On 2/5/09 17:50, Paul Hoffman wrote:
Peter Gutmann asked on a different mailing list:

Subject says it all, does anyone know of a public, commercial CA (meaning one
baked into a browser or the OS, including any sub-CAs hanging off the roots)
ever having their certificate revoked?  An ongoing private poll hasn't turned
up anything, but perhaps others know of instances where this occurred.


Current consensus here is that none has ever been revoked in Mozilla's history, from memory.

There are several aspects:

(1) How to do it:
https://wiki.mozilla.org/CA:Recommendations_for_Roots#Revocation_of_the_Root

(2) there exists a standard need in audits to discuss disaster recovery. Curiously, this does not appear to be documented anywhere; draw your own speculations....

(3) whether there is a framework to make a decision about doing it against the wishes of a CA. There are notes about how to do this somewhere, but the current consensus of the Mozilla group is that they do not want to make decisions of these types.

(4) no review of existing grandfathered roots has been done.

(5) possibly as a consequence of all the above, it can be claimed that it is an empty threat, and no more than a security/marketing tool for PKI people.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
