Frank Hecker wrote:
> David Ross wrote:
> > #3: I indicate that a CA that fails an audit or loses
> > accreditation should have its certificates removed and the removal
> > should be publicized. Mozilla users should not rely on a
> > deficient CA.
>
> Note that in practice this will be problematic, since AFAIK removing a
> cert from the default database affects only users who are installing
> Mozilla for the first time. I'll let others speak to this issue.

Frank,

Things work rather differently now than they did 4 years ago.
The "built-in" list of CAs, and the built-in list of trust info is
no longer stored in the cert DB. It's in a shared library that gets
replaced when a new (or old) version of Mozilla is installed.
If users CHANGE the trust settings on a root CA, or import a new root
CA and trust, the new CA and trust info goes into the cert DB.
Anyway, I think it's easier to remove trust for a built-in root CA now
than before.
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto