Thank you for this response Francois. I have added it to the issues list [1]. Because the response is not structured the same as the issues list, I did not attempt to associate parts of the response with specific issues. I added the complete response to the bottom of the page.
On Thu, May 9, 2019 at 9:27 AM fchassery--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> I don’t want to finish this answer without going back to the A issue, the Startcom cross-sign.
> I will not repeat all the history, Franck LEROY had detailed it in his e-mail of 07/08/2017 at 11.21:46 (UTC+2), but simply summarize my point of view: at no time did we in this case violate an existing rule, nor did we assist or seek to assist Startcom in circumventing the remediation plan proposed by Mozilla; on the contrary, we asked the Mozilla staff beforehand if what we wanted to do was acceptable, we clearly made it a condition for Iñigo to follow the plan and waited to be convinced that he had done so, and when, after all these precautions, we were told that we had not understood this remedial plan, we revoked both CAs without discussion.
> I hadn’t heard anything about it in those two years.
> So what is the factual criticism that is being made now, two years later?
> I don’t know about that.
> And what is the link with our difficulties of this year? None!

In response to the email from Franck that you mention, Gerv responded [1] by quoting the plan he had approved and stating "This seems to be very different to the plan you implemented." By cross-signing Startcom's old roots, Certinomis did assist Startcom in circumventing the remediation plan, and by proposing one plan then implementing a different one, Certinomis did so without Mozilla's consent. Startcom misissued a number of certificates (e.g. [3]) under that cross-signing relationship that Certinomis is responsible for as the Mozilla program member. By cross-signing Startcom's roots, Certinomis also took responsibility for Startcom's qualified audit. I will also add this information to the issues list.
- Wayne

[1] https://wiki.mozilla.org/CA/Certinomis_Issues
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ
[3] https://crt.sh/?opt=cablint&id=160150786