On 12/30/2008 03:44 AM, Grey Hodge:
> Considering the KNOWN size of the breach, a maximum of 111 certs, less than ten percent of which could not be verified in 2 days, only 2 of which were confirmed to be fraudulent (both your attempts), I don't think this requires a revocation. If we /can/ resolve this issue without revoking, why shouldn't we?
Well Grey, this is only what we know with almost certainty. There is a big question about what we don't know. There are contradicting practice statements: one of them suggests that there might be more (unvalidated certs), the other one suggests that validation isn't performed by Comodo, even if required as per their policy.
> There's a reason "netcraftconfirmsit" is a tag on Slashdot, and it's not because Netcraft is a bastion of statistical rigor.
Still, it gives a better indication.
> So far, I have no reason to believe Comodo can't tighten up their practices without nuking millions of web surfers.
That would be great; this is really, really what we want here. There is no fun in pulling a root; that's for emergencies. I'm certain that whatever Comodo does in this respect will influence any decision taken at Mozilla. Hopefully Robin will tell us more soon...
-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto