A CA root cert is no big deal. If it gets lost,
just mint another one and let everyone know
you lost it and to watch out for it.
Er, given that we have no OCSP and no-one's checking CRLs, I think losing a root cert which is embedded in 99% of browsers out there would be an _extremely_ big deal.
Obvious attack scenario: mint your own certs for major banks, pick an ISP, do a little pharming and clean up.
The essence of the game is to get SSL and the like protection to the users. This does not happen if the CAs can't make any money; either the CAs have to be removed or we have to find a way to make them some money, or they have to do it for free. Economics is not really negotiable at the physics level.
<applause>
Gerv
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security