On 22/1/09 00:07, Nelson B Bolyard wrote:
> Jean-Marc Desperrier wrote, On 2009-01-21 01:13 PST:
>
>> Now did we not receive promises by the CAs that they were *actively*
>> working to solve the problem and get all sites to replace their cert?
>
> Yes, but some of the CAs were emphatic that they would not revoke the
> certs unless their customers requested them to do so.  As I understand it,
> basically they said that their agreement with their customer did not allow
> them to revoke the cert without the customer's permission, unless they were
> presented with evidence of an actual attack/compromise of the site whose
> cert was affected.  I did not like that position, but they were adamant.


Although it is good that people rose to the challenge of the Debian PRNG failure, I do not understand the position that all certs had to be revoked. Isn't it a situation between the Subscribers, Relying Parties and the CA concerned? That is, notification is as far as you can go?

As a sort of odd anecdote, one person of some rather excellent crypto and PKI knowledge over at CAcert insisted that he be allowed to be able to publish his private key for some arcane crypto experiment. As far as I know, he didn't get a positive answer on that point ... but it does rather make one think about the limits of the process.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto