Yes, thank you for letting us know.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-----Original Message-----
From: dev-security-policy [mailto:dev-security-policy-bounces+inigo=startcomca....@lists.mozilla.org] On Behalf Of Lewis Resmond via dev-security-policy
Sent: Wednesday, 3 May 2017 19:49
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom continues to sell untrusted certificates

On Monday, 1 May 2017 at 16:49:32 UTC+2, Henri Sivonen wrote:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via 
> dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither
> >> their home page https://www.startcomca.com/ nor their announcement page
> >> https://www.startcomca.com/index/news mentions that those certs are
> >> not trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any 
> > standard. Mozilla is not the global authority on what certificates 
> > may be issued. If StartCom are providing certificates which do not 
> > do what their customers expect, I'm sure those customers will let 
> > them know about it soon enough.
> 
> What StartCom claims about compatibility is potentially more 
> Mozilla-relevant than what they are silent about. At the bottom of 
> their front page, it says "StartCom™ / StartSSL™ is supported by:" 
> followed by icons. The icons include an early icon for Camino and the 
> SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in 
> StartCom certificates, I guess having Camino there isn't technically 
> incorrect, but is about as relevant as having the Flock icon there. 
> However, is it correct to have the SeaMonkey icon there? The latest 
> SeaMonkey release seems to post-date the Mozilla root program's trust change 
> in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR 
> security patch releases that post-date the SeaMonkey release. Is 
> SeaMonkey still active, despite appearing not to ship Gecko security 
> updates, and does SeaMonkey implement the same trust special-casing as 
> Firefox? It seems to produce nightlies still.)
> 
> --
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/

It seems like they have removed the icons.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
