On 13/09/11 13:06, Marsh Ray wrote:
> Or not, like the Dutch government, have the pull to convince Mozilla to
> hesitate for a few days to revoke your pwned CA.

That is rather unfair. You make it sound like they asked, and we
complied. In truth, we relied on an assessment of the situation from
GovCERT, the Dutch CERT - who have a decent reputation. When their
assessment changed, we changed our position; whether they should have
made their initial assessment the way they did is a good question, and
one which concerned parties should ask them.

It is certainly not an obvious truth, even more so in the heat of the
moment, that a compromise of one part of a certificate hierarchy at a CA
necessarily means that an entirely different one is also compromised. It
may, it may not - that depends on the arrangement and interlinking or
otherwise of the issuance systems.

Anyway, regardless, the situation is more complex than your allegation
of back-room influence.

Gerv
_______________________________________________
websec mailing list
websec@ietf.org
https://www.ietf.org/mailman/listinfo/websec
