Ian G wrote:
> On 26/12/08 00:36, Michael Ströder wrote:
>> Paul Hoffman wrote:
>>> At 7:16 PM +0100 12/25/08, Michael Ströder wrote:
>>>> I'd tend to punish a rogue CA by removing their root CA cert from NSS.
>
> I do not see a rogue CA. The evidence of the posts here suggests a flaw
> leading to false certs was found and such certs were issued; and that
> the CA responded when made aware.
>
> What is rogue about that? Are you saying they didn't respond?
Bear in mind I'm not a native English speaker. After looking up "rogue" in a dictionary it seems a little bit strong. So thanks for asking back. Still I think we have a fundamental problem here which was discussed in theory many times before. And the follow-ups by Robin (Comodo) and Patricia (Certstar) IMO show that this problem cannot be solved in practice by just fixing a single mistake.

>>>> Maybe this serves as a good example to other CAs that the Mozilla CA
>>>> policy is really enforced. Otherwise nobody will care.
>>> This is Firefox we're talking about, not IE. Do you really think that
>>> this is going to help end users, or just hurt people who bought
>>> certificates from the lax (not rogue) CA?
>>
>> PKI is about security.
>
> Security is risks and costs. In this case, there is low risk and zero
> costs. Perhaps because the problem was caught early on, but security is
> about real hard facts not conjecture.

Ian, we have had this point many times. Frankly you cannot really estimate risks and costs in such cases since you don't know what happens out there. Bear in mind that even though Mozilla products are provided at no cost to the end user, Mozilla could be held accountable and taken to court in some countries for things going wrong. IIRC here in Germany you cannot effectively disclaim warranty for open source products provided at no cost. To some extent you have to apply generally accepted rules of technology in every case.

> (If you want real hard costs and losses and grief, check out phishing.
> Where's the lynch mob when we are dealing with phishing, I wonder?)

If you really want to discredit me or my comments as a "lynch mob" we can simply stop discussing.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto