On 12/30/2008 03:44 AM, Grey Hodge:
Considering the KNOWN size of the breach, a maximum of 111 certs, less than
ten percent of which could not be verified in 2 days, only 2 of which were
confirmed to be fraudulent (both your attempts), I don't think this requires a
revocation. If we /can/ resolv
I would LOVE for Comodo to clean up its practices.
Including "decertifying the CA that does not adhere to financial
levels of control that is certified by a CA that does".
-Kyle H
On Mon, Dec 29, 2008 at 5:44 PM, Grey Hodge wrote:
> On 12/29/2008 4:46 PM Eddy Nigg cranked up the brainbox and sa
On 12/29/2008 4:46 PM Eddy Nigg cranked up the brainbox and said:
> The number of customers never was a known criterion of CAs' business
> practices ever.
I also don't know how many Credit cards Bank of America issues, but I can
guess with reasonable accuracy.
> Isn't the responsibility of a CA th
On 29.12.2008 07:59, Nelson B Bolyard wrote:
Perhaps the policy should even go so far, as Kai has suggested, as to
require that whatever entity performs the verification of subject
identity for the CA must be audited.
Yes. Not perhaps.
The verification is one of the two core operations of t
On 12/29/2008 12:23 PM, Grey Hodge wrote:
> On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said:
>> And since the number one reason for having a CA in the root list is
>> for Mozilla-software user security, how do you arrive at "punish [...]
>> millions of users"?
>
> If all of Co
On 12/29/2008 10:23 PM, Grey Hodge:
Indeed, I am, as an educated guess. Comodo is a root CA. You don't get root
status by having a handful of customers.
The number of customers never was a known criterion of CAs' business
practices ever.
It's hard business to break into, and
Comodo has been a
On 12/29/2008 8:45 AM Eddy Nigg cranked up the brainbox and said:
> Please do not add comments to that thread without relevance, thanks.
Excuse me, I've had enough of your arrogant attitude. I've seen the way you've
been treating people and I can name half a dozen off the top of my head you've
bee
On 12/29/2008 3:47 AM Kyle Hamilton cranked up the brainbox and said:
> And since the number one reason for having a CA in the root list is
> for Mozilla-software user security, how do you arrive at "punish [...]
> millions of users"?
If all of Comodo's certs cease to be trusted, millions of web s
On 12/29/2008 07:40 AM, David E. Ross:
On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:
CertStar was found out, only due to the diligence of someone on this
list. How many other RAs haven't been found out yet? We can't know,
because Comodo won't say. This affects the confidence I have in
On 12/29/2008 09:41 AM, Grey Hodge:
Apparently, but that doesn't mean it's invalid. Mozilla can't act arbitrarily
and without cause and expect to retain any shred of respect or
trustworthiness.
Nobody suggested that I think. There is however real cause for concern.
Yes, perhaps, and perhaps
On 29/12/08 09:47, Kyle Hamilton wrote:
Uhm...
how did you arrive at the "tens of thousands of other Comodo
customers" figure? I don't believe that Comodo has disclosed the
number of unique domain names served by certificates that it has
issued.
http://www.securityspace.com/s_survey/sdata/20
Uhm...
how did you arrive at the "tens of thousands of other Comodo
customers" figure? I don't believe that Comodo has disclosed the
number of unique domain names served by certificates that it has
issued.
And since the number one reason for having a CA in the root list is
for Mozilla-software u
On 12/28/2008 9:42 AM Eddy Nigg cranked up the brainbox and said:
> On 12/28/2008 04:24 PM, Ian G:
>> No, I'm afraid there is an agreement to list the root, under a policy.
>> Once listed, Mozilla has to operate according to its side of the bargain.
> Apparently you are reading something I haven't.
