136
edits
Changes
→Issue A: StartCom Cross-signing (2017): update link
Certinomis asked Mozilla to approve their plan to help Startcom, but when the cross-certificates were discovered, [https://groups.google.com/d/msg/mozilla.dev.security.policy/RJHPWUd93xE/lyAX9Wz_AQAJ Gerv responded] "This seems to be very different to the plan you implemented." By cross-signing Startcom's old roots, Certinomis assisted Startcom in circumventing the remediation plan, and by proposing one plan then implementing a different one, Certinomis did so without Mozilla's consent.
Startcom misissued a number of certificates (e[https://crt.g. [3sh/?opt=cablint&id=160150786 example]) under that cross-signing relationship that Certinomis is responsible for as the Mozilla program member.
By cross-signing Startcom's roots, Certinomis also took responsibility for Startcom's qualified audit.
