On 02/05/2009 04:05 AM, Frank Hecker:
> * In the near term I think we should make it a recommended practice that CAs should revoke certificates whose private keys are known to be compromised, as well as certificates for which subscriber verification is known to be invalid.
Well, a recommendation is just what it is I guess...
> * In the longer term we can consider making this a policy requirement.
...on the other hand, the issue of the weak Debian keys will in the longer term fade away since the systems get updated (hopefully) and certificates will expire within the next five to ten years. The same applies to MD5 hashes since I believe they will start to disappear now slowly as well. It would most likely have to be a principal decision, unrelated to the issues above.
> There are likely some ambiguities and corner cases we need to worry about, which is one reason why I'd like us to first get some experience with what CAs are actually putting in their CPSs.
If however you intend to have any effect on the desired behavior, then Mozilla must make those things a requirement. As Robin (or was it Rob?) clearly pointed out just recently, as long as it's not in the policy it doesn't exist (even though I pointed out that problematic practices are influencing inclusion requests of roots, it's apparently non-binding for any CA already in the pile (using Paul's preferred definition ;-) ). Or Mozilla must create by-laws to the policy which may change more frequently.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto