On Sat, 11 May 2024 at 15:04, 'Chris Bailey' via [email protected] <[email protected]> wrote:
> To that end, I want to confirm our intent to provide a full written
> response to you and the community prior to June 7.
>
> o_o
> a full written response to you and the community prior to June 7.
>
> o_O
> prior to June 7
> O_______O

Date: Fri, 7 Jun 2024 12:53:10 -0700 (PDT)
From: "'Bruce Morton' via [email protected]" <[email protected]>
To: "[email protected]" <[email protected]>
Cc: Ben Wilson <[email protected]>
Subject: Re: Recent Entrust Compliance Incidents

In another context, I would think this to not even be worth joking about, but here it's just the cherry on the top of this whole process.

I have time booked this week to go through the report in more detail (every time I start I turn over another thing that is wrong; it's fractal) but I have to say, now that we've reached the end of this part of the process, that I find Entrust's response--in specific and in general--to be well beneath not only the expectations but indeed the mere *dignity* of the Mozilla root program process, the CA/BF commitments, and the trusted role that Entrust seems to so arrogantly believe cannot be lost.

I am generally known as a pretty charitable person, and in the mists of time when I was responsible for the Mozilla root CA process I very often advocated or outright decided in favour of using incidents as a tool for learning far beyond being a tool for culling underperforming CAs from our root store. Even at the point at which Ben posted the (extremely understated) message beginning this thread, I had hoped that we would see Entrust wake up from its long operational-quality slumber. I had hoped, sincerely, that Entrust would provide plans that were transparent, concrete, thorough, and sufficiently evident of meaningful reflection that the response would be celebrated as an improvement in the health of the WebPKI. It would mean that revenue from the financial disincentive that Entrust puts in place against Subscriber automation (I believe it's called "SUB-PKI-CEG-ACME") might in some small way be put towards strengthening the integrity of the web's security.

I was bewildered by the non-responses that kept appearing in the bugs, but honestly I'm a sucker so I remained hopeful. There were VPs involved, Entrust values its security brand so much, their history is so long (I was doing infosec in the Ottawa area in the early 90s)--they were going to come through now that it had been made so abundantly clear that things were structurally broken.

Sadly, I then opened the response posted by Bruce.

When I first read the CPS URI incident, it seemed that Entrust thought that the Mozilla root community wasn't watching them. (To be sure, there had been some evidence in the preceding 4 years that this was the case.) When the demeanour of Entrust's responses changed immediately after Ryan Dickson of the Chrome Root Program entered the bug, it made me feel that Entrust thought that the Mozilla root program and community didn't matter, and that their commitments to that program were not meaningful. When the third spokesperson, of increasing seniority, restated Entrust's earnestness and pedigree without any actual concrete, measurable commitments, I started to suspect that Entrust thought that they could just "post through it", as the kids say.

But when I read this report, and especially when I compare it to the exceptionally clear request from Ben in his original message, I can only conclude that Entrust believes that this community and its participants are in fact medically-grade stupid.

I honestly hope that someone there is ashamed of this.

Mike

--
You received this message because you are subscribed to the Google Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqtWvCAGMv97b5eJK_XqajGuAbhVFq_AUX85CxAZXyDWkg%40mail.gmail.com.
