Hi,

I agree with Watson and Filippo. The inability to answer a question so
basic as "in which jurisdictions are you a legal entity?" is not
exactly great for building trust.
Additionally, Rachel is making it unnecessarily time-consuming and
confusing to follow what is going on by repeating themselves,
mentioning irrelevant things, and not answering the questions but
rather explaining why we seemingly don't deserve to know basically
anything about TrustCor.
The correct course of action here would have been to give clear
answers to the questions raised, which would probably be quite easy to
do if everything were in order, I would think.
Most other CAs are able to answer questions about their operations
without going into speculating about the motives of the people who
initially questioned them.

I feel the same way as Filippo about the initial concerns; I don't
know if they are actual issues or not.
However, the replies from TrustCor made me lose any trust I might have
had for them, and in my opinion it would probably be for the best if
Mozilla distrusted TrustCor, especially given the very limited
customer base.

-Cynthia

On Sun, Nov 27, 2022 at 7:56 PM Filippo Valsorda <[email protected]> wrote:
>
> Hi all,
>
> I agree with Watson. The original concerns, except the potential links to a 
> spyware operation, didn't feel like grounds for distrust to me. However, the 
> way this CA approached the claims leaves me with no trust in their 
> operations. Every communication was combative, condescending, not 
> forthcoming, vaguely threatening, and showing contempt for the forum and the 
> process. Multiple times they point fingers at other operators, rather than 
> take the opportunity to note potential improvement areas. They tell us what 
> we are supposed to care about, instead of proactively striving for 
> transparency.
>
> Overall, I can't tell if the core concern—the link to a spyware operation—is 
> assuaged or drowned and misdirected, but I do leave with the impression that 
> TrustCor can only be relied upon to operate at the minimum common denominator 
> of the baseline requirements. My understanding is that the baseline 
> requirements are just that, a rock bottom that no CA may drop below, and not 
> a bar that is sufficient to clear to deserve trust. Instead, TrustCor seems 
> to believe meeting the baseline is all that is required of them, and disputes 
> any other concerns by remarking they meet the baseline.
>
> Fundamentally, a baseline CA is not particularly valuable, especially if it 
> serves a single relatively low-volume customer, and it would seem to me it 
> exposes the Mozilla and WebPKI community to more risk than it's worth.
>
> Best,
> Filippo
>
> 2022-11-27 17:10 GMT+01:00 Watson Ladd <[email protected]>:
>
> Dear Rachel,
>
> It has never been the case that compliance with a narrow set of rules creates 
> trust in a human endeavor. The decision to trust a CA is an ongoing one, and 
> the behavior of its representatives is evaluated in that light, as 
> representative of the attitude taken by the organization to its 
> responsibilities. Your aggressive bloviation and evasion contrast quite 
> negatively to the openness with which other CAs have addressed issues before, 
> and is most certainly affecting the trust that I would consider reasonable to 
> place in TrustCor.
>
> In particular it is not clear to me what the entities and people being 
> discussed who have ownership of TrustCor CA are, what all the jurisdictions 
> where operations or entities were formed are, how these structures change 
> over time, and what transactions were supposed to effect these changes. All 
> we hear is a few pieces and disputing that we need to care about the rest. 
> You talk about an operational insulation agreement, but haven't provided any 
> details or indicated where details might be found. This incompleteness makes 
> it difficult for me to assess your assertions about the entities involved.  
> Nitpicking the tense and grammar of questions reminds me of nothing so much 
> as a former President.
>
> Ultimately, as we've seen with WoSign, etc., the CA business is much like 
> banking. When you need to say "we've got good credit", your credit is 
> actually worthless already. And given that TrustCor seems to have only one 
> customer, there really isn't much of a reason not to expel them.
>
> Sincerely,
> Watson Ladd
>
>
> --
> You received this message because you are subscribed to the Google Groups 
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an 
> email to [email protected].
> To view this discussion on the web visit 
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CACsn0ck3ZjQbakCTCL59GhrT%2BhwgHTEr3gv3LeVu2SSGxgYGGA%40mail.gmail.com.
