Robert Relyea wrote:
> 1) work with CA's, in their existing infrastructures to get those certs
> revoked.
> 2) include that list of keys in the browser itself to detect this
> compromise.
> 3) build a parallel revocation scheme to phone home to mozilla (a.la.
> anti-phishing) to identify sites with revoked keys.
>
> In any event, the final result is websites with these keys need to be
> inaccessible. If 2 or 3 are chosen, we face the situation where mozilla
> will start (some argue continue) to believe that the CA infrastructure
> is irrelevant and push for non-PKI, bare key solutions.

I don't think that quite follows. "Incomplete" rather than "irrelevant", maybe.

> If we see
> cooperation from CA's in quickly revoking those certs which are
> vulnerable, that would be enough to convince mozilla the right way to
> solve the problem is to depend on option 1 and fix revocation in the
> existing browsers.
>
> This is an opportunity to show that PKI infrastructure really works. It
> is by far the best solution.

The difficulty is that, according to initial reports and scans, only about 20% of the certs concerned have an OCSP URL.

Gerv