Yes, thank you for letting us know.

Best regards

Iñigo Barreira
StartCom CA Limited

-----Original Message-----
From: dev-security-policy 
[] On 
Behalf Of Lewis Resmond via dev-security-policy
Sent: miércoles, 3 de mayo de 2017 19:49
Subject: Re: StartCom continues to sell untrusted certificates

Am Montag, 1. Mai 2017 16:49:32 UTC+2 schrieb Henri Sivonen:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via 
> dev-security-policy <> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither 
> >> their
> home page nor their announcement page 
> mentions that those certs are 
> not trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any 
> > standard. Mozilla is not the global authority on what certificates 
> > may be issued. If StartCom are providing certificates which do not 
> > do what their customers expect, I'm sure those customers will let 
> > them know about it soon enough.
> What StartCom claims about compatibility is potentially more 
> Mozilla-relevant than what they are silent about. At the bottom of 
> their front page, it says "StartCom™ / StartSSL™is supported by:" 
> followed by icons. The icons include an early icon for Camino and the 
> SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in 
> StartCom certificates, I guess having Camino there isn't technically 
> incorrect, but is about as relevant as having the Flock icon there. 
> However, is it correct to have the SeaMonkey icon there? The latest 
> SeaMonkey release seems to post-date the Mozilla root program's trust change 
> in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR 
> security patch releases that post-date the SeaMonkey release. Is 
> SeaMonkey still active, despite appearing not to ship Gecko security 
> updates, and does SeaMonkey implement the same trust special-casing as 
> Firefox? It seems to produce nightlies still.)
> --
> Henri Sivonen

It seems like they have removed the icons.
dev-security-policy mailing list

Attachment: smime.p7s
Description: S/MIME cryptographic signature

dev-security-policy mailing list

Reply via email to