On 09/11/2018 15:52, Hanno Böck wrote:
> On Fri, 9 Nov 2018 14:56:41 +0100
> Jakob Bohm via dev-security-policy
> <dev-security-policy@lists.mozilla.org> wrote:
>
>> However there are also some very harsh punishments handed out, such as
>> distrusting some CAs (most notably happened to Symantec and WoSign,
>> but others are also teetering), and distrusting auditors (most notably
>> happened to the branch of Ernst & Young that audited the bad parts of
>> those two).
>>
>> A line of arguments often seen is that someone failed once to do
>> <something> completely right, therefore they cannot be trusted to do
>> anything similar to <something> right at all, therefore they should no
>> longer be trusted.
>
> I don't think anyone ever said something like that. Particularly
> I'm not aware of any recent incident where a CA failed *once* and got
> distrusted.


All 3 lines of reasoning I mentioned (with variations from case to case)
can be found in two of the most recent threads on this list.

> In the cases you mention - Symantec and WoSign - there were multiple
> issues. In both cases there was also plenty of opportunity for the
> affected CAs to explain and improve things before a distrust was
> even considered. It was repeated failures and a long list of issues
> that led to the distrust.


I am not saying those two didn't deserve it.  I was just replying to a
claim that only mild punishments have been used.  I also noted that some
other CAs are currently being removed or pressured to remove themselves
for various reasons.

However since the successful distrust of WoSign and Symantec, some here
seem to have gotten "the taste for blood" and are threatening the same
punishments for much smaller issues.


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy