Uhm...

how did you arrive at the "tens of thousands of other Comodo
customers" figure?  I don't believe that Comodo has disclosed the
number of unique domain names served by certificates that it has
issued.

And since the number one reason for having a CA in the root list is
for Mozilla-software user security, how do you arrive at "punish [...]
millions of users"?

TLS is geared very obviously toward security-of-the-user (among other
things, a server that does not provide a certificate cannot ask for
client authentication), and the user is who we're trying to protect
(since the user is the one who interacts with Mozilla apps) -- NOT the
server.

As far as I can tell, there is no easy way for users to self-identify
whether the web sites that they're going to are using Comodo
certificates.  As far as I can tell, there is no reporting of what CAs
are used by sites browsed to by any given installation of Mozilla
software.

This leads me to believe that there are three possibilities:

1) You have communication from Robin about the number of certificates
that Comodo has issued that the rest of us are not privy to, OR
2) You have some way of knowing what CAs are in use by the servers
that users of the Mozilla applications use (which concept rather
scares me, since it hasn't been disclosed as part of the software
operations), OR
3) You're pulling numbers out of thin air.

-Kyle H

On Sun, Dec 28, 2008 at 11:41 PM, Grey Hodge <g...@burntelectrons.org> wrote:
> On 12/28/2008 9:42 AM Eddy Nigg cranked up the brainbox and said:
>> On 12/28/2008 04:24 PM, Ian G:
>>> No, I'm afraid there is an agreement to list the root, under a policy.
>>> Once listed, Mozilla has to operate according to its side of the bargain.
>> Apparently you are reading something I haven't.
>
> Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily
> and without cause and expect to retain any shred of respect or
> trustworthiness. A policy not adhered to is worthless.
>
>> That's for the specific certstar case. Domain validation isn't performed
>> by Comodo on a wide scale apparently and perhaps no validation is
>> performed at all.
>
> Yes, perhaps, and perhaps they send out certs to anyone who asks nicely, but
> we have little evidence to support these suppositions.
>
> Rather than having a kneejerk reaction of removing Comodo from the root list,
> why don't we examine the situation. This reseller was not acting according to
> proper procedure. Comodo immediately revoked their reseller status, and
> reviewed their certs. Further, they've said they're reviewing their policies
> to ensure this doesn't happen again. Given their candor and quick response,
> what more do you require that you feel you're not getting that would justify
> removing them as a root CA?
>
> I really think you're going overboard. From what I see, I'm not alone in that
> assessment. You did a good job in bringing this to light. Having the issues
> you uncovered addressed and fixed should be sufficient. Why do we need to take
> punitive action that will do nothing but punish tens of thousands of other
> Comodo customers and millions of users?
>
> --
> Grey Hodge
>  email [ grey @ burntelectrons.org ]
>  web   [ http://burntelectrons.org ]
>  tag   [ Don't touch that! You might mutate your fingers! ]
>  motto [ Make everything as simple as possible, but no simpler. - Einstein ]
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>