Andrews, Rick wrote, On 2008-06-04 15:24:
>> It seems that CAs are not bothering to contact their customers with 
>> weak keys[1], although they are of course revoking the keys of
>> customers who ask, and reissuing certificates.
> 
> Gerv,
> 
> I just wanted to mention that we've been working feverishly to automate 
> checking of all valid certs in our databases. It's taking time because 
> it's a huge task - we have hundreds of thousands of certs to check - but
> we intend to notify any customer who is using a weak key.

Rick, does this mean that Verisign will not revoke the cert unless and
until the customer agrees to it?  If a customer doesn't agree, or doesn't
respond, will the cert remain unrevoked until it expires?

That strikes me as a policy that one might describe as "attacker-friendly".

I suggest: revoke first, contact later.

When you revoke the certs, you're protecting your relying parties, and
you can count on your relying parties to contact the subjects whose
certs have been revoked. :)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
