Comment 155 for bug 232340

(In reply to comment #2)

I've had multiple communications with StartCom both via email and by phone, with independent verification of the phone number and email address. I have no reason to believe that my communications have been spoofed or other maliciously manipulated.

Note that I'm not opposed on principle to adding additional communications channels to ensure we're getting the right root CA certificates. However I'm not going to do this in an ad hoc manner in this particular instance. Feel free to open a thread on the mozilla.dev.tech.crypto newsgroup (dev-tech-crypto mailing list) on this topic, and we can discuss what particular mechanisms might be appropriate for future use. (Just saying "offline, trusted medium" begs the question somewhat, especially if your threat model includes a TLA as the attacker.)