On 01/22/2009 11:04 AM, Florian Weimer:
> * Eddy Nigg:
>
>> As a matter of fact, most CAs have policies in place which require
>> them upon knowledge of potential or *suspected* compromise to revoke
>> ANY certificate. I'm certain those policies exist for the top CAs
>> covering the majority of certificates. The keys are compromised, not
>> only suspected to be compromised. It's known which keys and
>> certificates are affected (by the CAs themselves).
>
> Yes, but we don't know all the CAs that exist and are recognized by
> Mozilla. 8-(

Of course we know. It's right here: http://lxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

> If you've got a sub-CA under a browser-listed root CA, it's kind of
> hard for Mozilla or the root CA to enforce any rules (let alone detect
> violations).

No, it's quite easy to do that.

> What about requiring that all certificates must be published by the CA
> (including sub-CAs)?

I don't know the benefit of it, but I guess that sub-CAs could be published, end-user certificates most likely not.


--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto