On Sat, Dec 19, 2020 at 1:03 AM Ramiro Muñoz via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> Hi Ben, Ryan, Burton and all: > > Camerfirma will present its claims based on a description of the problems > found by associating the references to the specific bugs. > After making a complete analysis of the bugs as presented by Ben, always > considering that bugs are the main source of truth, we see that the > explanations offered by Camerfirma could generally be better developed. We > hope to make up for these deficiencies with this report. > > It's worth pointing out that in April 2018, the Camerfirma '2016 roots' inclusion request [1] was denied [2] after a host of issues were documented. At that time it was made clear that ongoing trust in the older roots was in jeopardy [3]. While some progress was made, the number, severity, and duration of new and ongoing bugs since then remains quite high. In this context, I don't find these new disclosures and commitments from Camerfirma to form a convincing case for their trustworthiness. - Wayne [1] https://bugzilla.mozilla.org/show_bug.cgi?id=986854 [2] https://groups.google.com/g/mozilla.dev.security.policy/c/skev4gp_bY4/m/snIuP2JLAgAJ [3] https://groups.google.com/g/mozilla.dev.security.policy/c/skev4gp_bY4/m/ZbqPhO5FBQAJ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy