On 01/25/2009 11:02 PM, Florian Weimer:

The Mozilla-listed CA does not know which certificates have been
issued if there's an intermediate CA.  Mozilla does not know which
intermediate CAs exist.  So there's not much room for proactive
action.  You can only run after individual certificates.

Well, this thread started out with the request that Mozilla should change its policy to require CAs to revoke certificates when the private key is known to be compromised.

We've got a lot of information about web sites which have broken or weak keys (a compromise is very likely). We've now got another list of 250,000 web sites, some of which most likely have such keys as well. It's easy to track those to the CA, even when issued by an intermediate.

Actually this is the only way to detect if CAs revoked such keys or not. Even for CAs which issue directly from the root it won't help a lot if you don't know any web sites. It basically doesn't matter if an end-user certificate is issued directly from a root or from an intermediate; in the end they all chain to a root.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
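The check Eddy describes (take a list of sites with weak keys, walk each certificate up through any intermediate to its root, and see whether the issuing CA actually revoked it) as an added illustration that is not part of this thread; all certificate records, fingerprints and CRL contents are constructed toy values, and `Cert`, `build_chain` and `audit` are names chosen here, not a real PKI library.

```python
# Added illustration (constructed records, not the thread's data): trace weak-key
# site certificates through any intermediate to the root and flag unrevoked ones.
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key_fpr: str  # public-key fingerprint (constructed placeholder strings)

def build_chain(leaf: Cert, cas: dict[str, Cert]) -> list[Cert]:
    """Follow issuer names up to a self-signed root; stop on a gap or a loop."""
    chain, seen, cur = [leaf], {leaf.subject}, leaf
    while cur.subject != cur.issuer:
        parent = cas.get(cur.issuer)
        if parent is None or parent.subject in seen:
            break  # unknown intermediate (or cycle): return the partial chain
        chain.append(parent)
        seen.add(parent.subject)
        cur = parent
    return chain

def audit(leaf: Cert, cas: dict[str, Cert], weak_fprs: set[str],
          revoked: dict[str, set[int]]) -> dict:
    """Issuer, root, weak-key status, and whether the issuer's CRL lists it."""
    top = build_chain(leaf, cas)[-1]
    return {
        "site": leaf.subject,
        "issuer": leaf.issuer,
        "root": top.subject if top.subject == top.issuer else None,
        "weak_key": leaf.key_fpr in weak_fprs,
        "revoked": leaf.serial in revoked.get(leaf.issuer, set()),
    }

# Constructed PKI: one root, one intermediate, three site certificates.
ROOT = Cert("Example Root CA", "Example Root CA", 1, "fpr-root")
SUB = Cert("Example Sub CA", "Example Root CA", 2, "fpr-sub")
CAS = {c.subject: c for c in (ROOT, SUB)}
SITES = [
    Cert("weak.example", "Example Sub CA", 1001, "fpr-weak-1"),   # weak, revoked
    Cert("stale.example", "Example Sub CA", 1002, "fpr-weak-2"),  # weak, not revoked
    Cert("direct.example", "Example Root CA", 1003, "fpr-ok"),    # sound key
]
WEAK_FPRS = {"fpr-weak-1", "fpr-weak-2"}  # known weak-key blacklist (constructed)
REVOKED = {"Example Sub CA": {1001}}      # CRL serials per issuer (constructed)

def unrevoked_weak_sites() -> list[str]:
    """Sites with a weak key whose CA has not revoked the certificate."""
    reports = (audit(s, CAS, WEAK_FPRS, REVOKED) for s in SITES)
    return [r["site"] for r in reports if r["weak_key"] and not r["revoked"]]
```

A certificate whose issuer is not in the known CA set comes back with `root` set to `None`, which is exactly the "unknown intermediate" case where Mozilla has nothing to act on until the chain is completed.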
