On Tue, Dec 30, 2008 at 12:47 PM, Florian Weimer <f...@deneb.enyo.de> wrote:

> Usually, if the industry is not totally rotten, some players clean up
> the field, often using the court system (we see attempts at that in
> the antivirus market, for instance). I doubt that this will happen
> with certificates because it's hard to see why issuing a certificate
> creates liability, while delegating a domain does not. And this is a
> matter many players will only touch with a ten-foot pole.
This is unfortunately a place where /only/ the browser vendors (as 'source of trusted certificates') can take action.

And now, Ian and other people are saying that roots shouldn't ever be revoked because of "business concerns", and I and others are saying that roots need to be revoked, also because of "business concerns". I am sorry for using this language, but fuck that noise.

Mozilla has an obligation to me as an end-user to uphold its CA program mission and stated requirements for participation, since it provided me the certificates that I am (by user interface) almost unable to quickly, easily, and thoroughly remove the trust from -- and also by making it impossible for me to completely remove the certificates that I remove trust from while keeping the ones that I don't want to remove the trust from in my local softoken.

NSS's public non-programmer interface tools need a major redesign (if nothing else, certutil and modutil need to be modified to include 'print NSS and tool version' options and make their command-line parameters similar). Firefox's UIs for certificate-related things need to be completely thrown out and rebuilt from scratch.

This situation is completely unworkable as it stands.

-Kyle H

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
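For readers who want to see what the "remove the trust from" step in the post above actually looks like at the certutil level, here is an added example (it is not part of Kyle's message and not NSS project code). It builds a throwaway self-signed root so it runs offline, imports it into a fresh NSS softoken database with full CA trust, then overrides that trust with the explicit "p" (prohibited) flags and finally deletes the certificate. It assumes certutil from the NSS tools is on PATH; the database directories, the password "demo-pass", and the nickname "Example Test Root" are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): overriding and removing trust
# for a root in an NSS softoken database with certutil.  Database paths,
# the password and the nickname "Example Test Root" are demo assumptions.
set -eu

NICK="Example Test Root"

# Build a throwaway self-signed "root" in a scratch database and export it
# as PEM, so the demo never touches a real CA certificate.
nss_make_root_pem() {            # $1 = output PEM path
    scratch=$(mktemp -d)
    printf 'demo-pass\n' > "$scratch/pw"
    head -c 1024 /dev/urandom > "$scratch/noise"
    certutil -N -d "sql:$scratch" -f "$scratch/pw"
    certutil -S -d "sql:$scratch" -f "$scratch/pw" -z "$scratch/noise" \
        -n "$NICK" -s "CN=Example Test Root,O=Example" -x -t "C,," \
        -k rsa -g 2048 -v 12 -m 1 >/dev/null
    certutil -L -d "sql:$scratch" -n "$NICK" -a > "$1"
    rm -rf "$scratch"
}

# Create a fresh user database (the softoken) and import the root with CA
# trust for SSL, S/MIME and code signing, the way a shipped root looks.
nss_init_db() {                  # $1 = db dir, $2 = PEM file to import
    printf 'demo-pass\n' > "$1/pw"
    certutil -N -d "sql:$1" -f "$1/pw"
    certutil -A -d "sql:$1" -f "$1/pw" -n "$NICK" -t "C,C,C" -a -i "$2"
}

# Print the trust attributes (SSL,S/MIME,JAR/XPI) recorded for the
# nickname, or nothing if the certificate is no longer in the database.
nss_trust_flags() {              # $1 = db dir
    certutil -L -d "sql:$1" | awk -v n="$NICK" 'index($0, n) == 1 { print $NF }'
}

# Explicit distrust: "p" (prohibited) is stronger than an empty flag and is
# what an override looks like for a root the user cannot delete.
nss_distrust() {                 # $1 = db dir
    certutil -M -d "sql:$1" -f "$1/pw" -n "$NICK" -t "p,p,p"
}

# Deletion is only possible for certificates held in the softoken itself.
nss_delete() {                   # $1 = db dir
    certutil -D -d "sql:$1" -f "$1/pw" -n "$NICK"
}

# Walk through trust -> distrust -> delete, printing the flags at each step.
nss_demo() {
    db=$(mktemp -d)
    nss_make_root_pem "$db/root.pem"
    nss_init_db "$db" "$db/root.pem"
    echo "after import:   $(nss_trust_flags "$db")"
    nss_distrust "$db"
    echo "after distrust: $(nss_trust_flags "$db")"
    nss_delete "$db"
    echo "after delete:   '$(nss_trust_flags "$db")'"
    rm -rf "$db"
}

if command -v certutil >/dev/null 2>&1; then
    nss_demo
else
    echo "certutil (NSS tools) not found; nothing to do" >&2
fi
```

The distinction between `-t ",,"` (no trust recorded) and `-t "p,p,p"` (explicitly prohibited) matters for the situation the post complains about: roots that Firefox ships in its read-only built-in token cannot be deleted with `certutil -D` at all, so the only thing a user can do is record a distrust override for them in the softoken, which is what the "p" flags represent. Deleting outright, as the last step shows, only works for certificates that live in the user's own database.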