On 23 Dec, 18:23, Daniel Veditz <dved...@mozilla.com> wrote:
> Frank Hecker wrote:
> > Eddy Nigg wrote:
> >> Disabling the trust bits of "AddTrust External CA Root" could be a
> >> temporary measure to prevent damage to relying parties
> >
> > Also note that any "suspension" of a root would last at least 1-3 months,
> > since that is the typical interval between security updates for Firefox and
> > other Mozilla-based products.
>
> And we don't have a magic switch we can flip in the office. We'd have to
> make the change, test the change, make the builds, ship the builds,
> users would have to update (about a week from ship until most users have
> the update).
>
> If the sole purpose of the update was to break lots of sites (from the
> user's POV) then some number of them disable updates, making them less
> secure in the future.
>
> If Comodo is acting in good faith then anything they can do would be
> lightyears faster than a client update. If they're not fulfilling their
> responsibilities then a permanent removal would make sense, but given
> the time scales it's hard to see how a "temporary" month-or-so removal
> helps.
>
> Maybe we need to build in something like a CRL that pings back to
> Mozilla that would let us revoke roots without having to ship a client
> update.

I, for example, have an SSL cert from a Comodo reseller, and they DID do all the validation steps. My site, a legitimate one, would be in trouble with this. Are you all sure that it is a good measure to just knock off the root cert or security bit? Please think twice.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto