On 12/27/2008 12:54 AM, Ian G:

> We can no more "prevent" bad certs than we can stop the winter from
> coming. The point is to put in place economically reasonable policies
> and practices that meet an appropriate balance of security versus cost.

Yeah right! It really depends what the right balance is, ehhh?!

> So far the systems are dealing with it. Check the facts: CA was
> notified. Reseller frozen. Certs revoked. Internal audits are checking.
> External audit might get involved. This is what the systems are supposed
> to do.

The story starts before that. You are just seeing the tail, I'm seeing what preceded that - or better, what did not happen and should have.

That's not up to an internal audit as if it were a well-hidden bug in one of Comodo's systems that somebody succeeded in cracking. But maybe Robin can explain to us which failures happened on their side, as they are taking supervision of RAs and resellers very seriously. But that's most likely something which we'll never know.

> However, outside that week, there is no such protection. Where people in
> this group have crossed the line, and made actionable statements, and/or
> done actionable harm to a business or individual, they should note: it
> is unlikely that Mozilla, or the community, or the businesses as a whole
> will, can or should protect them.

Are you speaking in the name of Mozilla? Or in the name of the community? Or in the name of which business exactly?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
