Nelson B Bolyard:
>
> I'll be convinced when I see the cert and/or see the web site's enrollment
> page with that feature. There's one CA that can kiss its place in the root
> list good-bye.
>
Quoting from the article: "The one obtained by the researcher at Black Hat was for MSFT’s https://login.live.com site, he didn't disclose the CA that issued it to him but it was one that was trusted in IE by default."

First of all, this CA doesn't have to be in NSS, but is in IE. Luckily not every CA which is trusted by MSIE is also in Mozilla. Some of you might be surprised about which aren't in NSS and most likely rightly so. MS doesn't have the same requirements as Mozilla. Not sure now if they require domain validation, but maybe not...

Second, Mozilla and/or Microsoft might be able to force the disclosure of that CA. Most likely they removed the evidence at the web site and revoked the certificate by now, but the certificate itself might be proof enough.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto