Removing StartCom from the trust root would be a catastrophe for the
security of Mozilla's users, since it would move the Web from one free CA
to zero free CAs, thereby forcing over a hundred thousand websites from
HTTPS (which is actually still not terrible, even if you had a window of
Heartbleed
That would have the {justifiable,entertaining,controversial} result of
causing any captive portal that uses HTTPS in captivity to fail. Sounds
like an interesting proposal if you can persuade all the browsers to do it
simultaneously, but if Mozilla does it in isolation, it would unfortunately
just
On 13 April 2014 13:36, Florian Weimer wrote:
>
> The second reason is the following: What you are proposing is a value
> judgement. But these have no place in the browser PKI. For example,
> a properly contained sub-CA which issues interception certificates for
> internal company use arguably
Florian, there's something about legal rules that is often quite
unintuitive to those of us with technical backgrounds: lawyers don't
necessarily expect them to be followed exhaustively all of the time. At
least in common law countries (.us, .uk, .ca, .au, .il, and many more),
legal rules exi
On 11 April 2014 04:06, Matthias Hunstock wrote:
> > Implementing a new tool that lets that happen
> > automatically, using a signature from the previous key, might be the right
> > way to make that scale.
>
> you are supposing to trust a signature created by a possibly compromised
> key ?
>
s
>> anti-security and we need to "strongly encourage" they be discontinued in
>> short order. If a CA wishes to continue such policies I would question
>> their trustworthiness.
>>
>> Further I think we are reaching the point where browsers have to refuse
>> SSL
Kaspar, suppose that Mozilla followed your suggestion and removed
StartCom's root certificates from its trust store (or revoked them!). What
would the consequences of that decision be, for the large number of domains
that rely on StartCom certs?
On 10 April 2014 00:46, Kaspar Janßen wrote:
> Hi