On 02/11/2012 11:16 AM, Martin Smith wrote:
>
> Trustwave CA /usr/share/ca-certificates/mozilla/SecureTrust_CA.crt
>
> This company has publicly admitted purposefully supplying a
> subordinate CA to a company for the purpose of MITM attacks, by
> generating SSL certificates on the fly. See
> http://blog.spiderlabs.com/2012/02/clarifying-the-trustwave-ca-policy-update.html
>
> This is currently being debated by Mozilla at
> https://bugzilla.mozilla.org/show_bug.cgi?id=724929 but it has now
> been 4 days since they have been notified with hardly a word from
> Mozilla and I don't think Mozilla are giving this the attention it
> deserves.
I have been following the discussion on the Mozilla dev-security-policy mailing list, and read the bug report a couple days ago. I will catch up on the discussion to see if the issue has gained any clarity.

It is possible for any user to distrust any/all provided certificates they wish with 'dpkg-reconfigure ca-certificates'. If there is a personal desire to distrust the Trustwave CA at this time, prior to full discussion and decision by Mozilla, please do so. Since users have the means to trust/distrust any/all CAs, this particular CA will not be manually removed from the Mozilla CA bundle, until such time Mozilla removes it, if at all.

People and businesses make mistakes all the time. Admitting them is highly unusual, and personally, I applaud the fact they are discussing this publicly. I can understand your feelings on the topic. How do you feel about the sneaky nature of the apparently multiple Verisign compromise disclosures, and the subsequent lack of public discussion - should we also remove their CAs?

-- 
Kind regards,
Michael Shuler
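The reply points at 'dpkg-reconfigure ca-certificates' for distrusting a single CA. The following is an added example, not code from the thread or from the Debian ca-certificates package: it performs the same deselection non-interactively by prefixing the entry in a ca-certificates.conf-style file with '!' (the format that file uses), and is written to operate on any path so it can be exercised on a constructed copy. Entry names other than mozilla/SecureTrust_CA.crt are made up for the demo.

```shell
#!/bin/sh
# Added example: non-interactive equivalent of deselecting one CA in
# "dpkg-reconfigure ca-certificates". /etc/ca-certificates.conf holds one
# entry per line, relative to /usr/share/ca-certificates; a leading "!"
# marks an entry as distrusted. Takes the config path as $1 so it can be
# run against a test copy; on a real system follow it with
# "update-ca-certificates" (as root) to regenerate /etc/ssl/certs.

distrust_ca() {  # $1 = config file, $2 = entry, e.g. mozilla/SecureTrust_CA.crt
    conf="$1"
    cert="$2"
    # Refuse silently editing nothing: the entry must exist (enabled or not).
    if ! grep -qxF -- "$cert" "$conf" && ! grep -qxF -- "!$cert" "$conf"; then
        echo "distrust_ca: entry '$cert' not found in $conf" >&2
        return 1
    fi
    # Exact-match rewrite with awk (no regex metacharacters from the name),
    # idempotent: an already-disabled line is left alone.
    tmp="$conf.tmp.$$"
    awk -v c="$cert" '$0 == c { print "!" c; next } { print }' "$conf" > "$tmp" \
        && mv -- "$tmp" "$conf"
}

is_distrusted() {  # exit 0 when $2 is marked with a leading "!" in $1
    grep -qxF -- "!$2" "$1"
}

# Stand-alone demo on a constructed config (not the live system file).
demo_conf="$(mktemp)"
printf '%s\n' 'mozilla/SecureTrust_CA.crt' 'mozilla/Example_Other_CA.crt' > "$demo_conf"
distrust_ca "$demo_conf" mozilla/SecureTrust_CA.crt
echo "resulting config:"
cat "$demo_conf"
rm -f -- "$demo_conf"
```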