Jean-Marc Desperrier wrote, On 2009-01-21 01:13 PST: > Now did we not receive promises by the CAs that they were *actively* > working to solve the problem and get all sites to replace their cert ?
Yes, but some of the CAs were emphatic that they would not revoke the certs unless their customers requested them to do so. As I understand it, basically they said that their agreement with their customer did not allow them to revoke the cert without the customer's permission, unless they were presented with evidence of an actual attack/compromise of the site whose cert was affected. I did not like that position, but they were adamant. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
