Frank Hecker wrote:
> Michael Ströder wrote:
>> Frank Hecker wrote:
>>> From my point of view I'd wait on more
>>> information regarding items 2 and 3 above before making a
>>> recommendation.
>>
>> Could you please define a time-frame within which Comodo MUST react?
>
> Comodo (in the person of Robin Alden) has already made a reply:
>
> http://groups.google.com/group/mozilla.dev.tech.crypto/msg/b24e70ea2c396bb5

Yes, already saw that in the meantime. But it does not really say much.

> The question is, what else do we want Comodo to do in this case?

I'd like to know whether there are more contractors serving as RA for Comodo. A list should be provided of who they are and which measures are taken for domain validation. What really strikes me is that this case was only detected by Eddy because of Certstar's spam e-mails.

> They still have some certificates unaccounted for in terms of
> verifying the validation, and certainly I'd like to hear the status
> of that as soon as possible. Beyond that? It's somewhat of an open
> question.

I'd tend to punish a rogue CA by removing their root CA cert from NSS. Maybe this serves as a good example to other CAs that the Mozilla CA policy is really enforced. Otherwise nobody will care.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto