On 12/24/2008 05:32 AM, Paul Hoffman:
At 1:45 AM +0200 12/24/08, Eddy Nigg wrote:
Paul, you are disappointing me! I have not heard one critical word from you 
about this incident,

You tried to find this one because this particular reseller tried to steal your 
customers in a slimy fashion...

Well, I didn't try to find the flaw, I tried to find the CA responsible. It took me a while to recap how I got the cert for my domain and went like...gosh, this can't be, I must have overlooked something. I decided to check it out and bingo.

As to my personality, what I wrote in my blog article is what I meant. I was clearly disappointed, because I'm also a strong supporter of domain validated certificates and that they have their place in PKI (provided that they are applied correctly). Obviously, this incident makes it harder if we don't act accordingly.


but you could probably find other resellers (possibly even Comodo resellers) 
who are just as lax.

I really hope not. And it should serve others to re-check their controls and procedures.


You are repeatedly using this list as a springboard to criticize a competitor.

That's how you look at it. I think I've contributed and proved that I'm not against our competition, I'm against devaluing our work collectively. One CA is enough to get us looking for other jobs if you don't mind.

When you didn't get your way instantly, you made threats against Mozilla, an 
organization for which many of us have a lot of respect.

I never threatened Mozilla. If at all, I made clear what the results may be. Including this specific incident shows clearly that my arguments and concerns were real in many ways. Here we have a CA which issues domain validated wild cards up to ten years. Now you tell me how this is OK - especially in light of what happened.

I care about what I'm doing, yes! And I have no intention of apologizing for it.

Yes, exactly. And you, the COO/CTO of a trusted CA, are making public threats 
that would be the equivalent of that. I understand that you don't think that is 
a problem; please understand that others might think it is.

OK, maybe I should have made my point differently.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
