RE: StartCom continues to sell untrusted certificates

2017-05-03 Thread Inigo Barreira via dev-security-policy
Yes, thank you for letting us know.

Best regards

Iñigo Barreira
CEO
StartCom CA Limited

-Original Message-
From: dev-security-policy 
[mailto:dev-security-policy-bounces+inigo=startcomca@lists.mozilla.org] On 
Behalf Of Lewis Resmond via dev-security-policy
Sent: Wednesday, 3 May 2017 19:49
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: StartCom continues to sell untrusted certificates

On Monday, 1 May 2017 16:49:32 UTC+2, Henri Sivonen wrote:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via 
> dev-security-policy < dev-security-policy@lists.mozilla.org> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither their
> >> home page https://www.startcomca.com/ nor their announcement page
> >> https://www.startcomca.com/index/news mentions that those certs are not
> >> trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any 
> > standard. Mozilla is not the global authority on what certificates 
> > may be issued. If StartCom are providing certificates which do not 
> > do what their customers expect, I'm sure those customers will let 
> > them know about it soon enough.
> 
> What StartCom claims about compatibility is potentially more 
> Mozilla-relevant than what they are silent about. At the bottom of 
> their front page, it says "StartCom™ / StartSSL™is supported by:" 
> followed by icons. The icons include an early icon for Camino and the 
> SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in 
> StartCom certificates, I guess having Camino there isn't technically 
> incorrect, but is about as relevant as having the Flock icon there. 
> However, is it correct to have the SeaMonkey icon there? The latest 
> SeaMonkey release seems to post-date the Mozilla root program's trust change 
> in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR 
> security patch releases that post-date the SeaMonkey release. Is 
> SeaMonkey still active, despite appearing not to ship Gecko security 
> updates, and does SeaMonkey implement the same trust special-casing as 
> Firefox? It seems to produce nightlies still.)
> 
> --
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/

It seems like they have removed the icons.
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy




Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Lewis Resmond via dev-security-policy
On Monday, 1 May 2017 16:49:32 UTC+2, Henri Sivonen wrote:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither their
> >> home page https://www.startcomca.com/ nor their announcement page
> >> https://www.startcomca.com/index/news mentions that those certs are not
> >> trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any
> > standard. Mozilla is not the global authority on what certificates may
> > be issued. If StartCom are providing certificates which do not do what
> > their customers expect, I'm sure those customers will let them know
> > about it soon enough.
> 
> What StartCom claims about compatibility is potentially more
> Mozilla-relevant than what they are silent about. At the bottom of their
> front page, it says "StartCom™ / StartSSL™is supported by:" followed by
> icons. The icons include an early icon for Camino and the SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in StartCom
> certificates, I guess having Camino there isn't technically incorrect, but
> is about as relevant as having the Flock icon there. However, is it correct
> to have the SeaMonkey icon there? The latest SeaMonkey release seems to
> post-date the Mozilla root program's trust change in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR security
> patch releases that post-date the SeaMonkey release. Is SeaMonkey still
> active, despite appearing not to ship Gecko security updates, and does
> SeaMonkey implement the same trust special-casing as Firefox? It seems to
> produce nightlies still.)
> 
> -- 
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/

It seems like they have removed the icons.


Re: StartCom continues to sell untrusted certificates

2017-05-03 Thread Percy via dev-security-policy
On Monday, May 1, 2017 at 7:49:32 AM UTC-7, Henri Sivonen wrote:
> On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy <
> dev-security-policy@lists.mozilla.org> wrote:
> > On 01/05/17 07:52, Percy wrote:
> >> It seems that StartCom continues to sell untrusted certs. Neither their
> >> home page https://www.startcomca.com/ nor their announcement page
> >> https://www.startcomca.com/index/news mentions that those certs are not
> >> trusted.
> >
> > Why is this something that Mozilla should be concerned with?
> >
> > "Selling untrusted certs" is not a crime, or a violation of any
> > standard. Mozilla is not the global authority on what certificates may
> > be issued. If StartCom are providing certificates which do not do what
> > their customers expect, I'm sure those customers will let them know
> > about it soon enough.
> 
> What StartCom claims about compatibility is potentially more
> Mozilla-relevant than what they are silent about. At the bottom of their
> front page, it says "StartCom™ / StartSSL™is supported by:" followed by
> icons. The icons include an early icon for Camino and the SeaMonkey icon.
> Since Camino was discontinued before Mozilla's change in trust in StartCom
> certificates, I guess having Camino there isn't technically incorrect, but
> is about as relevant as having the Flock icon there. However, is it correct
> to have the SeaMonkey icon there? The latest SeaMonkey release seems to
> post-date the Mozilla root program's trust change in StartCom certificates.
> (But then, it seems that there have been a number of Firefox ESR security
> patch releases that post-date the SeaMonkey release. Is SeaMonkey still
> active, despite appearing not to ship Gecko security updates, and does
> SeaMonkey implement the same trust special-casing as Firefox? It seems to
> produce nightlies still.)
> 
> -- 
> Henri Sivonen
> hsivo...@hsivonen.fi
> https://hsivonen.fi/

Ha, it seems that they removed those icons in response to your comments. Now
they only list Edge, IE, Android and Windows.


Re: StartCom continues to sell untrusted certificates

2017-05-01 Thread Henri Sivonen via dev-security-policy
On Mon, May 1, 2017 at 11:31 AM, Gervase Markham via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:
> On 01/05/17 07:52, Percy wrote:
>> It seems that StartCom continues to sell untrusted certs. Neither their
>> home page https://www.startcomca.com/ nor their announcement page
>> https://www.startcomca.com/index/news mentions that those certs are not
>> trusted.
>
> Why is this something that Mozilla should be concerned with?
>
> "Selling untrusted certs" is not a crime, or a violation of any
> standard. Mozilla is not the global authority on what certificates may
> be issued. If StartCom are providing certificates which do not do what
> their customers expect, I'm sure those customers will let them know
> about it soon enough.

What StartCom claims about compatibility is potentially more
Mozilla-relevant than what they are silent about. At the bottom of their
front page, it says "StartCom™ / StartSSL™is supported by:" followed by
icons. The icons include an early icon for Camino and the SeaMonkey icon.
Since Camino was discontinued before Mozilla's change in trust in StartCom
certificates, I guess having Camino there isn't technically incorrect, but
is about as relevant as having the Flock icon there. However, is it correct
to have the SeaMonkey icon there? The latest SeaMonkey release seems to
post-date the Mozilla root program's trust change in StartCom certificates.
(But then, it seems that there have been a number of Firefox ESR security
patch releases that post-date the SeaMonkey release. Is SeaMonkey still
active, despite appearing not to ship Gecko security updates, and does
SeaMonkey implement the same trust special-casing as Firefox? It seems to
produce nightlies still.)

-- 
Henri Sivonen
hsivo...@hsivonen.fi
https://hsivonen.fi/


Re: StartCom continues to sell untrusted certificates

2017-05-01 Thread Gervase Markham via dev-security-policy
On 01/05/17 07:52, Percy wrote:
> It seems that StartCom continues to sell untrusted certs. Neither their home 
> page https://www.startcomca.com/ nor their announcement page 
> https://www.startcomca.com/index/news mentions that those certs are not 
> trusted. 

Why is this something that Mozilla should be concerned with?

"Selling untrusted certs" is not a crime, or a violation of any
standard. Mozilla is not the global authority on what certificates may
be issued. If StartCom are providing certificates which do not do what
their customers expect, I'm sure those customers will let them know
about it soon enough.

Gerv