Kyle Hamilton wrote: > (Especially if Comodo delegates full Registration Authority capability > without verification, which seems to be the case -- though they could > have simply issued a sub-CA certificate.)
Delegating the RA's tasks is still different from issuing a sub-CA cert since with a delegated RA the CA can look at all issued EE certs and revoke some of them if needed. A sub-CA typically runs completely on its own so the CA could only revoke the sub-CA cert and not certain EE certs. > It occurs to me that there is no facility in Firefox or other Mozilla > products to provide an explanatory dialog that there's an issue, and > such a facility would be extremely useful at this point. Being able > to print a message to the user like "The Mozilla Foundation has > identified issues with the trusted root that issued this certificate > which prevent Firefox from being able to guarantee that this is truly > the site to which you intended to go. While it is unlikely that this > is a widespread problem, and an attack would rely on more technical > intrusions into the network, the nature of these issues requires that > you be warned of this circumstance so that you can exercise > appropriate levels of caution. The Mozilla Foundation is working with > the trusted root to resolve these issues." would help a lot. Either the trust bits are removed or not. Such a dialogue wouldn't help at all. It's too complicated. Ciao, Michael. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
