* Roland Dobbins:

> On Mar 24, 2011, at 6:41 PM, Florian Weimer wrote:
>
>>  Disclosure devalues information.

> I think this case is different, given the perception of the cert as
> a 'thing' to be bartered.

Private keys have been traded openly for years.  For instance, when
your browser tells you that a web site has been verified by "Equifax"
(exact phrasing in the UI may vary), it's just not true.  Equifax has
sold its private key to someone else long ago, and chances are that
the key material has changed hands a couple of times since.

I can't see how a practice that is completely acceptable at the root
certificate level is a danger so significant that state-secret-like
treatment is called for once end-user certificates are involved.

-- 
Florian Weimer                <fwei...@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Reply via email to