On 01/29/2009 02:21 PM, Jean-Marc Desperrier:
Eddy Nigg wrote:
[...]
Well, this thread started out with the request that Mozilla should
change its policy to require CAs revoke certificate when the private
key is known to be compromised.
Given the practical problems of revoking a very large number of
certificates, I'd consider it acceptable if the policy only requires the
CA to:
- make the client aware of the situation
- get the certificate promptly replaced if it is actually used on an open
network.
- revoke it if there's a failure to get it replaced within an acceptable
timeframe
I think that this is the approach taken by CAs which decided to revoke
them (there are those which don't). Making the client aware and have him
make the needed preparations is by far the best. Those which ignore (or
fail to receive messages/phone calls) should be revoked within
reasonable time.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto