On 01/22/2009 08:53 AM, Florian Weimer:
> * Nelson B. Bolyard:
>
>> IMO, yes, it is enough evidence. But the position of those CAs, as I
>> understand it, is that such publication is only a potential compromise.
>> They require evidence that the published key is actually being used to
>> attack the site. Otherwise, their customer agreement does not let them
>> revoke the certs. I don't think that's an honorable position for a CA
>> to be in, but that's just my opinion.
>
> It's more like the CA policies preventing obtaining customer private
> keys, so they can't check at all.

CAs have all the potentially used keys already. CAs can easily find the
affected certificates and some CAs found and revoked all certificates
with weak keys in order to protect the relying parties and subscribers.
CAs don't need to obtain the private keys from their customers.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto