On 11 April 2014 04:06, Matthias Hunstock <no-s...@ple4se.org> wrote:
> > Implementing a new tool that lets that happen > > automatically, using a signature from the previous key, might be the > right > > way to make that scale. > > you are supposing to trust a signature created by a possibly compromised > key ? > Of course, yes. For revocation this is the correct approach. Supposing you are unlucky and strange guy named Eve has the private key from your cert. Now there are two people who can revoke your certificate: you, and Eve. Reissuance should of course still involve fresh Domain Validation. Which is only moderately secure, but that's as good as PKIX can ever do for you today. > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
