On Friday, November 24, 2017 at 6:07:44 AM UTC-6, Gervase Markham wrote:

> While I do not want to make this discussion entirely about specific
> people, as Mozilla's investigator of the issues at the time I am
> satisfied that WoSign's actions at the time were taken with full
> knowledge - that is, they were not due to incompetence. And those
> decisions were overseen and approved by individual(s) who still control
> WoSign/WoTrus.
>
> Gerv
This is the core issue that I believe makes any proposed inclusion or re-inclusion of WoTrus/WoSign/et al. _as it presently exists_ a non-starter. I cannot fathom that the community would or should tolerate the extension of trust to an organization being managed by an individual who has knowingly violated the requirements, conventions, and standards demanded by the community. The rare exception set aside, an individual does not generally experience an overnight turn-around and incorporate a strict adherence to ethics and rules.

Mozilla has previously allowed as much as to say that WoSign/StartCom engaged in intentional deception during the course of the investigation. You've now expressed confidence that the underlying actions in at least some of the violations were purposeful and performed while knowing that such actions were not in compliance. All persons involved who had advance knowledge of the actions to be taken -- and of the impropriety of such actions -- in addition to the ability to stop those actions or the ability to forewarn the community of those actions should be blacklisted as unfit for employment by any trusted CA. I believe that with the current management and executive team in place, WoTrus is unfit for inclusion.

Modern society gives us plenty of other-than-CA examples of industries and functional roles within those industries in which the individuals are held to standards and violations of those standards remove that individual's ability to continue within that function. This is seen in both fully formalized rule making as well as in more informal contexts. I offer up just two examples among many possibles: the various SEC rules disqualifying various "bad actors", convicted felons, etc. from certain types of service in publicly traded corporations. They similarly have rules barring those individuals from new securities offerings. Less formally, look to cases such as the Wells Fargo fraudulent account opening debacle.

It is unlikely that Wells' CEO and upper management committed a crime in building an incentive structure which caused literally thousands of employees to engage in actual criminal frauds. However, it was clear that the people of the US, the Congress, and the various regulatory agencies were not content to leave the CEO and upper management which caused those actions to come about in place. At no point was there a discussion of whether or not the Wells Fargo bank would continue. There was always a question of whether the leadership could continue. Ultimately, their own board resolved the matter by ousting those who had to go. It immediately reduced external animus toward the bank.

However uncomfortable the situation may be, I believe that the community and the root program must find a way to adopt a position that vests trust with the executive and management team -- and pulls that trust appropriately. I think it is not an uncontroversial position to suggest that Richard Wang should not have privileged access at any publicly trusted CA. If that is truly uncontroversial, the rest of the decisions are just details to hammer out. I can well imagine that the tough one is how to break that to the CA / proposed CA. I can also imagine that the precedent set in doing so will have broader ramifications for the root program.

Nevertheless, WoTrus is (presumably) a commercial operation. Whoever owns that organization bought or built it with an expectation of at least the possibility of commercial success (profit). The organization's long term success requires inclusion in major root programs. If that organization will never get such trust and inclusion regardless of technical prowess or audits -- while person X is in place -- the community and program owe it to the ownership to make that crystal clear.

Matt Hardeman

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