David E. Ross wrote, On 2008-12-28 21:40 PST:
> Now that it is known that a subordinate reseller operating under one CA
> issued certificates without authenticating the identity of the
> subscribers, we know that the theoretical concern expressed (before all
> this) about resellers is no longer
On 12/28/2008 3:45 PM, Kyle Hamilton wrote [in part]:
> CertStar was found out, only due to the diligence of someone on this
> list. How many other RAs haven't been found out yet? We can't know,
> because Comodo won't say. This affects the confidence I have in their
> system (i.e., it removes AL
On 12/29/2008 03:09 AM, Ian G:
The point I have made is that the discussion of Comodo's operations is
outside scope of this forum. You may feel that you have an opinion, and
you have a right to it. However, this forum is not for the investigation
of breaches or failures to comply with policies.
On 29/12/08 00:36, Kyle Hamilton wrote:
On Sun, Dec 28, 2008 at 6:24 AM, Ian G wrote:
Unlike you, Eddy actually runs a certifying authority. This means
that he has operational experience with not only the technical sides
of things, but also the legal sides of things.
I support your right
On Sun, Dec 28, 2008 at 3:42 PM, Ian G wrote:
> On 29/12/08 00:37, Kyle Hamilton wrote:
>> Considering that "trustability" is viewed as a binary state, it's the
>> only weapon that Mozilla has.
>
>
> Yes. This is reason for concern.
FWIW, I agree.
Alright, I propose that, in a new thread, we op
On Sun, Dec 28, 2008 at 7:37 AM, Ian G wrote:
>> That's for the specific certstar case. Domain validation isn't performed
>> by Comodo on a wide scale apparently and perhaps no validation is
>> performed at all.
>
>
> Oh, that's a new claim, beyond this reseller.
You're only just now figuring tha
On 29/12/08 00:37, Kyle Hamilton wrote:
On Sun, Dec 28, 2008 at 9:28 AM, Ian G wrote:
On 28/12/08 17:06, David E. Ross wrote:
How about the users of Mozilla products who might lose money or even go
bankrupt because they trusted a root certificate from such a CA? No,
such losses are not known
On Sun, Dec 28, 2008 at 9:28 AM, Ian G wrote:
> On 28/12/08 17:06, David E. Ross wrote:
>> How about the users of Mozilla products who might lose money or even go
>> bankrupt because they trusted a root certificate from such a CA? No,
>> such losses are not known (yet). What did happen, however,
On Sun, Dec 28, 2008 at 6:24 AM, Ian G wrote:
> (following is just for the record so as to deal with the response. No new
> info is in here for other readers.)
I would very much appreciate it if you would stop using fear,
uncertainty, and doubt to manipulate the audience into believing your
and
On 28/12/08 17:06, David E. Ross wrote:
On 12/28/2008 4:46 AM, Ian G wrote [in part]:
First, losses we will incur, regardless:
... The CA will lose; potentially it will lose its
revenue stream, or have it sliced in half (say), which is what we would
call in business circles a plausible
On 12/28/2008 4:46 AM, Ian G wrote [in part]:
> On 28/12/08 12:13, Kai Engert wrote:
>
>> If we'd like to be strict, we could remove CAs from our approved list if
>> they have shown to be non-conforming in the above way.
>
>
> Yes, we could! But this is what we call a blunt weapon. It is also
On 28/12/08 15:42, Eddy Nigg wrote:
On 12/28/2008 04:24 PM, Ian G:
I was clearly replying to the later part:
The CA will lose; potentially it will lose its revenue stream, or have
it sliced in half (say), which is what we would call in business circles
a plausible bankruptcy event.
It's not rele
On 12/28/2008 04:24 PM, Ian G:
1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we w
(following is just for the record so as to deal with the response. No
new info is in here for other readers.)
On 28/12/08 14:21, Eddy Nigg wrote:
On 12/28/2008 02:46 PM, Ian G:
1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers
On 12/28/2008 02:46 PM, Ian G:
1. Certs: All end-users who rely on these certs will lose. That probably
numbers in the millions. All subscribers will lose, probably in the
thousands. The CA will lose; potentially it will lose its revenue
stream, or have it sliced in half (say), which is what we
On 28/12/08 12:13, Kai Engert wrote:
If we'd like to be strict, we could remove CAs from our approved list if
they have shown to be non-conforming in the above way.
Yes, we could! But this is what we call a blunt weapon. It is also a
dangerous weapon. Consider (all) the consequences in th