On Sun, Dec 28, 2008 at 7:37 AM, Ian G <i...@iang.org> wrote: >> That's for the specific certstar case. Domain validation isn't performed >> by Comodo on a wide scale apparently and perhaps no validation is >> performed at all. > > > Oh, that's a new claim, beyond this reseller.
You're only just now figuring that the security community (those who care about real security, anyway) is claiming that this is a SYSTEMIC problem in Comodo's operations? > Is there any evidence? If so, then maybe there should likely be a new > investigation, and widespread revocations by the CA of the non-verified > certs. OK, as discussed earlier, actual investigations are outside scope of > here (which begs the important question of where it is in scope of!) so > let's not speculate further on Comodo's exact position. No, there isn't. That's the problem -- as has been stated elsewhere in the discussion, security must by its nature be default-deny, not default-accept. This is upheld in the Mozilla products' prevailing view that "unknown_issuer is BAD". > Back to the damages estimate: we still need to form an estimate of how many > certificates were issued to people of malintent. We can't know that, because Robin/Comodo won't tell us. As such, they are hiding material information that we need to make a decision on whether to continue trusting them. > Without that, we are still left with a damages estimate of zero, albeit one > multiplied by a much larger number of users, with a much greater range of > possible error. I'm actually stuck with a damages estimate of a finite number greater-than-zero-but-less-than-all. If one RA can do it and did do it, chances are that in order to stay competitive another one did as well. CertStar was found out, only due to the diligence of someone on this list. How many other RAs haven't been found out yet? We can't know, because Comodo won't say. This affects the confidence I have in their system (i.e., it removes ALL confidence that Mozilla extended on my behalf). -Kyle H _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
