Nelson B Bolyard:
One or more well-known and large CAs have already found many certs whose public keys are in that list. There's no question that those keys are compromised. The question is: what is the CAs' responsibility regarding the certs with those compromised keys?
That really depends on the CPS, as Paul also indicated. Considering there is proof of a compromised key (in your case it is), then revocation is many times stipulated because the subscriber hasn't used a trustworthy system.
CAs are already doing this, Eddy. The issue is: what is the responsibility after this is done and the compromised certs are identified.
Apparently yes.
It's cheap and pretty fast. I'm sure most CAs who have kept copies of the unexpired certs they have issued could have done it already in the time that this issue has been publicly discussed. Perhaps the very biggest ones would take a little longer.
Yes, maybe I'm seeing a problem where there isn't one.
I don't think a CA can retain credibility if it says "We just won't examine the certs we issued for compromised keys, and that way we won't have any responsibility."
No, I don't think anybody is saying that, sincerely!

Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto