On 22/1/09 02:17, lots of people wrote:
At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote:
Perhaps Mozilla should change its policy to require CAs to revoke certs
when the private key is known to be compromised, whether or not an attack
is in evidence, as a condition of having trust bits in Firefox.

Fully agree.


There have been a lot of calls to "change the policy" ... has someone thought to keep a record of all these? Here's what I recall so far:

  * MD5 should be dropped [1]
  * publication of private key is considered to be compromise
    + compromise should cause revocation
  * no resellers
  * drop the root of any rogue CA

I'm just wondering how far we are away from what people think is the right place.

Are these things for policy changes, or are they just for "troublesome practices" pages? Or are they disputes?

If there are more than three things in the list, we are beyond minor tweaks, so we may find ourselves in a major revision cycle. I don't think Mozo has the resources for that, but that's just my view.

iang

[1] http://www.heise-online.co.uk/security/MD5-attack-on-Microsoft-s-Authenticode--/news/112448
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
