Hi Patricia,

On 12/24/2008 01:58 AM, patri...@certstar.com:
Dear all,


Upfront, as such for me, I accept your apology - sincerely. However your apology is only for half the story, please read on...


Having worked intensively with this case I can truly say that Comodo
is indeed taking their responsibility extremely seriously and taking
huge efforts to ensure the safety of their root. Currently we are
going through a number of certificates to double ensure that no further
mis-issuances have occurred.

Look, the problem isn't your implementations alone, this failure is a broader set of failures not only by your company, but that of Comodo. Comodo has clearly failed in their duties, in their concepts, controls and policies. The responsibility of domain validation shouldn't be with you, but part of Comodo's procedures and data flow. As much as your system perhaps failed - you aren't the only one to take blame and responsibility.

Besides that, I want to repeat that there was no validation performed at all. There was no such step, not even a hint of it.


Personally I do feel that it would have been appropriate if we had
been contacted by StartCom Ltd when they found this flaw so that it
could have been fixed faster. Being our competitor I am not sure if we
could expect this, but it would indeed have been a generous move.

I tell you something about generosity hereby. You have spammed, phished and misled our customers by sending those emails, with it everything started. StartCom has contacted you (myself personally) and requested to talk to the owners of your company and somebody with the name Mark answered me. I replied with full disclosure about those emails you are sending and with an immediate request to shut down your activities. Unfortunately *OUR* email was ignored and we never received a reply thereafter.

My request was reasonable in light of the potential damage you have caused us and other certification authorities and whoever makes a mistake has to pay for it. Your site should have been taken down then.

Also Comodo replied laconically to my complaint. In that respect, and the way Comodo handled this incident, nobody should be surprised that those who make foes will not be treated in a friendly manner either. It would have been generous from *YOU* to address the first problem appropriately and come to terms with us when we requested it.


The technical verification procedure has been improved and is now on a
very high security level. Comodo will also review our implementation
to ensure that it complies with all standards and cannot be abused.

As long as those validations are performed at a hosted site at some hosting provider (yes, I did my research in this respect) and not by Comodo's infrastructure, there can't be any talk of "improvement", period. This is simply not serious! I hope that everybody takes note of this.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto