter), this is what auditors verify and what software vendors should expect.

There is no business, no software and no certificate authority without fault - realistically and reasonably.

Signer:         Eddy Nigg, Founder
        StartCom Ltd. <http://www.startcom.org>
XMPP:   start...@startcom.org <xmpp:start...@startcom.org>

dev-security-policy mailing list