On 26/12/08 22:38, Kyle Hamilton wrote:
> See, Robin, my thought is this:
> You've already shown that it's possible for the RA function to bypass
> all controls. At this point, because they're not subject to the same
> audits that Comodo is, and because the last WebTrust audit that anyone
> here can find any record of is in 2007, I find it difficult to believe
> that you have the "annual external audit".
> The internal controls are supposed to prevent this kind of
> mis-issuance. Because they didn't, they throw all the audits that you
> have provided into doubt. Because of this, there is no trust that I
> have in Comodo's operation.
The internal controls are not supposed to "prevent mis-issuance". This
is a gross consumer simplification, and has no place here. The controls
are meant to reduce the likelihood of them, make them discoverable, and
deal with them when they happen.
We can no more "prevent" bad certs than we can stop the winter from
coming. The point is to put in place economically reasonable policies
and practices that meet an appropriate balance of security versus cost.
If there has been a case where a particular instance has swayed and
delivered too much convenience, for too high a security risk, then the
systems will deal with it.
So far the systems are dealing with it. Check the facts: CA was
notified. Reseller frozen. Certs revoked. Internal audits are
checking. External audit might get involved. This is what the systems
are supposed to do.
To all: Although we might in other contexts promote the use of open
forums for open governance purposes -- analysis and discussion of the
properties of providers by open parties -- *this public lynching is not
that*.
It is neither informed, nor professional.
Mozilla runs a process where there is a one week period of public
scrutiny of a CA. During that time, we could reasonably argue that
people here are invited to state their fears. We might consider
discussions to be more "privileged" such as in parliament.
However, outside that week, there is no such protection. Where people
in this group have crossed the line, and made actionable statements,
and/or done actionable harm to a business or individual, they should
note: it is unlikely that Mozilla, or the community, or the businesses
as a whole will, can or should protect them. And where corporates are
forced to be quiet for fear of reputational damage, then it is up to the
rest of us to seek professionalism and self-governance.
The process of recovery from this hack is not an open nor public
process. CAs, as businesses, and audits, as governance, are not
generally public affairs.
If you wish to advance these into the open, by all means do, but first,
establish a policy and a practice. Let's establish guidelines on
reasonable behaviour so that criticism can be seen in a narrow context,
and can be protected and informed.
Elsewise, it is unbalanced. You can talk unprofessionally, but others
are forced to remain silent. Any comments are wasted, discussion is
fruitless at best, and at worst, the mob will have their way.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto