* Eddy Nigg:
> As a matter of fact, most CAs have policies in place which require
> them upon knowledge of potential or *suspected* compromise to revoke
> ANY certificate. I'm certain those policies exist for the top CAs
> covering the majority of certificates. The keys are compromised, not
> only suspected to be compromised. It's known which keys and
> certificates are affected (by the CAs themselves).
Yes, but we don't know all the CAs that exist and are recognized by Mozilla. 8-( If you've got a sub-CA under a browser-listed root CA, it's kind of hard for Mozilla or the root CA to enforce any rules (let alone detect violations).

What about requiring that all certificates must be published by the CA (including sub-CAs)?

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto