Ian G wrote:

I'll assume that you're not being obtuse. This is the most well known
issue from Verisign;

http://www.pcworld.com/news/article/0,aid,45284,00.asp

This case allows anyone to make a value judgement on Verisign's services,
MF included. Please don't pretend otherwise.



The facts outlined in that article are not an awful lot to hang one's hat on. They made a mistake, once, and it was 4.9 years ago. So, it's not a current issue, assuming the cert has expired.

Not only that, but even at the time, methods of revocation checking for certificates existed, such as CRL and OCSP. None of this was mentioned in the article.


One should be able to protect from such errors retroactively after they are discovered once Verisign revokes the certificate, if the application is configured to do a revocation check.

I'm not trying to defend Verisign here, but this type of error needs to be kept in perspective. If a cert gets improperly issued and is found out like the above, then the risk is much lower. I'm more worried about the cases in which nobody noticed. But unfortunately there are no statistics for those.
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
