On 10/14/2016 01:00 PM, Gervase Markham wrote:
> K) StartCom impersonating mozilla.com.
> https://bugzilla.mozilla.org/show_bug.cgi?id=471702 StartCom's
> (former) CEO Eddy Nigg obtained a key and certificate for
> www.mozilla.com and placed it on an Internet-facing server.
>
> I do consider it a significant error of judgement for Eddy to have
> chosen www.mozilla.com, rather than a site owned and controlled by him
> or by a third party with whom he had an agreement, for his demonstration.
Well, at the time I didn't think that much - I noticed it when requesting a
certificate for startcom.org in order to investigate a completely
different issue, and later got one for mozilla.org (note it wasn't .com).
Initially I thought about some really high-profile name, but then I
tried with mozilla.org since I assumed that A) Mozilla would forgive me
and B) I was frequently involved here at that time. :-)
Surprisingly it worked and I got my certificate for mozilla.org...
> On the other hand, this happened 8 years ago. I'd be interested in your
> comments, Ryan, on whether you think it's appropriate for us to have
> some sort of informal "statute of limitations". That is to say, in
> earlier messages you were worried about favouring incumbents. But if
> there is no such statute, doesn't that disadvantage incumbents? No code
> is bug-free, and so a large CA with many products is going to have
> occasional troubles over the years. If they then have a larger issue, is
> it reasonable to go trawling back 10 years through the archives and pull
> out every problem there's ever been? This is a genuine question, not a
> rhetorical one.
I believe there is also something called "reasonability" - I believe
during my tenure StartCom tried to reduce risks first and foremost
through its policies, honestly and earnestly. And then unintentional
mistakes and issues can happen...

Of course every CA wants to issue hundreds of thousands of certificates,
but it usually doesn't start like this. I admit that some of the issues
were due to growing pains, scalability, or simply don't happen below a
certain number of users/certificates. Any programmer working on larger-scale
projects and long enough in the profession can tell some stories
about bugs that happen only every 50K or 50M times.

I don't want to offer cheap excuses, but reality has it that things do
happen, and this is also part of that "reasonability". CAs must however
have policies and procedures in order to evaluate issues that do happen,
make the correct assessment and deliver a reasonable solution based
thereon. This is the logic of a correctly functioning CA (or other
businesses for that matter); this is what auditors verify and what
software vendors should expect.

There is no business, no software and no certificate authority without
fault - realistically and reasonably.
--
Regards
Signer: Eddy Nigg, Founder
StartCom Ltd. <http://www.startcom.org>
XMPP: [email protected] <xmpp:[email protected]>
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy