"Conclusion: StartCom's attempt to restart the CA was rushed."

"It was a very hard task in very little time but the people at 360 tried everything to get it done by that date, end of December 2016, and yes, we reached the date but with many failures"

May I ask why StartCom chose to rush everything in PHP from the ground up rather than using the more secure system already in place in the old StartCom? From my understanding, the distrust of StartCom is more related to the secret acquisition by WoSign and Qihoo 360 rather than insecure infrastructure. So if the deadline is so imminent as you stated and pressure is so high from customers, can't you use the reasonably secure old code base rather than rushing everything from the ground up? Then you will have more time to transition to another system if needed with sufficient time for secure processes?