Re: Has any public CA ever had their certificate revoked?

Tue, 05 May 2009 13:53:11 -0700 


Paul Hoffman wrote:

At 4:11 PM +1200 5/5/09, Peter Gutmann wrote:


Thierry Moreau <thierry.mor...@connotech.com> writes:



Now that the main question is answered, there are sub-questions to be asked:

1. Has any public CA ever encountered a situation where a revocation would
have been necessary?


Yes, several times, see e.g. the recent mozilla.org fiasco, as a result of
which nothing happened because it would have been politically inexpedient to
revoke the CA's cert.



Peter, you really need more detents on the knob for your hyperbole setting. "nothing 
happened" is flat-out wrong: the CA fixed the problem and researched all related problems that 
it could find. Perhaps you meant "the CA was not punished": that would be
 correct in this case.

This leads to the question: if a CA in a trust anchor pile does something wrong (terribly wrong, in this 
case) and fixes it, should they be punished? If you say "yes", you should be ready to answer 
"who will benefit from the punishment" and "in what way
 should the CA be punished". (You don't have to answer these, of course: you 
can just mete out punishment because it makes you feel good and powerful. There is 
lots of history of that.)




Before the collapse of the .com market in year 2000, there were 
grandiose views of "global PKIs," even with support by digital signature 
laws.



Actually, it turned out that CA liability avoidance was the golden rule 
at the law and business model abstraction level. Bradford Biddle 
published a couple of articles on this topic, e.g. in the San Diego Law 
Review, Vol 34, No 3.



The main lesson (validated after the PKI re-birth post-2002) is that no 
entity will ever position itself as a commercially viable global CA 
unless totally devoid of liability towards relying parties.



Thus no punishment is conceivable beyond the Peter's opinions (they are 
protected by Freedom of speech at least). That was predicted by the Brad 
Biddle analysis 12 years ago.


Regards,


--

- Thierry Moreau

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com






















					Reply via email to