* Nelson B. Bolyard:
> IMO, yes, it is enough evidence. But the position of those CAs, as I
> understand it, is that such publication is only a potential compromise.
> They require evidence that the published key is actually being used to
> attack the site. Otherwise, their customer agreement does not let them
> revoke the certs. I don't think that's an honorable position for a CA
> to be in, but that's just my opinion.

It's more like the CA policies prevent obtaining customer private keys, so they can't check at all.

> Perhaps Mozilla should change its policy to require CAs to revoke certs
> when the private key is known to be compromised, whether or not an attack
> is in evidence, as a condition of having trust bits in Firefox.

I don't think this can be made a requirement. Sudden improvements in cryptanalysis are possible, and you don't want to turn that into an effective DoS attack on Internet users, do you?

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto