Re: [websec] Certificate Pinning via HSTS (.txt version)

Gervase Markham <> Tue, 13 September 2011 20:36 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 5FDC721F8C88 for <>; Tue, 13 Sep 2011 13:36:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id jmZpCUe0E+hP for <>; Tue, 13 Sep 2011 13:36:47 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7FB7921F8C85 for <>; Tue, 13 Sep 2011 13:36:47 -0700 (PDT)
Received: from [] (unknown []) (Authenticated sender: by (Postfix) with ESMTP id DF98E4AEDAF; Tue, 13 Sep 2011 13:38:53 -0700 (PDT)
Message-ID: <>
Date: Tue, 13 Sep 2011 13:38:53 -0700
From: Gervase Markham <>
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:6.0) Gecko/20110808 Thunderbird/6.0
MIME-Version: 1.0
To: Marsh Ray <>
References: <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: IETF WebSec WG <>
Subject: Re: [websec] Certificate Pinning via HSTS (.txt version)
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Web Application Security Minus Authentication and Transport <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 13 Sep 2011 20:36:48 -0000

On 13/09/11 13:06, Marsh Ray wrote:
> Or not, like the Dutch government, have the pull to convince Mozilla to
> hesitate for a few days to revoke your pwned CA.

That is rather unfair. You make it sound like they asked, and we
complied. In truth, we relied on an assessment of the situation from
GovCERT, the Dutch CERT - who have a decent reputation. When their
assessment changed, we changed our position; whether they should have
made their initial assessment the way they did is a good question, and
one which concerned parties should ask them.

It is certainly not an obvious truth, even more so in the heat of the
moment, that a compromise of one part of a certificate hierarchy at a CA
necessarily means that an entirely different one is also compromised. It
may, it may not - that depends on the arrangement and interlinking or
otherwise of the issuance systems.

Anyway, regardless, the situation is more complex than your allegation
of back-room influence.