On 28/12/08 17:06, David E. Ross wrote:
> On 12/28/2008 4:46 AM, Ian G wrote [in part]:
>> First, losses we will incur, regardless:
>> ... The CA will lose; potentially it will lose its
>> revenue stream, or have it sliced in half (say), which is what we would
>> call in business circles a plausible bankruptcy event.
>
> So when a CA behaves badly, we should still be concerned that the CA
> might lose money? Because a CA might go bankrupt, we should do nothing?

No, that's not my conclusion. I simply listed some losses. Now add it
to the other comment I made to Eddy's response:
> Let me put it another way: one phone
> call from the CA's lawyer to Mozo's
> lawyer is probably sufficient to
> solve this problem *for the CA*.
The problem is, that particular cost will have impacts. We can talk all
we like about the proper or right thing to do, but Mozilla's general
counsel will likely think differently, will likely urge caution.
(That's just general business knowledge...)

> How about the users of Mozilla products who might lose money or even go
> bankrupt because they trusted a root certificate from such a CA? No,
> such losses are not known (yet). What did happen, however, indicates
> that such losses are indeed possible and not only through Certstar.

Yes, indeed. That's a big question.
What I am suggesting is that "dropping the root" will not address that
question. It is too blunt a weapon to be used reliably.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto