On 02/11/2016 13:44, [email protected] wrote:
> I think that the steps against StartCom are too extreme and I would like to
> tell my personal opinion. First of all, I want to say that I don't have any
> benefits when I tell this opinion, since I personally already switched to a
> different CA.
> (1) I did not find any public answer from Apple, Google or Mozilla in regards to
> the Remediation plan by StartCom. I have the feeling that the sanctions were
> applied without considering this document. (
> https://www.startssl.com/report/StartCom_Remediation_Plan_14102016.pdf )
> You didn't even reply to this document after it was mentioned here in this
> discussion.
> (2) I am a bit upset about the cutting line Mozilla set (and which was adopted
> by Chrome yesterday).
> Mozilla announced on October 24th that certificates signed on 22 October or
> later will not be verified by their future browser versions. Are you aware that
> this is really unfair to all customers who have ordered certificates in the
> time frame between 22 and 24 October (without including the time it takes until
> the press spread the news)? They had no chance to base their buying decision on
> the sanction, because the sanction was not published at this time, or published
> by the press / news pages. Correct would have been if Mozilla set the cutting
> line to a future date, after the sanction was announced, for example 1 November.
At least internally and to WoSign and StartCom, the October 21 deadline
was announced before it took place (See for example the posting by
Kathleen Wilson titled "Remediation Plan for WoSign and StartCom" on
2016-10-13), but for some dubious reason, they continued selling
certificates they knew would not work.
> You, the browser vendors, are not punishing the CAs with this unfortunate
> deadline - you are affecting the webmasters who paid for certificates they
> ordered between 22-24 October, who didn't have any chance to know Mozilla's
> decision.
If they sold anyone a certificate after the browser cut-off dates
(Apple used a cut-off date of 2016-09-19), those webmasters should
demand their money back, and if possible, block any payment by credit
card through their bank.
> (3) Since I have read a few variant forms of Mozilla's sanction plan (probably
> some of them were just beta), I have read that it was/is considered that there
> will be a 1 year phase of distrust before the re-inclusion can happen again.
> Somewhere else I read that the re-inclusion can be July 2017. In any case,
> that's unrealistic and hilarious. If the second largest browser vendor
> (Mozilla) will distrust a CA, then the CA will most likely become bankrupt a
> few months later. I don't think they could survive 1 year. DigiNotar, for
> example, fell into insolvency just a few weeks after they lost the trust of the
> vendors.
> (4) I am also a bit upset about Google's decision. They not only also used that
> unfair cutting line date (22 October), but also ruled out every chance of
> rescuing the trust and finding a compromise. I do think every person or company
> should get a second chance. From what I have read and heard, I do think that
> StartCom is now willing to do drastic changes and won't make the same mistakes
> again.
When someone else mentioned that earlier, Ryan Sleevi of Google
explained that their customer announcement didn't rule out reinclusion,
they simply didn't say anything. So as far as the official Google
announcement goes, there is no (published) minimum return date for
Chrome (the second largest browser).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy