> Andrews, Rick wrote, On 2008-06-04 15:24:
> >> It seems that CAs are not bothering to contact their customers with
> >> weak keys[1], although they are of course revoking the keys of
> >> customers who ask, and reissuing certificates.
> >
> > Gerv,
> >
> > I just wanted to mention that we've been working feverishly to automate
> > checking of all valid certs in our databases. It's taking time because
> > it's a huge task - we have hundreds of thousands of certs to check - but
> > we intend to notify any customer who is using a weak key.
>
> Rick,
>
> Does this mean that Verisign will not revoke the cert unless and
> until the customer agrees to it? If a customer doesn't agree, or doesn't
> respond, will the cert remain unrevoked until it expires?
>
> That strikes me as a policy that one might describe as "attacker friendly".
>
> I suggest: revoke first, contact later.
>
> When you revoke the certs, you're protecting your relying parties, and
> you can count on your relying parties to contact the subjects whose
> certs have been revoked. :)

Nelson,

That's a good question, and I don't know the answer. I'll bring it up with
the business folks to decide what we should do.

-Rick

--
Rick Andrews                 __o          Phone: 650-426-3401
VeriSign, Inc.             _ \>,_         Fax:   650-426-5195
487 E. Middlefield Rd.    ...(_)/ (_)     URL:   www.verisign.com
Mountain View, CA 94043                   email: [EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto