Julien R Pierre - Sun Microsystems wrote:
Certainly not by issuing a CRL. Mozilla doesn't have the keys needed to issue a CRL to revoke any root. (CRL's must be signed by the issuer, or by an agent with the appropriate key usage which is signed by the issue. I don't think any CA would give mozilla the keys to do this, nor would mozilla want to include the root of any CA which would give them the keys).How do we revoke Mozilla's root?By updating mozilla software :)
We could use PKIX to authorize the roots by setting up a mozilla root, then cross signing each of the approved roots. In that case mozilla could issue a CRL to revoke a root, then it's effectively revoking an intermediate. (and revoking the base mozilla root would still have all the problems currently described, except now you have a single point of failure).Can we eliminate the whole CA notion by just using a single sig over the list from a "root" ... and just deliver signed updates?
The problem with this idea is that mozilla probably does not want to be in the CA business. The overhead of creating a mozilla root key in a safe and secure manner is quite involved (and more than doing a key gen on a smart card).
bob
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto