Hi, >Please read the thread about Debian keys first: I did (now completely), but most of it seems to be a discussion about CAs (not) revoking keys. As I understand it, if the CA does use only a normal CRL (and not OCSP), firefox won't care. At least the proof-of-concept attack on the akamai key still worked.
>You can try to edit the trust flags of that see (remove >all trust) and when encountering a site with a certificate >from that CA to add an exception. The problem with this is that the CA is then completely ignored (as it is basically untrusted), so I cannot see if the cert is really issued by that CA or a fake CA certificate with a different key but the same name. >Wild cards go as well with the exceptions. I did not find a way to do this, can you tell me where to look? >> I think that if the Mossad wanted a fake >> cert, they would get it fairly quickly, >> one way or the other. >there is no such a thing, >never was and never will be! First, I would like to make clear that I am quite sure that no CA would create a fake cert just because an intelligence agency simply asked to do so. But I assume(d), that if a powerful intelligence agency wants to achive something like this, they will find a way (for example by threatening an employee or simply faking identification documents, or just intercepting the verification e-mail that is probably transfered via unsecured SMTP). I just picked the mossad because I considered it the most powerful and capable agency, and the Startcom CA as I assumed that it would be the easiest thing for the mossad to do it in its own country. If something like that happened, it would not be the fault of the CA, I don't think there is anything the CA can do against this. I do NOT say that Startcom is insecure because it is from Israel (actually I might get my cert from Startcom as soon as I need one). I think it can happen anywhere in case a capable intelligence agency decides that it wants to get a fake cert. (Hopefully there aren't any "trusted" CAs in countries with totalitarian governments, as it would probably be quite easy there) About the Verisign thing: In the USA, the new counter-terrorism regulations (some of which seem to be secret) could force a CA to cooperate, but I will gladly accept the opinion of someone who has more experience than me. > I guess the Mossad doesn't need the services > of StartCom nor does any "party of interest" > use certificates issued by a legitimate CA either. That might be the main reason why not to worry too much about the scenario. But it was just an example, other failure situations are possible, so I think a "lock in" feature would be useful for advanced users anyway. (AFAIK the only reason why the CAcert root certificate was not broken because of the debian problem is that it was generated before the error was introduced). Regards, Jan -- Please avoid sending mails, use the group instead. If you really need to send me an e-mail, mention "FROM NG" in the subject line, otherwise my spam filter will delete your mail. Sorry for the inconvenience, thank the spammers... _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto