If we decide that a CA does not operate properly, but we don't want to cause problems for users, another option would be to shorten the expiry date of the relevant root certs to one year or less.

Technically, that should be possible. The cert is public anyways. The current certs are probably self-signed, but I don't know if that's necessary for NSS to function - I don't think it's inherently necessary, so NSS could be changed to allow the roots to be not self-signed (but instead signed by e.g. a Mozilla Foundation cert). What's important is the trust that the cert gains by being included in the root cert store shipping with Mozilla.

This would mean that users could continue to browse normally, including SSL verification. Website owners would have one year (or less) to get certs from another CA, which does proper verifications. We restore proper functioning of the system within one year (or less).

And we have a real threat to CAs.

Ben
_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
