On 12/29/2008 12:23 PM, Grey Hodge wrote:
> On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said:
>> And since the number one reason for having a CA in the root list is
>> for Mozilla-software user security, how do you arrive at "punish [...]
>> millions of users"?
>
> If all of Comodo's certs cease to be trusted, millions of web surfers will see
> errors on potentially thousands of sites.
>
>> This leads me to believe that there are three possibilities:
>> 1) You have communication from Robin about the number of certificates
>> that Comodo has issued that the rest of us are not privy to, OR
>> 2) You have some way of knowing what CAs are in use by the servers
>> that users of the Mozilla applications use (which concept rather
>> scares me, since it hasn't been disclosed as part of the software
>> operations), OR
>
> The fact you think these are even reasonable conclusions tells me a lot about
> your reasoning skills.
>
>> 3) You're pulling numbers out of thin air.
>
> Indeed, I am, as an educated guess. Comodo is a root CA. You don't get root
> status by having a handful of customers. It's hard business to break into, and
> Comodo has been around a while. I find it hard to believe a company of their
> size and age has any fewer than ten thousand certs out there, and that's a
> lowball guess. There are many hundreds of millions of web users, and millions
> of websites. Do you really find it hard to believe at least 1% of those secure
> sites might be using a Comodo cert?
>
For my own installation of SeaMonkey, I disabled all Comodo roots as soon as I understood the problem. I disabled all UserTrust roots some years ago, for reasons I don't remember. I have yet to encounter a problem with any Web site because of this.

The several financial institutions where I access accounts via the Web -- the Web sites for which I'm most concerned -- all seem to use either VeriSign or Equifax for their SSL site certificates. My ISP's Web-mail interface uses Equifax as does the domain registry where I maintain two domains. Amazon.com uses VeriSign.

I'm beginning to wonder what important Web sites do use Comodo.

--
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You can access Mozdev much more quickly than you can Mozilla Add-Ons.