On 03/01/14 14:29, Leif Johansson wrote:
> On 2014-01-03 14:24, Ralph Holz wrote:
>> Hi,
>>
>>> My understanding of what Jakob wrote is that he holds the key for a
>>> subordinate CA. Unless the CA that "signed" that subordinate has
>>> been removed from trust lists then that subordinate would still be
>>> useful, yes.
>> The subordinate certificate is blacklisted in browsers. Furthermore,
>> Mozilla does not accept any non-root certs with MD5 signatures since
>> mid-2011.
>>
>> Ralph
>
> Assumes you run an updated browser, right?

Yes.

There's only so much we can do to protect folks who don't update their browsers. It seems very unlikely that MD5 signatures are the biggest threat that they face.

> Blacklisting isn't part of the PKIX trust model, but a band-aid used to
> fix the lack of deployed/able revocation.

So?

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
therightkey mailing list
therightkey@ietf.org
https://www.ietf.org/mailman/listinfo/therightkey
