On 12/23/2008 2:05 PM, Paul C. Bryan wrote:
> Presumably it was Comodo that underwent an audit to be added to
> Mozilla's roots, and Comodo should not be allowed to delegate trust to
> their resellers for domain validation. If, today, trust is delegated
> to their resellers, then we can't trust Comodo, period.
> 
> Although disruptive, their trust bits should be suspended. The
> explanation to users: "The CA purporting to provide assurance about
> the site you are trying to visit cannot be trusted. Please contact the
> site operator and advise them to find a trustworthy certification
> authority."
> 
> Yes, perception is that Mozilla releases code expressly to "break"
> access to legitimate sites, but this is because a trusted CA has gone
> rogue. Users can still jump through hoops to expressly include the
> site's certificate and keep going.
> 
> The trust model for browsers should be fail-safe, even if this
> inconveniences users. Better that than me and countless others
> inadvertently exposing my credentials to a site pretending to be my
> bank, investment house, government revenue agency, etc.
> 
> If Mozilla doesn't pull the trust bits, what's its accountability for
> any breaches that occur due to keeping the bits? With assurance must
> come liability, whether from the certification authority, or those who
> are implicitly trusted with vetting them.

I've turned off all trust bits for all Comodo certs in my own personal,
home installation of SeaMonkey.  That was step one.  I might turn some
back on when I see the consequences.  So far, however, I have not
encountered any secure site using Comodo.

The bigger issue is what will be done by the Mozilla organization.  Now
that Mozilla knows about the problem, I believe they have a liability to
their users if they fail to take action to mitigate the risks to those
users.  This is analogous to laws in many U.S. states that hold a city
liable for automobile damage from a pothole AFTER the pothole is
reported to the city; there is no liability before knowledge but much
liability after knowledge (even if the city did not cause the pothole).

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to
extensions for Firefox, Thunderbird, SeaMonkey, and other
Mozilla-related applications.  You can access Mozdev much
more quickly than you can Mozilla Add-Ons.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
