I've already stated my preference.

To reiterate:

Actually, I think it's very important that the accounting include this:

for each name (not just certificate, but name in
subjectAlternativeNames) that has been certified, a connection to the
TLS ports should be made, and the certificate presented by the site
compared against the certificate that Comodo issued.  This obviously
won't be a complete verification, but it should give a start to see
how widespread the problem is.

A script to do this could probably be written fairly easily, but
depending on the number of certificates Comodo has issued that are
currently valid (and I'd like to see some hard numbers on that, as
well) it could take a while to run.

From the script, the numbers I'd like to see are: the number of
unreachable/not-answering names/hosts, the number of matching
certificates, and the number of mismatched certificates.  From that
output plus Comodo's records, I would also like to see how many
resellers there are and how many of them have sold mismatched
certificates.

(The 'resellers' I refer to here are 'contracted registration
authorities', not those who make money by funnelling users into
Comodo's pages.  I'd also like to know how Robin/Comodo performed the
audit on certificates for proper domain validation -- if they're
relying on the presence or absence of that check-box "I have verified
the domain control in accordance with...", I think the entire audit is
useless and that they should be removed from the root store out of
spite -- for making a mockery of the entire process.)

I do think that Comodo should be required to suspend their
Registration Authority processing until they in-source their
domain-control verification as a condition of staying in Mozilla's
trust list.  I also have not heard word 1 about if they use
registration authorities for higher-assurance certificates.

-Kyle H

On Thu, Dec 25, 2008 at 8:49 AM, Frank Hecker
<hec...@mozillafoundation.org> wrote:
> Michael Ströder wrote:
>>
>> Frank Hecker wrote:
>>>
>>> From my point of view I'd wait on more
>>> information regarding items 2 and 3 above before making a recommendation.
>>
>> Could you please define a time-frame within Comodo MUST react?
>
> Comodo (in the person of Robin Alden) has already made a reply:
>
> http://groups.google.com/group/mozilla.dev.tech.crypto/msg/b24e70ea2c396bb5
>
> The question is, what else do we want Comodo to do in this case? They
> still have some certificates unaccounted for in terms of verifying the
> validation, and certainly I'd like to hear the status of that as soon as
> possible. Beyond that? It's somewhat of an open question.
>
> Frank
>
> --
> Frank Hecker
> hec...@mozillafoundation.org
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
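The reachability/match script Kyle sketches above, written out as an added example (this is not code from the thread, from Comodo, or from Mozilla). It walks every subjectAltName dNSName of every issued certificate, connects to the TLS port with SNI, takes whatever leaf certificate the site presents, and compares its SHA-256 fingerprint with the issued one, tallying unreachable, matching and mismatched names overall and per reseller. The `IssuedCert` field names and the sample records and hosts are assumptions constructed for the example; the network fetch is pluggable so the tallying runs offline against that constructed data. Two caveats a practitioner would want: a wildcard SAN is not a host, so it is counted as skipped rather than connected to; and a mismatch by itself only means the site is not serving that particular certificate (it may have been replaced since issuance), so the mismatch list is where to look for the validation problem, not proof of it.

```python
"""Audit: for every certified name, does the site present the issued certificate?

Counts unreachable / match / mismatch per name and per reseller (the
contracted registration authority that sold the certificate).
"""
import hashlib
import socket
import ssl
from collections import Counter, defaultdict
from typing import Callable, Dict, Iterable, List, NamedTuple, Optional, Tuple

TLS_PORT = 443
CONNECT_TIMEOUT = 5.0


class IssuedCert(NamedTuple):
    """One certificate from the CA's issuance records (field names are assumptions)."""
    reseller: str          # registration authority that sold it
    san_names: List[str]   # every dNSName in subjectAltName, not just the subject CN
    der: bytes             # DER-encoded certificate as issued


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding; equal fingerprints mean the same certificate."""
    return hashlib.sha256(der).hexdigest()


def fetch_presented_cert(name: str, port: int = TLS_PORT,
                         timeout: float = CONNECT_TIMEOUT) -> Optional[bytes]:
    """Return the DER leaf certificate that name:port presents, or None if unreachable.

    Chain verification is deliberately off: we want whatever the site serves,
    even a certificate that would not validate, because that is what is audited.
    SNI is sent so name-based virtual hosts answer with the certificate for `name`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((name, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=name) as tls:
                return tls.getpeercert(binary_form=True)
    except (OSError, ssl.SSLError):
        return None


def audit(issued: Iterable[IssuedCert],
          fetch: Callable[[str], Optional[bytes]] = fetch_presented_cert
          ) -> Tuple[Counter, Dict[str, Counter]]:
    """Classify every SAN name of every issued certificate.

    Returns (totals, per_reseller): totals counts 'unreachable', 'match',
    'mismatch' and 'skipped_wildcard'; per_reseller gives the same breakdown
    for the names each reseller sold.
    """
    totals: Counter = Counter()
    per_reseller: Dict[str, Counter] = defaultdict(Counter)
    for cert in issued:
        expected = fingerprint(cert.der)
        for name in cert.san_names:
            if name.startswith("*."):
                outcome = "skipped_wildcard"   # a wildcard is not a host to connect to
            else:
                presented = fetch(name)
                if presented is None:
                    outcome = "unreachable"
                elif fingerprint(presented) == expected:
                    outcome = "match"
                else:
                    outcome = "mismatch"
            totals[outcome] += 1
            per_reseller[cert.reseller][outcome] += 1
    return totals, dict(per_reseller)


def resellers_with_mismatches(per_reseller: Dict[str, Counter]) -> List[str]:
    """Resellers that sold at least one certificate the named site does not present."""
    return sorted(r for r, c in per_reseller.items() if c["mismatch"] > 0)


# ---- constructed sample data: not real certificates, not real hosts ----
SAMPLE_ISSUED = [
    IssuedCert("reseller-a", ["www.example.test", "example.test"], b"der:cert-1"),
    IssuedCert("reseller-b", ["mail.example.test", "*.example.test"], b"der:cert-2"),
    IssuedCert("reseller-b", ["shop.example.test"], b"der:cert-3"),
]

# What each constructed host "presents"; None models a host that does not answer.
SAMPLE_PRESENTED = {
    "www.example.test": b"der:cert-1",    # presents exactly what was issued
    "example.test": None,                 # unreachable
    "mail.example.test": b"der:cert-2",   # presents what was issued
    "shop.example.test": b"der:other",    # presents a different certificate
}


def sample_audit() -> Tuple[Counter, Dict[str, Counter]]:
    """Run the audit against the constructed data instead of the network."""
    return audit(SAMPLE_ISSUED, fetch=SAMPLE_PRESENTED.get)


if __name__ == "__main__":
    totals, per_reseller = sample_audit()
    print("totals:", dict(totals))
    for reseller, counts in per_reseller.items():
        print(reseller, dict(counts))
    print("resellers with mismatches:", resellers_with_mismatches(per_reseller))
```

To run it for real, pass the CA's issuance records as `IssuedCert` rows and leave `fetch` at its default; with tens of thousands of currently valid certificates the connect timeout dominates, so the fetch loop is the part to parallelise.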