Frank Hecker wrote:
> Eddy Nigg wrote:
>> Disabling the trust bits of "AddTrust External CA Root" could be a
>> temporary measure to prevent damage to relying parties
> 
> Also note that any "suspension" of a root would last at least 1-3 months,
> since that's the typical interval between security updates for Firefox and
> other Mozilla-based products.

And we don't have a magic switch we can flip in the office. We'd have to
make the change, test the change, make the builds, ship the builds,
users would have to update (about a week from ship until most users have
the update).

If the sole purpose of the update was to break lots of sites (from the
user's POV) then some number of them disable updates, making them less
secure in the future.

If Comodo is acting in good faith then anything they can do would be
lightyears faster than a client update. If they're not fulfilling their
responsibilities then a permanent removal would make sense, but given
the time scales it's hard to see how a "temporary" month-or-so removal
helps.

Maybe we need to build in something like a CRL that pings back to
Mozilla that would let us revoke roots without having to ship a client
update.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto