Frank Hecker wrote:
> Michael Ströder wrote:
>> Frank Hecker wrote:
>>> From my point of view I'd wait on more
>>> information regarding items 2 and 3 above before making a
>>> recommendation.
>>
>> Could you please define a time-frame within which Comodo MUST react?
> 
> Comodo (in the person of Robin Alden) has already made a reply:
> 
> http://groups.google.com/group/mozilla.dev.tech.crypto/msg/b24e70ea2c396bb5

Yes, already saw that in the meantime. But it does not really say much.

> The question is, what else do we want Comodo to do in this case?

I'd like to know whether there are more contractors serving as RA for
Comodo. A list should be provided of who they are and which measures are taken
for domain validation. What really strikes me is that this case was only
detected by Eddy because of Certstar's spam e-mails.

> They still have some certificates unaccounted for in terms of
> verifying the validation, and certainly I'd like to hear the status
> of that as soon as possible. Beyond that? It's somewhat of an open
> question.

I'd tend to punish a rogue CA by removing their root CA cert from NSS.
Maybe this serves as a good example to other CAs that the Mozilla CA
policy is really enforced. Otherwise nobody will care.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
