Hi all,

I agree with Watson. The original concerns, except the potential links to a spyware operation, didn't feel like grounds for distrust to me. However, the way this CA approached the claims leaves me with no trust in their operations. Every communication was combative, condescending, not forthcoming, vaguely threatening, and showing contempt for the forum and the process. Multiple times they point fingers at other operators, rather than take the opportunity to note potential improvement areas. They tell us what we are supposed to care about, instead of proactively striving for transparency.

Overall, I can't tell if the core concern—the link to a spyware operation—is assuaged or drowned and misdirected, but I do leave with the impression that TrustCor can only be relied upon to operate at the minimum common denominator of the baseline requirements. My understanding is that the baseline requirements are just that, a rock bottom that no CA may drop below, and not a bar that is sufficient to clear to deserve trust. Instead, TrustCor seems to believe meeting the baseline is all that is required of them, and disputes any other concerns by remarking they meet the baseline.

Fundamentally, a baseline CA is not particularly valuable, especially if it serves a single relatively low-volume customer, and it would seem to me it exposes the Mozilla and WebPKI community to more risk than it's worth.

Best,
Filippo

2022-11-27 17:10 GMT+01:00 Watson Ladd <[email protected]>:
> Dear Rachel,
>
> It has never been the case that compliance with a narrow set of rules creates trust in a human endeavor. The decision to trust a CA is an ongoing one, and the behavior of its representatives is evaluated in that light, as representative of the attitude taken by the organization to its responsibilities. Your aggressive bloviation and evasion contrasts quite negatively to the openness with which other CAs have addressed issues before, and is most certainly affecting the trust that I would consider reasonable to place in TrustCor.
>
> In particular it is not clear to me what the entities and people being discussed who have ownership of TrustCor CA are, what all the jurisdictions where operations or entities were formed are, how these structures change over time, and what transactions were supposed to effect these changes. All we hear is a few pieces and disputing that we need to care about the rest. You talk about an operational insulation agreement, but haven't provided any details or indicated where details might be found. This incompleteness makes it difficult for me to assess your assertions about the entities involved. Nitpicking the tense and grammar of questions reminds me of nothing so much as a former President.
>
> Ultimately as we've seen with WoSign, etc the CA business is much like banking. When you need to say "we've got good credit", your credit is actually worthless already. And given that TrustCor seems to have only one customer, there really isn't much of a reason not to expel them.
>
> Sincerely,
> Watson Ladd

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/59ce57f4-c47e-479d-b31d-c3467ae14c03%40app.fastmail.com.
