On 26/12/08 00:36, Michael Ströder wrote:
> Paul Hoffman wrote:
>> At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
>>> I'd tend to punish a rogue CA by removing their root CA cert from NSS.
>>
>> I do not see a rogue CA. The evidence of the posts here suggests a flaw
>> leading to false certs was found and such certs were issued; and that
>> the CA responded when made aware.
>> What is rogue about that? Are you saying they didn't respond?
>
> Maybe this serves as a good example to other CAs that the Mozilla CA
> policy is really enforced. Otherwise nobody will care.
>
>> This is Firefox we're talking about, not IE. Do you really think that
>> this is going to help end users, or just hurt people who bought
>> certificates from the lax (not rogue) CA?
>
> PKI is about security.

Security is risks and costs. In this case, there is low risk and zero
costs. Perhaps because the problem was caught early on, but security is
about real hard facts not conjecture.

(If you want real hard costs and losses and grief, check out phishing.
Where's the lynch mob when we are dealing with phishing, I wonder?)

> Strange I have to remind you about that. There is
> a Mozilla CA policy which was violated possibly causing a risk for
> end-users. Mozilla has to give some evidence to the community and CAs
> that the policy is enforced.

But it has! Mozilla talked to the CA. The CA is dealing with it.
There are emails to that extent, posted here.

What else is necessary? And more importantly, why?
iang, curiosity mode switched to hard-ON.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto