At 4:11 PM +1200 5/5/09, Peter Gutmann wrote:
>Thierry Moreau <thierry.mor...@connotech.com> writes:
>
>>Now that the main question is answered, there are sub-questions to be asked:
>>
>>1. Has any public CA ever encountered a situation where a revocation would
>>have been necessary?
>
>Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of
>which nothing happened because it would have been politically inexpedient to
>revoke the CA's cert.

Peter, you really need more detents on the knob for your hyperbole setting. 
"nothing happened" is flat-out wrong: the CA fixed the problem and researched 
all related problems that it could find. Perhaps you meant "the CA was not 
punished": that would be correct in this case.

This leads to the question: if a CA in a trust anchor pile does something wrong 
(terribly wrong, in this case) and fixes it, should they be punished? If you 
say "yes", you should be ready to answer "who will benefit from the punishment" 
and "in what way should the CA be punished". (You don't have to answer these, 
of course: you can just mete out punishment because it makes you feel good and 
powerful. There is lots of history of that.)

--Paul Hoffman, Director
--VPN Consortium

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com