To play the devil's advocate... If everything is as Mr. Leroy of Certinomis points out, I don't see the problem with the cross-sign.

In that version of events, the vast majority of the issues in the new PKI (test certs, etc.) had already been revoked and measures put in place to prevent that sort of issuance prior to Startcom being provided the cross-sign certificates. They've committed to logging everything in CT, and I cannot recall any suggestion that any issuances have occurred which evaded CT.

At this point, why not let them sink or swim? Allow the cross-signs to stand. If Inigo has prior CA management experience and is running the technical picture at Startcom now, why not allow them to proceed under this new PKI infrastructure with past issues set aside, and take a serious stance on any issues going forward? As far as I know, the current manager of Startcom has not been previously accused of deception or bad action. Far more than has been problematic in this early testing phase of their new PKI has been forgiven by the root programs before.

Is it not possible that they're getting increased animus just for being called Startcom? I say "being called" because they have clearly undertaken a great deal of work to bring up an entirely new PKI infrastructure and have new and experienced management, according to Mr. Leroy's assertions. Nothing disastrous or intentionally dishonest has been done in their new PKI. Why not grant them a gentleman's chance to proceed, and address any further issues with great scrutiny?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

