On 23/11/2022 12:02 a.m., Kathleen Wilson wrote:

All,

The discussion thus far is appreciated and has been both informative and constructive. My post on November 8 <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/WJXUELicBQAJ> indicated that if our concerns have not been resolved by today (November 22) and further investigation and discussion is still needed, that we would set the “Distrust for TLS After Date” and “Distrust for S/MIME After Date” to November 29, 2022, for the 3 TrustCor root certificates. However, we’d like to allow more time for any additional dialogue or external developments to transpire prior to sharing our intended course of action. We will continue our assessment and share out necessary next steps on Wednesday, November 30.

Thanks,
Kathleen
--
FWIW, I worked several times with Trustcor's representatives within the Server Certificate WG of the CA/Browser Forum, and more closely at the Network Security Subcommittee (now a separate Working Group). One particular Trustcor representative was very actively working with the rest of the subcommittee on improving the network security requirements and raising the bar for all CAs, providing good guidance and strong requirements, all based on good security principles that they had already implemented internally. It is very hard for me to believe that a CA that applies good security principles/practices in one area (TLS Certificates) would not follow the same good security principles/practices in another (S/MIME).
Also, judging from the 4 closed security incidents handled by Trustcor until now (https://wiki.mozilla.org/CA/Closed_Incidents), this CA seems to have been responsive and handled security incidents meeting the expectations of this community.
I understand that it is an industry expectation for public CAs to have to face various challenges, including areas that are not directly related to Certificate issuance or Certificate management. It is also very difficult and stressful to handle multiple arguments in many areas, including legal proceedings like company formations, headquarter transfers, and data correlation, all at the same time. I am sympathetic to any CA representative who has been in such a position where the future of a business (and its employees) is being threatened. The burden is difficult to grasp. I take that into consideration when reading some of Trustcor's most recent spirited posts that may be taking the Mozilla Forum Etiquette <https://www.mozilla.org/en-US/about/forums/etiquette/> to its limits.
I believe a good summary of the specific accusations and the factual evidence, along with the CA responses against these specific accusations (leaving out any personal attacks) would be helpful, because some of the messages in this thread were IMHO unnecessarily long and hard to follow.
Thank you,
Dimitris.
--
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/6264d022-f06e-be5c-4b0f-3190e25b522b%40it.auth.gr.