* Eddy Nigg:

> On 01/22/2009 11:04 AM, Florian Weimer:
>> * Eddy Nigg:
>>
>>> As a matter of fact, most CAs have policies in place which require
>>> them upon knowledge of potential or *suspected* compromise to revoke
>>> ANY certificate. I'm certain those policies exist for the top CAs
>>> covering the majority of certificates. The keys are compromised, not
>>> only suspected to be compromised. It's known which keys and
>>> certificates are affected (by the CAs themselves).
>>
>> Yes, but we don't know all the CAs that exist and are recognized by
>> Mozilla. 8-(
>
> Of course we know. It's right here:
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

The list doesn't include sub-CAs, which are equivalent to listed CAs for
all practical purposes. It's also difficult to match the blobs to legal
entities ("Equifax" comes to my mind).

>> If you've got a sub-CA under a browser-listed root CA, it's kind of
>> hard for Mozilla or the root CA to enforce any rules (let alone detect
>> violations).
>
> No, it's quite easy to do that.

For Mozilla? How so?

>> What about requiring that all certificates must be published by the CA
>> (including sub-CAs)?
>
> I don't know the benefit for it,

Transparency. You can actually check what's in those CRLs and what kind
of mistakes are being covered up.

> but I guess that sub CAs could be published, end-user certificates
> most likely not.

Why not?

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
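One way to see what the linked certdata.txt does and does not tell you, as an added example that is not part of this thread and not NSS code: a small parser for the certdata.txt layout (one `CKA_* <type> <value>` line per attribute, binary values as `MULTILINE_OCTAL` blocks ending in `END`), run over a constructed fragment, which joins each certificate object to its trust object by label, reads the O= field out of the DER subject, and reports whether the entry is a trust anchor for TLS server authentication. The fragment, both labels, both hashes and both subjects are constructed for this example; the `CKO_NSS_TRUST` / `CKT_NSS_*` spellings are the later NSS names (the 2009 file used `CKO_NETSCAPE_TRUST`), and the join assumes labels are unique. What the example cannot show is the point of the reply above: the file enumerates roots only, so any subordinate CA those roots have issued never appears in it.

```python
import re

# Constructed sample in the certdata.txt layout used by the NSS builtins module
# (assumption: format as in the linked file; the CKA_VALUE certificate blobs are
# omitted, and both CKA_SUBJECT values are hand-built DER Names: C=US, O=...).
SAMPLE_CERTDATA = r"""
# constructed sample, not the real Mozilla file
BEGINDATA

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Equifax Secure CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\037\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020
\060\016\006\003\125\004\012\023\007\105\161\165\151\146\141\170
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Equifax Secure CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_SUBJECT MULTILINE_OCTAL
\060\037\061\013\060\011\006\003\125\004\006\023\002\125\123\061\020
\060\016\006\003\125\004\012\023\007\105\170\141\155\160\154\145
END

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\377\376\375\374\373\372\371\370\367\366\365\364\363\362\361\360\357\356\355\354
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
"""

OID_ORGANIZATION = b"\x55\x04\x0a"   # 2.5.4.10 (O)


def _octal_line(line):
    """Decode one MULTILINE_OCTAL line of \\ooo escapes into bytes."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", line))


def parse_certdata(text):
    """Split certdata.txt text into a list of {attribute: value} objects."""
    objects, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        attr, typ, rest = (line.split(None, 2) + [""])[:3]
        if typ == "MULTILINE_OCTAL":           # binary blob until END
            raw = bytearray()
            while lines[i].strip() != "END":
                raw += _octal_line(lines[i])
                i += 1
            i += 1                              # consume END
            value = bytes(raw)
        elif typ == "UTF8":
            value = rest.strip().strip('"')
        else:
            value = rest.strip()
        if attr == "CKA_CLASS":                 # every object starts with its class
            current = {}
            objects.append(current)
        current[attr] = value
    return objects


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def subject_attribute(der_name, oid):
    """Return the first value of attribute `oid` in a DER-encoded X.501 Name."""
    _, rdns, _ = _der_tlv(der_name, 0)         # SEQUENCE OF RelativeDistinguishedName
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _der_tlv(rdns, pos)       # SET OF AttributeTypeAndValue
        q = 0
        while q < len(rdn):
            _, atv, q = _der_tlv(rdn, q)        # SEQUENCE { type OID, value }
            _, found_oid, r = _der_tlv(atv, 0)
            if found_oid == oid:
                return _der_tlv(atv, r)[1].decode("utf-8", "replace")
    return None


def trust_anchors(objects):
    """Join certificate and trust objects by label; flag TLS trust anchors."""
    certs = {o["CKA_LABEL"]: o for o in objects if o["CKA_CLASS"] == "CKO_CERTIFICATE"}
    report = []
    for o in objects:
        if o["CKA_CLASS"] not in ("CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"):
            continue
        subject = certs.get(o["CKA_LABEL"], {}).get("CKA_SUBJECT")
        report.append({
            "label": o["CKA_LABEL"],
            "organization": subject_attribute(subject, OID_ORGANIZATION) if subject else None,
            "sha1": o["CKA_CERT_SHA1_HASH"].hex(),
            "tls_anchor": o.get("CKA_TRUST_SERVER_AUTH", "").endswith("TRUSTED_DELEGATOR"),
        })
    return report


if __name__ == "__main__":
    for entry in trust_anchors(parse_certdata(SAMPLE_CERTDATA)):
        print(entry)
```

The label is a free-form string and the subject O= is whatever the CA put in its own certificate; neither is a registry of legal entities, which is the mismatch the reply complains about. Run against the real file the same join lists every root the browser ships and which of them are delegators for server authentication, and nothing more: subordinate CAs are not in the file at all.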