The only effective and appropriate response to a root that does not have sufficient internal controls to maintain its own security is to remove the trust in it. If you've purchased a certificate from them because it's trusted, and then they lose that trust, I would think that you should be clamoring for your money back and looking for an alternate certificate issuer rather than trying to maintain the problem.
-Kyle H On Tue, Dec 23, 2008 at 12:44 PM, <doug...@theros.info> wrote: > On 23 dez, 18:23, Daniel Veditz <dved...@mozilla.com> wrote: >> Frank Hecker wrote: >> > Eddy Nigg wrote: >> >> Disabling the trust bits of "AddTrust External CA Root" could be a >> >> temporary measure to prevent damage to relying parties >> >> > Also note that any "suspension" of a root would last at last 1-3 months, >> > since that the typical interval between security updates for Firefox and >> > other Mozilla-based products. >> >> And we don't have a magic switch we can flip in the office. We'd have to >> make the change, test the change, make the builds, ship the builds, >> users would have to update (about a week from ship until most users have >> the update). >> >> If the sole purpose of the update was to break lots of sites (from the >> user's POV) then some number of them disable updates, making them less >> secure in the future. >> >> If Comodo is acting in good faith then anything they can do would be >> lightyears faster than a client update. If they're not fulfilling their >> responsibilities then a permanent removal would make sense, but given >> the time scales it's hard to see how a "temporary" month-or-so removal >> helps. >> >> Maybe we need to build in something like a CRL that pings back to >> Mozilla that would let us revoke roots without having to ship a client >> update. > > I, for example, have a ssl cert from comodo reseller, and they DO have > made all the validation steps. > > My site, a legitimate one, would be in trouble with this. Are you all > sure that it is a good measure to just knock off the root cert or > security bit? > > please, think twice > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto > _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
