* Paul C. Bryan: > Presumably it was Comodo that underwent an audit to be added to > Mozilla's roots, and Comodo should not be allowed to delegate trust to > their resellers for domain validation. If, today, trust is delegated > to their resellers, then we can't trust Comodo, period.
Many of the historic root CAs have a forest of sub-CAs and RAs which are totally undocumented. By your argument, they should be removed as well. Mozilla started to require CPS for sub-CAs only recently. I don't know if this is part of a larger effort to clean up this mess, or was some sort of an ad-hoc decision to make things hard to for a particular CA to get added to the root CA list. Personally, I don't care that much about the root CA list because it's quite clear to me that browsing security does not rely on it. However, if Mozilla went EV-only (which is probably what's favored by some CAs), many users would be warned about sites which are perfectly safe to use. Those operators who wanted to avoid the confusion would have to pay higher road tolls for no real security gains. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
