[cryptography] another cert failure

Jeffrey Walton noloader at gmail.com
Sun Jan 6 22:48:48 EST 2013

On Sat, Jan 5, 2013 at 4:23 PM, Jeffrey Walton <noloader at gmail.com> wrote:
> On Sat, Jan 5, 2013 at 3:59 PM, Ryan Hurst <ryan.hurst at globalsign.com> wrote:
>> ....
> In the future, we won't need their honesty. Or the 'honesty' they want
> us to perceive.
> ....
> Did anyone really think a CA would risk a multimillion dollar business?
Did anything ever emerge about the pre-blog deal?

I suspect Mozilla/Trustwave transpired as follows:

(1) Trustwave issues certificate(s), violates agreements
(2) Trustwave realizes they are exposed to risk that could result in
reputational and financial loss
(3) Trustwave legal engages Mozilla
(4) A deal is brokered
(5) After the deal was executed, Trustwave blogged about the incident.

Everything Trustwave and Mozilla did [publicly] was likely a dog and
pony show to alter our perception of reality.

The outcome was already known and fixed. Otherwise, Trustwave lawyers
would never have agreed to the deal, and the blog never would have

Mozilla had to play dumb to ensure it did not suffer reputational
loss; or jeopardize their relationship with Google, which could have
resulted in significant financial loss.

That also explains why the safety net failed.

