> For example, I think there is wisdom in what Ryan says about setting an
> amount of time before a company can re-apply. In the case of StartCom we
> did not set such a time, because I had thought they might do what I
> recommended, which was to switch back from the new WoSign infra that we
> didn't trust to the original StartCom infra, which we did. However, they
> instead chose to implement new infra from scratch and rushed it, with the
> result being the use of PHP, the use of coders without sufficient training in
> security, and some terrible code written under extreme time pressure driven
> by commercial considerations.
>
All that "terrible" code was written before we went live and before we applied for re-inclusion. That's not the code we use to issue certificates; in fact, the hierarchy was not built at that time, so with this comment people may think that we're using bad code, which is not true. What is true is that we wanted to re-apply sooner because yes, we had some commercial issues, and we did have a timeline, which was 6 months. The reason for not using the old StartCom code was due to some past issues that arose during that time, but the new code is much more secure than the old one and has more functionality, as has been explained. The misissuances we've made were before the re-application and none were due to bad code. I know this reply is not related to the email thread, but I wouldn't like to leave the feeling that the code we are using is bad, or not secure, etc.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

