Ian G wrote:
> That "earlier story" has no real place here, IMHO. This is a forum for
> the discussion of technical, crypto, root and general PKI issues, by
> either dictat or convention. It is not a forum for the airing of
> general business complaints.

I agree that the effects of this whole story on Startcom's business are out of scope for this forum and Eddy has to clarify that with his lawyers. I'm certain Eddy knows that. (And I personally am not affiliated with Eddy or Startcom.)

But the fact is that Certstar used misleading DNS names for their web site to trick Startcom's customers to "re-new" certs at their web site. These server naming tricks are pretty close to what phishers are doing. Also look at From: google@ in one of Patricia's postings. So I take this as a strong indication that Certstar has a rather rogue attitude (and in case of Certstar I mean like this). And discussing the conclusions for trustworthiness of Comodo is perfectly within the scope of this forum.

> E.g., where Comodo or any CA completes an internal audit and creates a
> report to document that audit action, could we expect the CA or the
> internal auditor to publish this as a routine action?

Personally I have some doubts about auditing reports anyway. But I believe that bad press and removing the trust flags from a root CA cert as a result of a CA misbehaving is an appropriate negative enforcement leading to better results in the long run.

Again: If Mozilla fails to enforce its own policy the Mozilla foundation should better drop this whole root CA cert store completely.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto