* Eddy Nigg:

> On 01/22/2009 11:59 AM, Florian Weimer:
>>> http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt
>>
>> The list doesn't include sub-CAs, which are equivalent to listed CAs
>> for all practical purposes.
>
> Well, if you ping a web site then you'll most likely also know the
> issuer and ultimately the CA root. Scripts can do that too...
>
> ...but since CAs know to whom they issued certificates and have the
> certificates themselves, it's very easy for them to find the
> compromised keys.
The Mozilla-listed CA does not know which certificates have been issued
if there's an intermediate CA. Mozilla does not know which intermediate
CAs exist. So there's not much room for proactive action. You can only
run after individual certificates.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto