On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> On 01/05/17 07:52, Percy wrote:
>> It seems that StartCom continues to sell untrusted certs. Neither their home page https://www.startcomca.com/ nor their announcement page https://www.startcomca.com/index/news mentions that those certs are not trusted.
>
> Why is this something that Mozilla should be concerned with?
>
> "Selling untrusted certs" is not a crime, or a violation of any standard. Mozilla is not the global authority on what certificates may be issued. If StartCom are providing certificates which do not do what their customers expect, I'm sure those customers will let them know about it soon enough.
What StartCom claims about compatibility is potentially more Mozilla-relevant than what they are silent about. At the bottom of their front page, it says "StartCom™ / StartSSL™ is supported by:" followed by icons. The icons include an early icon for Camino and the SeaMonkey icon. Since Camino was discontinued before Mozilla's change in trust in StartCom certificates, I guess having Camino there isn't technically incorrect, but is about as relevant as having the Flock icon there.

However, is it correct to have the SeaMonkey icon there? The latest SeaMonkey release seems to post-date the Mozilla root program's trust change in StartCom certificates. (But then, it seems that there have been a number of Firefox ESR security patch releases that post-date the SeaMonkey release. Is SeaMonkey still active, despite appearing not to ship Gecko security updates, and does SeaMonkey implement the same trust special-casing as Firefox? It seems to produce nightlies still.)

--
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy