On 01/22/2009 01:07 AM, Nelson B Bolyard:
Yes, but some of the CAs were emphatic that they would not revoke the
certs unless their customers requested them to do so.  As I understand it,
basically they said that their agreement with their customer did not allow
them to revoke the cert without the customer's permission, unless they were
presented with evidence of an actual attack/compromise of the site whose
cert was affected.  I did not like that position, but they were adamant.


Isn't the publishing of the private key enough evidence for compromise? At least it got us and some others to revoke all weak keys.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
