On 12/26/2008 12:24 AM, Paul Hoffman:
> At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
>> I'd tend to punish a rogue CA by removing their root CA cert from NSS.
>> Maybe this serves as a good example to other CAs that the Mozilla CA
>> policy is really enforced. Otherwise nobody will care.
>
> This is Firefox we're talking about, not IE.

Depending on country and audience, Internet Explorer has even less market share than Firefox. We are in 2009, not 2003, if you forgot.

> Do you really think that this is going to help end users,

In the longer term it might. And it really depends on other factors like how many other certs could potentially have been issued this way.

> or just hurt people who bought certificates from the lax (not rogue) CA?

So? They may claim damage from Comodo. Comodo even lists the compatible browsers in their CPS [1] under section 2.1.5 CA Root Public Key Delivery to Subscribers. A CA shouldn't guarantee browser support at any time (and I doubt if Comodo really did).

> In this case, it is also for financial gain by the first one to propose the
> punishment, of course, but the base desire is the same.

Do you mean me? Go back and read what I really proposed: http://groups.google.com/group/mozilla.dev.tech.crypto/msg/fb8c1fbd0c219eb4
But perhaps you'd disclose how many Comodo shares you've got? ;-)

[1] http://www.comodo.com/repository/09_22_2006_Certification_Practice_Statement_v.3.0.pdf

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
