Eddy Nigg wrote:
Disabling the trust bits of "AddTrust External CA Root" could be a temporary measure to prevent damage to relying parties until Mozilla receives a full report and disclosure from Comodo about its resellers and the conclusion of their investigation.

Do you mean the UTN-UserFirst-Hardware root? According to the screenshot on your blog post, that's the root the bogus cert chains up to. Also, if we were to take action of this general sort (as a hypothetical), what about adding the PositiveSSL CA cert to NSS with the SSL trust bit disabled; wouldn't that accomplish the same purpose, without interfering with other parts of the hierarchy under the UTN-UserFirst-Hardware root? (I seem to recall we've discussed this sort of thing in the past.)

Also note that any "suspension" of a root would last at least 1-3 months, since that's the typical interval between security updates for Firefox and other Mozilla-based products.

Frank

--
Frank Hecker
hec...@mozillafoundation.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
