I see many reactions that are not in line with the reality because you don’t 
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country) 
and he left this company in order to join StartCom.
Not long after he arrives at StartCom (days? Weeks? I don’t know) we discover 
the deal that has been made by the previous CEO (Eddy Nigg) with the Chinese’s 
guys and the relations with WoSign.
Inigo could have resign in regard to the trap the hiring was, but he decided to 
face, and to setup the remediation plan defined by Mozilla community.
As said Jon Snow in S07E01: “I will not punish a son for this father’s sins”.
So instead of denigrate Inigo’s work, as a community we should encourage and 
support him.
Setting up a new company, with a new datacentre, new pki software, NO client, 
NO revenue, with Chinese employees far away speaking not fluent English and 
with the pressure of the market, it is definitely not an easy task! Personally 
I would not have tried this, so bravo for Inigo’s bravery…
One of the major thing to solve in addition of the remediation plan was to be 
back in the business as soon as possible, because without any incomes a company 
cannot survive.
So Inigo contacted me to know if Certinomis could help him to be back in the 
business. As you can imagine we did not said yes immediately.
But Inigo is not an anonymous guy coming from a strange area of Spain. He has 
been for many years an active CABForum member. He is also an active expert at 
ESTI, where he was editing the CA policy for web authentication certificates. 
Inigo is known for his expertise, trustworthiness, honesty and not the least 
his sympathy. So when he said that he will build a new StartCom and engage the 
remediation plan, we could trust him.
We are a community, not only in order to do the “police” but also to support 
each other’s. So my answer was “yes, we will see how we can help you in respect 
with community expectations”.
There was different possibilities to be back in the business while waiting for 
a brand new CA root included in the browsers; reselling Certinomis 
certificates, becoming a Certinomis RA, creation a StartCom subCA under our 
root using our technology or a cross-signing operation on new StartCom sub 
The cross signing was not the very first option we studied because it requires 
that the new StartCom infrastructure be ready. But the other options were not 
so trivial, in a technical point of view but also in the context of restoring 
StartCom trust.
Then in November 2016 I contacted Kathleen and Gerv to know if there was some 
stoppers to work with Inigo to help StartCom to be back in the business.
There was no opposition as long as we follow the requirements of the 
remediation plan. Gerv also answered that our plan was good to him.
So with Inigo we studied the different possibilities and finally, taking into 
account cost and delay, the more efficient solution was cross signing new sub 
certificates from a StartCom full new pki with CT log and get this audited.
On April 2017 the new StartCom datacentre with EJBCA pki software were ready, 
and StartCom was able to create a new root and some sub CAs.
Then Inigo work on the CT log activation in the EJBCA software, not an easy 
task, and the bugs to solve. He also engaged the webtrust audit with PwC.
On April it was also the mouth when Certinomis had planned to use its offline 
root in order to sign the authority revocation list (ARL, the root CRL). So 
there was an opportunity to save money by also cross signing StartCom CAs 
during this operation. But it was strictly clear with Inigo that we will not 
give him the certificates as long as the remediation plan is not completed.
By the end of June the audit was completed and so Inigo send me the report on 
July 3rd.
I sent it to Kathleen to be sure that the auditor company was an acceptable one 
and that the editor’s opinion was in line with the Mozilla policy. Kathleen 
pointed out some minor issues, so I asked Inigo to correct them.
By mid July Inigo had corrected the remaining minor issues, he published the 
updated policies and audit assessment report on StartCom web site (July 14/07) 
and updated the remediation bug (1311832) stating that all remediation steps 
where achieved (17/07).
Back from vacation on August first, I read Inigo’s emails, checked the StartCom 
policies, audit report, remediation bug progress, and it appears that every 
steps was done. So I asked a confirmation to my management to let StartCom 
having the cross signing certificates.
The day after I received the go from my management, so I filled the CCADB with 
all the corresponding information: policies, practices, audit dates, audit 
report, certificates fingerprints… And then sent to Inigo the cross signed 

It appeared that some people think that there is a policy violation about the 
delay for CCADB disclosure.
Maybe I misunderstood the policy requirements on the subject. I really took 
care that no certificates could use the path to our root (by holding the certs 
in my safe) until all remediation steps were met. So I’m very sorry about this 
misunderstanding and I apologize to you.
But in my opinion, asking for a revocation without a full understanding of the 
situation, is not a balanced and a fair answer.

If you have any other question, I’ll do my best to answer (sorry for the basic 
English but I’m not English native nor English fluent).

Best regards
Franck Leroy
dev-security-policy mailing list

Reply via email to