Duane wrote: > > I couldn't find the reference off hand in your postings Frank but a > thought occurred to me that rather then removing CAs immediately, make a > small code change to reject any certificates issued by a CA after a > certain date if they were found to be in breach of any policies, MF or > otherwise. > > The idea is you don't want to inconvenience any mozilla users with > existing certificates, but what about putting CAs on notice that until > XYZ criteria is rectified, they will be unable to issue further > certificates until the situation is rectified. > > Possibly a few flaws in this idea I haven't considered, but could be a > purgatory before complete removal, or just deny any future certificates...
Would you really trust a Web server certificate issued by a CA that lost its accreditation or received less than an unqualified opinion on an audit? I would not, and I would be extra suspicious about server certificates issued by that CA before the negative action against it. After all, such negative action would be the result of past discrepancies by the CA, not future discrepancies. And I would certainly not trust server certificates issued after the negative action until someone -- definitely not the CA itself -- pronounced the discrepancies corrected. Then, I would trust only those server certificates issued after the corrections were determined. We are talking about MONEY and PRIVACY. How much risk are you willing to take with these? -- David E. Ross <http://www.rossde.com/> I use Mozilla as my Web browser because I want a browser that complies with Web standards. See <http://www.mozilla.org/>. _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
