Eddy Nigg wrote, On 2009-01-21 15:25: > On 01/22/2009 01:07 AM, Nelson B Bolyard: >> Yes, but some of the CAs were emphatic that they would not revoke the >> certs unless their customers requested them to do so. As I understand it, >> basically they said that their agreement with their customer did not allow >> them to revoke the cert without the customer's permission, unless they were >> presented with evidence of an actual attack/compromise of the site whose >> cert was affected. I did not like that position, but they were adamant. >> > > Isn't the publishing of the private key enough evidence for compromise? > At least it got us and some others to revoke all weak keys.
IMO, yes, it is enough evidence. But the position of those CAs, as I understand it, is that such publication is only a potential compromise. They require evidence that the published key is actually being used to attack the site. Otherwise, their customer agreement does not let them revoke the certs. I don't think that's an honorable position for a CA to be in, but that's just my opinion. Perhaps Mozilla should change its policy to require CAs to revoke certs when the private key is known to be compromised, whether or not an attack is in evidence, as a condition of having trust bits in Firefox. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
