On 12/28/2008 4:46 AM, Ian G wrote [in part]:
> On 28/12/08 12:13, Kai Engert wrote:
>
>> If we'd like to be strict, we could remove CAs from our approved list if
>> they have shown to be non-conforming in the above way.
>
>
> Yes, we could! But this is what we call a blunt weapon. It is also a
> dangerous weapon. Consider (all) the consequences in the current case.
>
> First, losses we will incur, regardless:
>
> 1. Certs: All end-users who rely on these certs will lose. That
> probably numbers in the millions. All subscribers will lose, probably
> in the thousands. The CA will lose; potentially it will lose its
> revenue stream, or have it sliced in half (say), which is what we would
> call in business circles a plausible bankruptcy event.
>
So when a CA behaves badly, we should still be concerned that the CA might lose money? Because a CA might go bankrupt, we should do nothing?

How about the users of Mozilla products who might lose money or even go bankrupt because they trusted a root certificate from such a CA? No, such losses are not known (yet). What did happen, however, indicates that such losses are indeed possible and not only through Certstar.

--
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions
for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related
applications. You can access Mozdev much more quickly than you can
Mozilla Add-Ons.