On Dec 23, 9:44 pm, doug...@theros.info wrote:

> On 23 Dec, 18:23, Daniel Veditz <dved...@mozilla.com> wrote:
>
> > Frank Hecker wrote:
> > > Eddy Nigg wrote:
> > > > Disabling the trust bits of "AddTrust External CA Root" could be a
> > > > temporary measure to prevent damage to relying parties
> > >
> > > Also note that any "suspension" of a root would last at least 1-3 months,
> > > since that's the typical interval between security updates for Firefox and
> > > other Mozilla-based products.
> >
> > And we don't have a magic switch we can flip in the office. We'd have to
> > make the change, test the change, make the builds, ship the builds,
> > users would have to update (about a week from ship until most users have
> > the update).
> >
> > If the sole purpose of the update was to break lots of sites (from the
> > user's POV) then some number of them disable updates, making them less
> > secure in the future.
> >
> > If Comodo is acting in good faith then anything they can do would be
> > lightyears faster than a client update. If they're not fulfilling their
> > responsibilities then a permanent removal would make sense, but given
> > the time scales it's hard to see how a "temporary" month-or-so removal
> > helps.
> >
> > Maybe we need to build in something like a CRL that pings back to
> > Mozilla that would let us revoke roots without having to ship a client
> > update.
>
> I, for example, have an SSL cert from a Comodo reseller, and they DID
> make all the validation steps.
>
> My site, a legitimate one, would be in trouble with this. Are you all
> sure that it is a good measure to just knock off the root cert or
> security bit?
>
> please, think twice
I'm puzzled by the security approach on this issue. There was a severe security problem, and at least two, maybe many certs are compromised, who knows by this point. Do I still have trust in the certs of Comodo or their signing resellers? No, not until the whole issue is cleared up completely. Now it's the user's duty to check every cert on the issuer to evaluate the trust level, while his browser states that everything is fine? This is not about punishing Comodo, their resellers or their customers, this is about trusting my browser software.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto