On 12/25/2008 02:39 PM, Michael Ströder:
doug...@theros.info wrote:
> I, for example, have an SSL cert from a Comodo reseller, and they DID
> make all the validation steps.
> My site, a legitimate one, would be in trouble with this. Are you all
> sure that it is a good measure to just knock off the root cert or
> security bit?
> Please, think twice.
Douglas, I understand that this would be a problem for you. But after
thinking twice, the larger issue of bad operational practice at
Comodo's CA and its resellers outweighs your personal damage.
If CertStar's operation had been a glitch or a bug in its validation
system and a very isolated event, I would not suggest taking any action
beyond requesting that it be fixed properly, reviewed and approved by
Comodo management.
The very fact that there was no validation in place *at all* suggests,
however, that Comodo hasn't done any review, testing or approval of its
systems. This is beyond the acceptable norm of failures, which certainly
can happen - it suggests gross negligence by Comodo.
Secondly, I believe that such crucial parts shouldn't be outsourced to a
third party - an issue we'll have to look at very closely soon here at
Mozilla. More than that, Comodo doesn't have any controls in place to
prevent fraudulent or mistaken issuance of certificates for high-profile
targets. This is another failure.
Third, as noted, resellers have to undergo only some validations or none
at all - insufficient and not adhering to the Mozilla CA Policy.
The policy is very clear in this respect, and Comodo failed to
disclose this properly during its review this spring.
Douglas, if and when any action is taken, you'll be eligible for
compensation by Comodo. You might have to look elsewhere to get new
certificates. This would perhaps be annoying; however, the risk of
real damage to a third party would be much more severe.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto