On 07/08/2017 11:21, Franck Leroy wrote:
Hello
I see many reactions that are not in line with the reality because you don’t
have all the history on the subject.
I’ll try to summarize.
Approximately one year ago Inigo was CTO of Izenpe (CA of the Basque Country)
and he left this company in order to join StartCom.
Not long after he arrives at StartCom (days? Weeks? I don’t know) we discover
the deal that has been made by the previous CEO (Eddy Nigg) with the Chinese’s
guys and the relations with WoSign.
Inigo could have resign in regard to the trap the hiring was, but he decided to
face, and to setup the remediation plan defined by Mozilla community.
As said Jon Snow in S07E01: “I will not punish a son for this father’s sins”.
So instead of denigrate Inigo’s work, as a community we should encourage and
support him.
Setting up a new company, with a new datacentre, new pki software, NO client,
NO revenue, with Chinese employees far away speaking not fluent English and
with the pressure of the market, it is definitely not an easy task! Personally
I would not have tried this, so bravo for Inigo’s bravery…
One of the major thing to solve in addition of the remediation plan was to be
back in the business as soon as possible, because without any incomes a company
cannot survive.
So Inigo contacted me to know if Certinomis could help him to be back in the
business. As you can imagine we did not said yes immediately.
But Inigo is not an anonymous guy coming from a strange area of Spain. He has
been for many years an active CABForum member. He is also an active expert at
ESTI, where he was editing the CA policy for web authentication certificates.
Inigo is known for his expertise, trustworthiness, honesty and not the least
his sympathy. So when he said that he will build a new StartCom and engage the
remediation plan, we could trust him.
We are a community, not only in order to do the “police” but also to support
each other’s. So my answer was “yes, we will see how we can help you in respect
with community expectations”.
There was different possibilities to be back in the business while waiting for
a brand new CA root included in the browsers; reselling Certinomis
certificates, becoming a Certinomis RA, creation a StartCom subCA under our
root using our technology or a cross-signing operation on new StartCom sub
certificates.
The cross signing was not the very first option we studied because it requires
that the new StartCom infrastructure be ready. But the other options were not
so trivial, in a technical point of view but also in the context of restoring
StartCom trust.
Then in November 2016 I contacted Kathleen and Gerv to know if there was some
stoppers to work with Inigo to help StartCom to be back in the business.
There was no opposition as long as we follow the requirements of the
remediation plan. Gerv also answered that our plan was good to him.
So with Inigo we studied the different possibilities and finally, taking into
account cost and delay, the more efficient solution was cross signing new sub
certificates from a StartCom full new pki with CT log and get this audited.
On April 2017 the new StartCom datacentre with EJBCA pki software were ready,
and StartCom was able to create a new root and some sub CAs.
Then Inigo work on the CT log activation in the EJBCA software, not an easy
task, and the bugs to solve. He also engaged the webtrust audit with PwC.
On April it was also the mouth when Certinomis had planned to use its offline
root in order to sign the authority revocation list (ARL, the root CRL). So
there was an opportunity to save money by also cross signing StartCom CAs
during this operation. But it was strictly clear with Inigo that we will not
give him the certificates as long as the remediation plan is not completed.
By the end of June the audit was completed and so Inigo send me the report on
July 3rd.
I sent it to Kathleen to be sure that the auditor company was an acceptable one
and that the editor’s opinion was in line with the Mozilla policy. Kathleen
pointed out some minor issues, so I asked Inigo to correct them.
By mid July Inigo had corrected the remaining minor issues, he published the
updated policies and audit assessment report on StartCom web site (July 14/07)
and updated the remediation bug (1311832) stating that all remediation steps
where achieved (17/07).
Back from vacation on August first, I read Inigo’s emails, checked the StartCom
policies, audit report, remediation bug progress, and it appears that every
steps was done. So I asked a confirmation to my management to let StartCom
having the cross signing certificates.
The day after I received the go from my management, so I filled the CCADB with
all the corresponding information: policies, practices, audit dates, audit
report, certificates fingerprints… And then sent to Inigo the cross signed
certificates.
It appeared that some people think that there is a policy violation about the
delay for CCADB disclosure.
Maybe I misunderstood the policy requirements on the subject. I really took
care that no certificates could use the path to our root (by holding the certs
in my safe) until all remediation steps were met. So I’m very sorry about this
misunderstanding and I apologize to you.
But in my opinion, asking for a revocation without a full understanding of the
situation, is not a balanced and a fair answer.
If you have any other question, I’ll do my best to answer (sorry for the basic
English but I’m not English native nor English fluent).
As an "outside" observer, I would say that it would have been better if
the following additional things had been done:
1. At StartCom: The various tests should have been done with a dedicated
"test hierarchy" running on the production hardware but not chaining
to the intended production roots. This could also become a long term
test hierarchy for e.g. new software versions.
2. At StartCom: Remember to revoke certificates that get cancelled
between CT logging and actual issuance. I don't know if EJBCA can do
this without actually issuing the bad certificate, but hopefully there
is a way.
3. At Certinomis: Be more public up front about the "sealed" signing of
the cross certificate. Also, I am not sure how often your ARL signing
ceremonies happen, but if its every 3 months, the signing could have
happened in July instead.
4. At Certinomis: Maybe the cross-cert should have been post-dated to
a date when StartCom expected to be ready (as communicated privately).
5. At StartCom, Mozilla and Google: Should have been more clear if the
remediation plan did or did not require StartCom to seek
Mozilla/Google prior approval before getting cross-signed (if such
cross-signing were to occur before Mozilla approval of the new roots).
6. At StartCom: Be more clear if any of the "Chinese" staff is working
at, under or otherwise near WoSign and/or Richard Wang.
7. At Quihoo: Actually get rid of Richard Wang, not just change his
title from CEO to COO.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
