On 14/1/09 06:47, Paul Hoffman wrote:
At 5:29 PM -0800 1/13/09, Julien R Pierre - Sun Microsystems wrote:
IMO, if we don't have complete confidence that every CA and sub CA has closed the
MD5 hole yet,
What level of confidence do we seek?
Bearing in mind that complete confidence is a non-starter because we
have already set a lower standard as far as CAs are concerned.
Do we seek 90% of CAs and 90% of certs within those CAs? Perhaps a
published statement of awareness? Or their plan? Opinion by auditor?
Case-by-case basis?
Then we are failing at our job of policing our trust anchor repository.
"Policing" is a very strong word ...
This is a much larger issue than whether a CA that we would want to remove
anyway can be compromised by this attack.
Indeed. The events of the last month have brought this issue to the
forefront.
It isn't about one CA. It's about Mozilla's role in this market and how
it relates its decisions to its mission, clients, CAs and other
stakeholders.
iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto