On 01/22/2009 11:59 AM, Florian Weimer:
> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
> The list doesn't include sub-CAs, which are equivalent to listed CAs
> for all practical purposes.

Well, if you ping a web site then you'll most likely also know the
issuer and ultimately the CA root. Scripts can do that too...
...but since CAs know to whom they issued certificates and have the
certificates themselves, it's very easy for them to find the compromised
keys.

> It's also difficult to match the blobs to
> legal entities ("Equifax" comes to my mind).

I agree, but this is a different matter really.

>> No it's quite easy to do that.
> For Mozilla? How so?

A certificate always has to chain to a valid root, otherwise the
certificate isn't viewed as valid (by Mozilla software anyway).

> Transparency. You can actually check what's in those CRLs and what
> kind of mistakes are being covered up.

Well, there is apparently a problem publishing end-user details so
bluntly, as a recent incident has also shown. Not that it's impossible to
obtain the certificates for many sites, as Johnathan demonstrated with
his robot and as a certain reseller of certificates did as well.
But I agree that it would be interesting to review such a list
and compare it to the published CRLs :-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
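The point made above, that a certificate is only valid when it chains to a listed root, so a sub-CA absent from certdata.txt is as good as a listed one while a chain under an unlisted root is worthless, as an added Go example using only the standard library (this is not code from the thread, from NSS or from StartCom). It constructs a throwaway root, sub-CA and site certificate with made-up names and asks which listed root, if any, anchors the site's chain.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue creates a constructed certificate for name; a nil parent means self-signed (a root).
func issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign // only CAs may sign the next link of a chain
	}
	signer, signerKey := parent, parentKey
	if parent == nil { signer, signerKey = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// RootOf verifies leaf against the listed roots, using the sub-CAs the site served, and
// returns the CommonName of the listed root the chain ends in ("" means no listed root).
func RootOf(leaf *x509.Certificate, served, listed []*x509.Certificate) string {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range listed { roots.AddCert(c) }
	for _, c := range served { inters.AddCert(c) }
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	if err != nil {
		return "" // no path to a listed root: Mozilla software would reject it too
	}
	return chains[0][len(chains[0])-1].Subject.CommonName
}

// Demo: a site certificate issued by a sub-CA that is not in the list, under a root that is.
func Demo() (withRootListed, withRootUnlisted string) {
	root, rootKey := issue("Listed Root CA", true, nil, nil)
	subCA, subKey := issue("Unlisted Sub CA", true, root, rootKey)
	site, _ := issue("www.example.test", false, subCA, subKey)
	served := []*x509.Certificate{subCA} // what the web server would send alongside its cert
	return RootOf(site, served, []*x509.Certificate{root}), RootOf(site, served, nil)
}
```

The first result names the listed root even though the issuing sub-CA appears nowhere in the list; the second is empty because the same chain ends in a root that is not listed.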