On Wed, Jul 10, 2019 at 12:29 PM fabio.pietrosanti--- via dev-security-policy <[email protected]> wrote:
> Said that, given the approach that has been followed with DarkMatter
> about "credible evidence" and "people safety" principles, I would strongly
> argue that Mozilla should take action against the subject previously
> documented.
>
> I will open a thread on those newsgroup for each of those companies to
> understand what's the due process and how it will compare to this.
>

It sounds like you've not done the research to actually analyze which of the listed organizations are similar in substance. For example, which of these organizations is in control of the private key and/or the CP/CPS and issuance control. This is a very basic and essential understanding to have, if proposing such a discussion.

For each of the organizations listed, my queries show that they are not controlled or operated by such organizations, merely branded as such. It is noteworthy, because this was similarly the case for DarkMatter; QuoVadis controlled the private key, issuance, and core activities. Transfer of control happened late 2017, which became publicly known February 2018, although not formally disclosed as such for a non-trivial amount of time after. The policies are in the process of being updated, which will incidentally ensure such actions do not happen again.

However, without understanding the relevant audits or CP/CPS, this is not a productive line of argument. If I've overlooked something with respect to the specific audits mentioned, and you weren't just pulling names out of certificates, please highlight the relevant audits.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

