On 08/18/2010 06:27 AM, From Kurt Seifried:
> I have to say I'm a little concerned; I have now seen a good half dozen or so situations where CAs completely failed in some manner (technologically, procedurally, etc.).
Yes, me too.
> And nothing has happened.
However I don't think that's correct.
> In some cases some of the problems have been fixed with the specific CA that got caught.
Yes and finally a sane defined list exists for domain control validation via email as a requirement. I believe that the Mozilla CA policy still has to be updated though.
Additionally, three CAs were removed and omitted from the latest batch of root updates for NSS. That's not nothing - it's a strong sign of what's to come and what may possibly happen to CAs until the issues are fixed. And rest assured, most CAs come along here every once in a while.
> I suspect there are still some CAs that allow non-standard addresses, or the CAs signing certs not only for IP addresses but for 192.168.1.2 and the like (which is completely inexcusable).
Agreed, and unfortunately Mozilla hasn't apparently made any decision yet. Obviously Mozilla can't always act alone, but there are certain principles I expect that it should and will have to uphold and enforce.
> I have seen 0 widespread or concerted effort from Mozilla to get these problems corrected.
It's my expectation that the responsible persons start to act. Apparently it's possible as Sid demonstrated with the email list for domain control validation. More has to be done.
> Are we ever going to see Mozilla/Firefox actually do anything (like reprimand CAs publicly, remove bad CAs, ship revocation certificates for known bad sub CAs, or?).
Well, how about finally defining and notifying about those issues before any other actions can be performed? I think this step must come before anything else.
> The certificate "" represents a Certificate Authority. It would help if the interface maybe displayed a warning or the Organization name or something instead of just a blank.
I suggest opening a bug report for this against the PSM module. I expect this to be easily solved.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security