On 22/11/17 18:00, Ryan Sleevi wrote:
> I think an important part of this discussion is trying to understand to
> what side of Hanlon's razor did WoSign's actions fall (or, to that matter,
> of any CA). If it was incompetence, is there sufficient explanation for how
> such incompetence happened? Is there sufficient evidence that both the
> specific incident and any underlying causes have been remediated?
> Alternatively, if we allow it to be attributed to malice (or, for that
> matter, greed), is it possible to design a system of trust that is robust
> against such considerations? If not, is it an acceptable risk to take going
> forward. If we can, what are those controls and expectations?

While I do not want to make this discussion entirely about specific people, as Mozilla's investigator of the issues at the time I am satisfied that WoSign's actions at the time were taken with full knowledge - that is, they were not due to incompetence. And those decisions were overseen and approved by individual(s) who still control WoSign/WoTrus.

Gerv

