On 01/05/2009 04:56 PM, Gervase Markham:
I am not saying the two incidents were the same - I think every incident has to be assessed individually. I am just saying that you cannot make such a division so quickly and easily.
Not quickly and easily - agree on that. And every incident needs to assessed on its own merits, that's what I said too. Nelson suggested that both were "just" flaws and it sounded like it can be put to rest now.
No excuses on having a flaw and StartCom treated the incident as a "critical event" which required full reporting on the events and its resolution. It was certainly not taken lightly even though the event itself was handled excellent (IMO) and the systems proved themselves to a great extend. However I'm very certain that flaws do happen here and elsewhere, just look at the critical bugs Firefox has every here and now, despite great QA and thousands of eyes looking at the code and testing. It matters what is done with it and how to prevent it if possible. Reporting, alertness and correct response is crucial too for such events.
Now, this issue is quite different to that of Comodo, since StartCom has no stipulation for RAs. As a matter of fact I'm proposing to Comodo to perform domain and email validations by themselves, with being fully aware that flaws can happen even at their systems. The issue I'm seeing with Comodo is policy and implementation wise - besides the poor performance (or was it negligence?) of the certstar reseller. In that, both CAs differ greatly in many ways including the events themselves, reporting and their resolution.
Therefor we can't lump just all failures together and as you correctly stated, there is no clear line between one and the other. This is what I was saying.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: start...@startcom.org Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
