On 10/24/2008 12:54 AM, Julien R Pierre - Sun Microsystems:
> If a root ended up being compromised and we heard about it, I can assure
> you that we would produce a new NSS release with an updated root cert
> module with all due haste - meaning probably within a couple of business
> days.

Under certain circumstances that's a long time. But I wasn't talking
exclusively about current releases of NSS and Mozilla products (which
I'm pretty familiar with, as well as the expected time frame to push out
an emergency release); I was rather talking about
- software that uses NSS but isn't a product of Mozilla
- other libraries

How to reach them within a reasonable useful time? I guess controlling
that on the software level is problematic. For one, I'd expect MS to be
fastest under such circumstances - at least for those that update their
OS... same for other supported operating systems (like Red Hat), but a
lot slower for applications which ship the crypto library (like NSS) as
part of their software.

There was a time when CRLs for EE certificates updated every two weeks
or so, something which these days sounds absolutely insufficient. OCSP
seems to be a lot more responsive (caching is usually limited to one day
- at least for NSS), but still... time is of the essence under such
circumstances. I think that the current options at the hand of CAs are
limited to say the least.

Just imagine that one of the roots in NSS would have been affected by
the Debian fiasco - pretty much anybody out there could have played
CA... for days, maybe weeks, maybe beyond. That's scary.

--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org